Geopolitical Implications of the European Court’s Schrems II Decision

Read the original article: Geopolitical Implications of the European Court’s Schrems II Decision


On July 16, the Court of Justice of the European Union (CJEU) invalidated one principal legal method for the transfer of personal data from EU territory to the United States and cast substantial doubt on the validity of the other. 

U.S. intelligence agencies can utilize personal data initially transferred for commercial purposes to the U.S. from Europe. Consequently, the Court insisted that the United States provide persons in Europe with “actionable rights” of challenge before U.S. courts that are “essentially equivalent” to privacy rights enjoyed within the EU. The Luxembourg-based CJEU, the EU’s judicial branch, found U.S. intelligence law lacked such individualized protections. 

The immediate result is that more than 5300 companies – European as well as American, small as well as large – no longer may rely on the U.S.-EU Privacy Shield as a basis for transferring personal data from Europe to the United States. The Privacy Shield is a 2016 agreement that allows companies to transfer data while ensuring compliance with privacy laws on either side of the Atlantic. Companies may continue, for now, to conduct data flows on the basis of standard privacy protection clauses built into international data transfer contracts – a second principal method that is used widely not only for transatlantic commerce but also globally. But the CJEU ruling may also threaten the long-term future of this second legal method for data transfer. 

In this post, we provide background on the case and describe its holdings, explore issues for the near term, and highlight geopolitical implications for data flows between Europe and other parts of the world that do not necessarily share a rule-of-law culture. This post builds on previous Lawfare posts by the authors that provide further background on the litigation.

From Edward Snowden to Luxembourg

The case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (colloquially known as Schrems II), is but the latest chapter in a long and tangled history of litigation before Irish and European courts about the intersection of EU privacy rights and U.S. surveillance law. 

Schrems II’s origin lies in the voluminous disclosures by former National Security Agency (NSA) contractor Edward Snowden in 2013 about the nature and scope of U.S. national security surveillance programs. Maximillian Schrems, an Austrian privacy activist, soon complained to the Irish Data Protection Commissioner that Facebook, which has its European headquarters in that country, could be ordered by the U.S. government to send the NSA his personal communications. Schrems asked that the Irish data watchdog overturn a European Commission decision on the validity of the underlying commercial data transfer mechanism, the U.S.-EU Safe Harbor Framework. Schrems’s first case made its way to the CJEU, which held in October 2015 that the Safe Harbor privacy protections to which Facebook was bound did not measure up to rights of redress conferred under the EU’s Charter of Fundamental Rights and its privacy legislation. This first ruling effectively invalidated the Safe Harbor Framework.

A year later, the U.S. and the EU governments hastily put in place a successor, the Privacy Shield Framework, with strengthened protections designed to answer the CJEU’s criticisms. Undeterred, a group of European privacy activists (La Quadrature du Net) quickly filed a challenge to Privacy Shield at the European court. Max Schrems, meanwhile, launched a judicial attack in Ireland against the standard contractual clauses to which Facebook, like other companies, had turned in the wake of the sudden collapse of the Safe Harbor and before the adoption of the Privacy Shield. He pointed out that the U.S. intelligence community was just as likely to claim his Facebook data transferred under standard clauses as under the intergovernmental Safe Harbor arrangement. The CJEU eventually decided to consider together the parallel questions about the U.S. surveillance regime raised in the two separate cases.

The Schrems II Ruling

Stung by the ruling in the first Schrems case, both the U.S. government and business groups whose members rely heavily on transatlantic data transfers intervened in the successor proceedings. The Irish High Court and the CJEU had the benefit of numerous independent expert opinions (including one by Swire) detailing U.S. privacy protections in the surveillance context and the comparable practice of EU member states. The result of the second Schrems case, however, was arguably worse than that in the first: not only invalidation of a foundational transatlantic data transfer arrangement, but also probable destabilization of the main alternative transfer method.

In its ruling, the CJEU first asserted its own primacy over the subject-matter. It confirmed that EU privacy protections travel abroad with personal data originating in the territory of the EU, even when a foreign state’s national security organs subsequently claim access to that data – a nakedly extraterritorial assertion of EU jurisdiction. The Court took the standards established in the EU Charter and its privacy legislation as the sole reference point for assessing a third country’s surveillance law protections for personal data. It opted for these stringent rules instead of either the more nuanced standards contained in the jurisprudence developed by the European Court of Human Rights (ECHR), the Strasbourg-based judicial arm of the Council of Europe, or those contained in member state constitutional law.

Standard clauses – which typically apply EU-style privacy requirements to data even after it goes outside of the EU – can serve to vindicate Europeans’ privacy rights, the Court then found. The Court stated that these clauses create the possibility for the parties to the contract, or for an EU member state data protection authority (DPA), to assess the privacy protections accorded under foreign surveillance law. Specifically, the company or DPA must determine that legal requirements in the country receiving the data transfer do not go beyond what is “necessary in a democratic society” to safeguard national security, defense, and public security. Although a company or European DPA obviously lacks the ability to block surveillance by a foreign authority, it does possess the power to prohibit or suspend a particular international data transfer if it concludes that the standards of EU law are not met. This decentralized system of privacy protection could yield divergent rulings on foreign states by different European DPAs, but the CJEU expressed confidence that the new EU-level European Data Protection Board (EDPB) could harmonize practice in this respect.

The Court could have limited its judgment to standard clauses, but instead chose also to decide the validity of the Privacy Shield decision, because of the shared underlying issues. In particular, it examined whether individuals whose personal data had been transferred to the U.S. under Privacy Shield and then accessed by the NSA enjoyed rights of redress in U.S. courts. While surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) must be authorized by the Foreign Intelligence Surveillance Court, the CJEU noted, that did not amount to judicial review in each individual case. Nor, it found, did surveillance conducted outside the United States, on the basis of Executive Order 12333, confer actionable rights, even when the additional protections for foreign persons under Presidential Policy Directive 28 are taken into account.

Finally, the CJEU found insufficient the administrative remedy – the designation of an ombudsperson – that the United States and the European Union had developed for both Privacy Shield and standard clauses as a way of affording Europeans at least some means of redress for alleged improper national security access to their personal data. The ombudsperson, an Undersecretary of State, was not independent of the U.S. executive branch, the Court pointed out, and lacked the power to take corrective decisions that would bind the intelligence community.

What Happens to Transatlantic Data Transfers Now?

Although some observers had predicted this sort of outcome, there is considerable uncertainty in these early hours about what level of change will be expected immediately. Secretary of Commerce Wilbur Ross immediately issued a statement for the administration, using measured words: “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship.” After the 2015 Schrems decision, European regulators provided a grace period for transition, and at a practical level companies who were relying on the Safe Harbor Framework were allowed to continue data transfers on that basis until the new Privacy Shield came online. It is unclear whether that will happen again, as European data protection regulators have already begun to issue guidance, with varying interpretations of the implications of the new decision.

The Court’s decision sends mixed signals about how quickly companies must change their data flows. The Court expects companies that export personal data to assess whether each of their data transfers has adequate protections; if they do not, the data protection supervisor in the EU member state from which the data is sent could then begin an enforcement action, which presumably could take a substantial amount of time. On the other hand, the Court flatly held that the EU Commission’s approval of the Privacy Shield “is invalid,” with no discussion of a transition period to enable companies to come into compliance. 

One response from companies could be data localization – companies deciding to store in the EU all personal data originating there, due to the possible lack of a lawful way to export it. This would be a stricter version of data localization than other foreign jurisdictions demand, under which only a copy of the data must remain in the country, such as for access during law enforcement investigations. Keeping all personal data in Europe would be expensive and would cause numerous technical problems. But more fundamentally, it is hard to imagine how multinational companies and services could carry out their business if data entering the EU cannot emerge from it. The CJEU judgment does not concern itself with these sorts of practical difficulties.

Another response from companies could be to sit back and watch what develops. In other cases, the CJEU has issued strict privacy holdings, such as limiting the ability of law enforcement to engage in “data retention” – the practice of keeping government records of communications on the internet. Although the Court ruled against such data retention in the 2014 Digital Rights Ireland case and the 2018 Tele2 Sverige AB case, some Member States, in our understanding, have continued to utilize this information-gathering technique. A third data retention case is expected to be decided this fall, and that ruling will test the extent to which national security services can engage in the same type of data retention that the Court did not permit for law enforcement purposes. In light of the slow pace of EU rulings and begrudging compliance by Member States, one strategy for companies in the face of Schrems II may be to continue with business as usual and wait and see if consequences follow.

The risk of this approach, however, is the enormous level of fines that may now be imposed by data protection authorities under the General Data Protection Regulation, which came into effect in 2018. The maximum fine for a violation is 4% of a company’s revenue, calculated not on its EU economic activity but on its global revenue. Even though these fearsome penalties have not been imposed to date, corporate leaders face considerable risk if they decide to sit back and do nothing in the face of the Schrems II decision. […]
