Today, July 16, the European Court of Justice (ECJ) ruled that the agreement to allow data transfer between the EU and the United States, known as Privacy Shield, is no longer valid. Under Privacy Shield, US intelligence services had access to this data for national security reasons but the EJC’s decision has struck out the deal on the grounds that it doesn’t sufficiently protect the data of European citizens. In this blog, BH Consulting COO Valerie Lyons analyses the verdict.

What’s it all about?

Essentially it is about preventing US companies from illegally accessing data of European citizens. Max Schrems, a lawyer and privacy advocate, complained to the Irish Data Protection Commission (DPC) that the current transfer governance mechanisms between the EU and US were not compliant and the DPC disagreed. The European Court of Justice (ECJ) upheld Schrems’ complaint.

Background to the case

In 2013, Edward Snowden revealed the PRISM programme (where the US NSA accessed data from big tech e.g. Facebook, Apple, Google, and Microsoft among others). Following this, Max Schrems complained to the DPC that Facebook was helping the NSA conduct mass surveillance of EU citizens. The DPC rejected his complaint. So Schrems took his case to the High Court – where it was referred to the ECJ.

In late 2015, this case resulted in the abrogation of Safe Harbour. Then, standard contractual clauses (SCCs) became the mechanism for transferring data. In 2016, a new data transfer agreement called the EU-US Privacy Shield was born. Schrems then submitted a new complaint to the DPC, this time challenging Facebook’s use of SCCs to transfer data (hence the term Schrems II). Again, his complaint was rejected, and again, it was referred to the Irish High Court and then to the ECJ. While the Privacy Shield was not part of Schrems’ initial complaint, the Irish Court’s request pulled the Privacy Shield into the case as well. Today the ECJ ruled Privacy Shield invalid.

What does this mean for Data Transfers between the US and the EU?

This depends on how the transfers have been governed. If the transfer relied on Privacy Shield, then an alternative (such as a Data Processing Addendums (DPAs) or SCCs) will need to be put in place and adequate consideration given to the target country’s/states local legislative landscape. Transfers cannot take place legally until alternatives are in place. This may seem like a straightforward task, but what about where an EU business uses a US-based cloud platform for critical operations such as email or networks? These businesses will now be unable to operate until the cloud service provider demonstrates adequate alternatives to Privacy Shield. Amazon’s AWS for instance has already noted:

“AWS customers can already transfer personal data from the EU to the US in a compliant way; The EU-US Privacy Shield aims to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US. AWS offers customers a Data Processing Addendum, including Model Clauses (Data Processing Addendum) that was approved in 2015 by the EU data protection authorities, known as the Article 29 Working Party. This Data Processing Addendum enables our customers, when using AWS to transfer personal data outside the European Economic Area (EEA), to any country, including to the US. For this reason, the EU-US Privacy Shield does not affect the way customers use, or work, with AWS. Customers can continue transferring their content from AWS’ EU regions to the US regions with the knowledge that AWS is compliant with EU data protection requirements.

Microsoft too has also announced:

“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”

What does this mean for organisations that transfer data between the US and the EU?

We have always advised BH Consulting clients against using Privacy Shield for transfers, due to the uncertainty that has surrounded it, and due to the need to re-validate it. In fact, the European Data Protection Board [EDPB] only re-validated Privacy Shield in November 2019.

Most importantly, we always highlight the use of Privacy Shield (to govern data transfers between the EU and the US) as a risk in any relevant Data Protection Impact Assessment that our data protection team undertakes for our clients. We also advise the use of alternatives to Privacy Shield and will continue to do so until US data transfer governance is reformed in a way that provides assurance that EU data is safe when it is transferred to the US.

Key questions arising from Schrems II

The ECJ has clarified that EU data protection authorities (DPAs), including the Irish DPC, have a duty to take action. The ECJ highlighted how DPAs are “required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.

As privacy practitioners – and as European data subjects – we need to ask ourselves at this point a number of really difficult questions:

  1. How come a privacy advocate has to lodge complaints (twice) with the Irish DPC, in order to pursue ensuring privacy rights for EU data subjects (for safe compliant data transfers between the EU and the US)? Should the DPC not be supporting such a complaint?
  2. How come when he does so, the DPC rejects both complaints?
  3. How come when the DPC rejects two complaints (affecting transfers of data for most of the Tech Giants), the ECJ does not?
  4. This case cost the Irish State (and the taxpayer) €2.9m where our data protection regulatory body took legal action against a privacy advocate who was pursuing upholding data protection rights for citizens where the appointed regulator wasn’t – does this feel like an appropriate use of taxpayers’ money? Does it seem ethical?

Schrems notes: “The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The Court has clearly told the DPAs to get going and enforce the law.”

The Schrems I, and Schrems II cases have served 1) to show that the EU-US data transfer mechanisms require significant reformation and 2) the Schrems cases do not enhance the reputation and brand of the Irish DPC in Europe and as an office supposedly charged with protecting the data protection rights of its citizens. The DPC has some catching up to do and should start fining these large tech giants.