From Luxembourg, a look at Schrems II. Is the “Privacy Shield” poised to hit the recycling bin? Both sides are worried the final ruling could be sweeping.

 

(with thanks to my Project Counsel Media staff who attended the hearing)

10 July 2019 – It was a full house yesterday in the cavernous main chamber of Luxembourg’s Court of Justice of the European Union (CJEU). As the Irish Times noted:

Beneath a mesh, looking like a giant golden jellyfish, more than 300 gold-upholstered seats filled up long before 9am with lawyers, law students and observers. All rise for round two in the long-running legal action between Facebook, Max Schrems and Ireland’s Data Protection Commissioner (DPC).

Yep. What Max Schrems began six years ago has ballooned into a European legal battle with global economic implications. That much was clear in Luxembourg airport on Sunday morning with the arrival of a plane marked “United States of America” with a large contingent of U.S. attorneys and staff from the Department of Justice, Federal Trade Commission and the International Trade Commission crowding the very small airport. It’s unusual for the U.S. government to ask to appear in Europe’s highest court and long-term CJEU watchers said it was unprecedented for Washington officials to be admitted to such proceedings.

Note: Eileen Barrington, Senior Counsel and Member of the Irish Bar, spoke for the U.S. government. She is very well-known as an Accredited Mediator and an expert in European Law, as well as fluent in French.

The CJEU hearing in “Case 311/18”, known more popularly as “Schrems II,” stretched arguments to the limit yesterday. In a mammoth 8-hour session, the court heard from the Irish Data Protection Commissioner, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the U.S. government itself, as well as several EU countries and representatives of Max Schrems himself. Over 30 amicus curiae had been filed.

Note: “amicus curiae” (literally, “friend of the court”) is someone who is not a party to a case and may or may not have been solicited by a party and who assists a court by offering information, expertise, or insight that has a bearing on the issues in the case. It is typically presented in the form of a brief. It has been reported the CJEU cast a pretty wide net for opinions. 

The issues

Following a complaint to the Irish DPC by Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. more than five years ago — and after years of to-ing, fro-ing and appeals – the DPC’s questions are finally being assessed by Europe’s top court. According to the CJEU, the central question is this:

“Whether EU law applies to the transfer of personal data by a private company from an EU member state to a private company in a third country for commercial purposes (in this case via standard contractual clauses), and may be further processed in the third country by its authorities for purposes of national security and of law enforcement.”

In simpler terms, the question is whether U.S. law on the access of national security agencies to the personal data of non-nationals (the U.S. Foreign Intelligence Service Act) breaks European data protection laws. And if so, does that invalidate currently legal data transfer mechanisms? Schrems argued that, as per the Edward Snowden revelations, U.S. national security services have unfettered access to Europeans’ data in breach of European law. His lawyer, Eoin McCullough, told the court:

“When data is transferred to Facebook in the U.S., this high level of protection is undermined by certain U.S. laws, and that is true of any transfer mechanisms, whether standard contractual clauses, Privacy Shield or any other contractual arrangement. U.S. law requires Facebook to assist the U.S. in surveillance of non-U.S. persons.”

The looming question in this case: does the Irish DPC need to consider simply standard contractual clauses (SCCs) — the data transfer mechanism being challenged by Schrems here — or SCCs alongside other data protection frameworks, such as Privacy Shield? Should the DPC take a holistic approach, or should each mechanism stand or fall on its own? This is key, since if both mechanisms were ruled invalid, it would place businesses in a hugely difficult position.

Note: SCCs have been approved by various European Commission decisions. They were designed to allow businesses to transfer the personal data of EU citizens to countries outside the European Economic Area while ensuring the citizens enjoyed equivalent privacy rights to those they have in the EU. It is that data transfer mechanism being challenged by Schrems here.

But did the Court swing wider than the actual facts in the case?

The hearing yesterday has more at stake than the first Schrems/EU-US Safe Harbor case because this time around it may impact international data transfers not only from the EU to the U.S., but from the EU to the entire world where standard contractual clauses are relied upon. At the same time, the successor of the Safe Harbor, the EU-US Privacy Shield, is also on the table. The court noted:

“The Privacy Shield is automatically in the picture when a DPA is exercising its rights or interpretations under the SCCs. This case and the Privacy Shield case are linked. Can you rely on SCCs when there is an adequacy decision?”

This explains why the picture of parties and interveners is also significantly more complex, including not only EU institutions and member state governments, but also industry associations and the U.S. government.

And (unusually) we found Schrems aligned with Facebook on the issue of whether SCCs and Privacy Shield should be grouped together in a potential invalidation case, asserting that the DPC could have long ago dealt with the issue directly related to SCCs without referring the question to the European court. In a Tweet the day before the hearing he said:

“The Irish Data Protection Commission caused this whole circus for three years, when they can totally solve the issue themselves. It’s interesting that both industry and lobby groups see the same ‘solution’ to the problem as we do. It’s not often that, as a consumer, you agree with the industry more than with the regulator”.

Facebook, along with the two trade organizations represented at the hearing, fears the fallout if the Privacy Shield arrangement were to be struck down or SCCs totally gutted. As Facebook lawyer Paul Gallagher told the court:

If SCCs were totally invalidated, or the Shield, the effect on trade would be immense.

And even the Irish government and the European Commission seemed to oppose the Irish DPC’s decision to refer the question upwards to the high court, given the danger that the Court might just run with the ball. The Commission argued that if a country has weak legislation in place, it can prevent the EU from adopting adequacy decisions — like Privacy Shield — but it doesn’t necessarily apply also to SCCs.

Note: obviously the CJEU found the Commission wrong in approving adequacy for Privacy Shield’s predecessor Safe Harbor in 2015, and the Commission would not welcome a similar fate for Privacy Shield.

It’s clear that the EU Commission is not thrilled to have been put in the position the DPC’s application would require of it. For the Commission, it would have been preferable if the DPC had taken action on a piecemeal, case-by-case basis on specific data transfers. Nonetheless, the DPC’s application followed on the CJEU imposing a duty to act in the earlier Schrems case law. It remains to be seen in the court’s judgement whether the Commission’s or the DPC’s interpretation of the extent of that duty is accepted by the court.

As for the standard contractual clauses part, it is possible the court will only uphold the data protection authority’s powers to suspend a transfer to a certain jurisdiction based on a case-by-case analysis, rather than invalidating the entire mechanism. After all, standard contractual clauses link EU-based controllers and processors to controllers and processors in virtually all jurisdictions in the world, and it’s difficult to envision a general finding that would deem all possible uses of the SCCs to be in collision with the EU fundamental rights framework.

But Eduardo Ustaran, partner at Hogan Lovells, has raised the possibility that the court might uphold the validity of SCCs for transfers of data to the U.S., because of the U.S. government commitments, but render them invalid in the absence of similar commitments in other jurisdictions. So essentially SCCs would become okay for transfers to the U.S. but not okay for transfers to, say, Russia or China.

What’s next?

The EU court’s Advocate General Henrik Saugmandsgaard Øe said he will give his non-binding opinion in the case on December 12 this year, with a full decision expected by early 2020.

My team had an opportunity to chat with a number of attendees at the hearing, and had some follow-up phone chats today. A few points from their notes and conversations:

1. The EU maintains an internal data market, meaning personal data can be shared within the EU, but an international pact is required to share beyond EU borders. However, the Court made it clear these contracts cannot protect a user against the state. As a result, Facebook and other tech companies switched to using SCCs and continued to use them even when the Commission later put in place the Privacy Shield Framework, which it claims is “more robust” than its predecessor.

2. Not everyone is happy with Privacy Shield. The French privacy organization La Quadrature du Net has just one of several “pending” lawsuits, delayed to allow the EU court to rule on Schrems II. The French group claims the Privacy Shield Framework is incompatible with EU law and many hope the Schrems II court will “kill it”.

3. Even after the first decision went his way, Schrems remains unsatisfied with how the standard contractual clauses were used. He told us, “we don’t have a problem with standard contractual clauses, we have a problem with enforcement”.

4. There was a lot of argument on this point: the Irish Data Protection Commission wrote in a prehearing brief that “there was no evidence that Schrems’ personal data had been accessed by the NSA” and that it therefore was not required to investigate his complaint. But Michael Collins, one of the representatives for the Commission, told the EU justices there was no way for it to know if Schrems’ data had been improperly shared with U.S. security agencies like the National Security Agency.

5. And many were furious this case even made it to the CJEU. At Tuesday’s hearing, European Commission attorney Herke Kranenborg told the justices bluntly, “what the data protection commissioner should have done is to make a decision as to whether or not the SCCs are adequate. They had the power. What are we doing here?”

6. Strange bedfellows: in an odd group of coalitions, the Irish Data Protection Commission called for the Luxembourg-based EU court to do away with the standard contractual clauses, while Schrems, Facebook and nine of the EU countries argued for them to stay. Eoin McCullough, one of Schrems’ lawyers, during his oral argument: “We do not want to have the EU stop using standard contractual clauses, but we call for them to enforce the existing rules. It is interesting that the industry lobby groups see the same ‘solution’ to the problem as we do.”

7. Both Facebook and the U.S. government made the argument that ruling on a foreign surveillance regime is not within the court’s scope. Europe’s sweeping privacy reform — the GDPR — does not give the EU the mandate to “conduct a worldwide enquiry” of surveillance regimes across the world, said Eileen Barrington. But despite all of the assurances from both Facebook and the United States that data transferred to the U.S. is protected, almost all of the other parties in the proceedings were doubtful and many attendees expressed surprise the U.S. would even try to make the argument.

8. Biggest concern: the EU court will make a sweeping decision on standard contractual clauses and whether they protect the privacy rights of EU citizens, but will also go further and decide whether the Privacy Shield Framework goes far enough in keeping EU citizens’ data safe from the U.S. security apparatus.

Oh, and a final note: Schrems isn’t finished with Facebook even after this case is completed. His nonprofit organization called noyb (None Of Your Business) brought a class action lawsuit against Facebook in Austria for violating the General Data Protection Regulation, which took effect in May 2018. Facebook said all lawsuits against it must be brought in Ireland, where its EU headquarters are. But the Austrian Supreme Court rejected the argument, ruling that any EU citizen can bring a complaint under the regulation in their home country’s court. And Schrems has no illusions of a quick settlement. The appeals process can stretch these cases out 8-10 years.
