June 22, 2020

The US data protection framework under pressure (CJEU case ‘Schrems II’), by Socrates Vertellis

One of the main pillars of the digital economy is the flow of data between businesses located in different parts of the world, which allows new products and services to come onto the market and gives a better understanding of consumer needs. However, the transfer of data to countries with a low level of data protection exposes data subjects to risks and puts their rights at stake. This is why Directive 1995/46 (the Data Protection Directive or DPD) prohibited the transfer of data to third countries (outside the EEA) unless they ensured an adequate level of protection. The Commission had the power to take what were called ‘adequacy decisions’ – a regime continued under the GDPR – meaning that, after scrutiny, it could decide that a specific country provided sufficient data protection. The fact that a third country was covered by an adequacy decision was enough for data flows between the EEA and that country to be deemed fully legitimate. Hence, in 2000 the Commission adopted Decision 2000/520/EC stating that the US Safe Harbor Privacy Principles Framework (the ‘Safe Harbor’) provided adequate safeguards for data protection. However, following Edward Snowden’s revelations on the extent of the NSA’s surveillance activities, an Austrian citizen (Maximillian Schrems) lodged a complaint with the Irish Data Protection Authority (the competent authority, since Facebook’s EU headquarters are located in Ireland) asking it to prevent Facebook from sending his personal data to the US, where Facebook holds servers processing data, on the grounds that the Safe Harbor did not ensure enough protection. The case was finally referred to the CJEU, which delivered judgment C-362/14 (‘Schrems I’) upholding Mr Schrems’ arguments and invalidating adequacy decision 2000/520/EC. ‘Schrems I’ dealt a first blow to EU-US trade relations because of the huge amounts of personal data transferred to the US by multinational companies, especially tech giants.

To satisfy the demanding EU rules and restore normality in the market, the US hurried to replace the Safe Harbor with the US Privacy Shield Framework (the ‘Privacy Shield’). A new adequacy decision (Decision 2016/1250) was adopted by the Commission in July 2016, recognizing that the standards laid down by the Privacy Shield were now sufficiently high. However, soon afterwards the GDPR came into force, and consequently international transfers to third countries are permitted only where the level of protection offered by the third country complies with the stricter protection requirements set out by the Regulation. Thus, in the course of examining a reformulated complaint about the respect of data protection in the US, filed again by Maximillian Schrems, and exactly four years after Decision 2016/1250 was published, the CJEU delivered a new judgment (C-311/18) also annulling the Commission’s recent adequacy decision. In the Court’s view, Decision 2016/1250, by accepting the primacy of US national security while many US surveillance programs do not limit intrusion to what is strictly necessary, is contrary to the security standards required by the GDPR and is therefore declared null and void.

The implications of ‘Schrems II’ are twofold. On the one hand, from a social perspective, data subjects now have even more reason to entertain serious doubts about the Commission’s ability to assess the safeguards provided by third countries in respect of data protection. This lack of confidence would be disastrous if individuals came to believe that adequacy decisions in fact demonstrate either the Commission’s low bargaining power or, even worse, the circumvention of protection standards in favor of trading relations. On the other hand, from an economic perspective, after the annulment of Decision 2016/1250 the digital economy and the commercial bonds between US and EU companies are gravely threatened, because data flows to the US, which are undeniably so necessary to the digital world we live in, will now be allowed only under the regime of standard contractual clauses (SCC) established by Decision 2010/87 – and, where possible, under that of binding corporate rules (BCR). This means that both the data exporter and the data importer now inevitably become much more engaged in the whole process of the transfer and must play a proactive role in complying with the GDPR. Businesses must be much more alert, since they can no longer simply rely on an adequacy decision that would otherwise automatically validate their data flow. Instead, they have to investigate the conditions themselves (just imagine the resources SMEs would have to dedicate to that purpose!) and, where the environment for processing and protection in the third country fails to satisfy the requirements of the GDPR, they have to abstain from the data transfer.

The significant disruption to commercial relations brought about by ‘Schrems II’ will certainly act as a catalyst for reforms on both sides of the Atlantic. We can only wait and see whether the scales will finally tip in favor of human rights or of trade exchanges.