Privacy Shield: Schrems II
Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) – Case C-311/18
JUDGEMENT ANALYSIS: DECISION OF THE COURT OF JUSTICE OF THE EUROPEAN UNION: 16 JULY 2020
LEGAL CONTEXT BACKGROUND
On 16 July 2020 the European Court of Justice declared invalid the adequacy decision pertaining to the Privacy Shield, which had been adopted in 2016. The invalidity of the Privacy Shield meant that companies such as Facebook and Google would continue to be required to meet all data transfer requirements as per the European Union Data Privacy Laws (hereafter referred to as EU Law).
The Privacy Shield made several promises. However, the delivery of those promises depended upon the data requirements set by the Court of Justice being met. Indeed, a contract or a judgement that tries to enforce requirements that are impossible to execute is either void or voidable.
Invalidity of such a contract or judgement is often the consequence. When the contract is void, invalidity is effective from the beginning of the contract. When it is voidable, however, it becomes invalid only when either party disputes it with a legal reason by revoking or cancelling it. In this judgement, the contract of the Privacy Shield between the United States of America (hereafter referred to as the US) and the European Union is voidable. Therefore, it became invalid due to Mr. Maximillian Schrems asserting his legal right to data privacy protection against Facebook. Facebook was also a party shielded under the Privacy Shield as a paying participant.
THE CREATION AND PURPOSE OF THE PRIVACY SHIELD
The Privacy Shield was constructed by the United States Commerce Department and the European Union (hereafter referred to as the EU). They did so with the purpose of providing a system that would safeguard the transfer of personal data from the EU to the US, where the data would be transferred with the goal of supporting transatlantic commerce.
The history of the Privacy Shield is based on several negotiations between the US and the EU. However, to analyse the ruling of 16 July 2020, it is critical to look at the rulings that set it in motion.
On 12 July 2016 the European Commission (hereafter referred to as the Commission) declared that the Privacy Shield Framework between the US and the EU was adequate under EU Law, stating that it was adequate to enable data transfers.
On 16 July 2020 the Court of Justice of the EU issued a judgement which declared that the Privacy Shield adequacy decision (European Commission Decision 2016/1250 of 12 July 2016) was invalid.
THE POWERS OF THE EUROPEAN COMMISSION ON THE MATTER
The European Commission was the lead negotiator with the US. On 2 February 2016 the Commission reached an agreement regarding the Privacy Shield Framework. Thereafter, on 8 July 2016, Member States voted positively, thus formalising the Framework on 12 July 2016.
THE POWERS OF THE COURT OF JUSTICE ON THE MATTER
On 6 October 2015 the Court of Justice set strict requirements that needed to be met before the Privacy Shield could be adopted as a valid mechanism for the transatlantic exchange of personal data for commercial purposes. It was also the Court of Justice that had declared the International Safe Harbor Privacy Principles (hereafter referred to as Safe Harbor) invalid. The Safe Harbor had been a tool on which the US had relied when dealing with data transfer matters. Initially it was also proposed as a mechanism that all parties could rely on when transferring personal data from the EU to the US.
In reaching the agreement of adequacy in 2016, factors from the Safe Harbor were deliberately used to convince the Commission. This was done by judging, amongst other factors, the already existing commitments that the US had with the EU. It is further noted that, from the Safe Harbor, one of the key factors used to determine adequacy was the FAQs.
Relying on FAQs presents a higher risk in terms of absolute reliability, and as a key source of reference for the courts of law. One of the reasons for this is the high subjectivity of FAQs. For example, new organisations can usually draw up their own FAQs based on what they think people would ask, and do so without any user actually having asked those questions. Some organisations draw up such questions relying on professional experience, the market or competitors, and data future analytics.
The risk with FAQs arises because it is impossible to have a conclusive estimation of what the users or consumers would really want to know until the subject is active. In the case of the Privacy Shield Framework, only a few factors were certain. The rest was based on the principles of trust that existed between the countries or their representatives, rather than on concrete evidence pertaining to the absolute assurance of personal data protection.
The adequacy of the Privacy Shield was declared ‘invalid’ because not all of the requirements relating to the transfer of personal data of people in the EU to third countries were met. Consequently, reversing the ruling of adequacy in favour of the Privacy Shield to ‘invalid’ is reasonable. Indeed, the law is not set in stone. Any and all laws are subject to revisions and adjustments, particularly in cases where there is no precedent case law.
We must note that Article 25 of the key directive had stated that:
‘1. The Member States shall provide that the transfer to a third country of personal data … may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; …’
In such a context, it is reasonable, even in cases where there are precedents, to review the relevance and effectiveness of all laws. When doing so, one must consider the time, environment, political and economic factors, technological changes, market developments, social influences, and risk related factors, such as safety and security.
To give a clearer perspective on why laws can be reversed: there were times when slave trading was accepted and recognised under commercial law. However, with the changes in time, environment, and other social factors, that law was reversed and deemed invalid.
Therefore, the invalidity decision by the Court of Justice is commendable because it regains the trust of the EU citizens regarding their rights to data privacy.
Element of Trust
Trust is one of the key factors in contract law. However, usually, and except in special cases, the element of trust does not bind third or other parties that are not involved in the negotiations. To give an example, in a business transaction, the trust factor is often binding on the buyer and the seller, and not on their friends, relatives, or even suppliers.
However, in the case of the Privacy Shield, the US negotiated on behalf of all the companies that would participate in the framework. Likewise, the Commission negotiated on behalf of the EU citizens/consumers. Both parties trusted that the organisations that would participate would adhere to the expectations of the set requirements, and the seven principles that were to be followed.
US Domestic Law
In the negotiations, it was raised that the US Domestic Law was one of the components that gained the Commission’s trust, and it was relied on as another measure of securing data protection. However, the gap between the US law and the EU law, which was identified by the Court of Justice, did not prove, in absolute terms, the extension of the trust component to EU consumers. Hence the decision of invalidity.
Role of Max Schrems
Mr. Schrems challenged the Privacy Shield Adequacy in his own best interest. In fact, it could have been any EU citizen. The Court of Justice had to take his rights into account. His interests are indeed protected as per, for example, Article 69:
‘ …a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.’
Human and Procedure Factors
We can also accept that there was an element of human fault within the entire process. We can thus conclude that the law can rightfully be adjusted in light of new insights. This is not the first case whose decision was reversed by invalidating a prior ruling. The case of Vaupel, for example, is one of many that the Court of Justice has invalidated since the 1980s.
To analyse the procedure in terms of applying the law, we must analyse whether the necessary steps were followed. Were critical questions asked to reach the adequacy verdict on 16 July 2016? If not, which is likely the case here, then we can accept that some critical details in the application of the law to reach the judgement were overlooked.
Before the ruling of 12 July 2016, the data laws were not sufficiently compared point by point, particularly with a view to identifying any differences between the US law and the EU law relating to data handling. If this had been done early on, the gap would have been identified, and plans would have been made to close it.
PROPOSED CRITICAL REMARKS
Sufficient due diligence was not followed in the ruling made on 12 July 2016, namely the declaration of the ‘adequacy’ of the Privacy Shield Framework.
The adequacy decision that was taken by the Commission declared that ‘a non-EU country’, as in the case of the US, ‘ensures an adequate level of protection of personal data by reason of its domestic law and international commitments.’
Current State – Future
Procedurally, it is still out of the norm that companies are still required to pay yearly non-refundable participation fees to a framework that has been deemed inadequate, and one that has been recognised as not fully meeting the standards of data transfer from the EU to the US. In the end, it can be concluded that currently the Privacy Shield is a Law-under-construction.
Court of the European Union. (2020, 7 16). The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shie – CURIA – europa.eu [Judgment of the Court (Grand Chamber) of 16 July 2020 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems]. Judgment in Case C-311/18. https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
EUROPA. (2016, 5 20). EU-US Data Protection Umbrella Agreement – 20 May 2016 English. Commercial sector: EU-US Privacy Shield. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
European Court of Justice. (2020, 7 16). The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. CURIA. https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091 en.pdf
European Parliament and Commission. (2016, 7 27). Recital 69 – Right to Object. Recitals. https://gdpr.eu/recital-69-right-to-object/
Publications Office of the European Union. (1983, 8 6). Case 131/83: Action brought on 11 July 1983 by Peter Vaupel against the Court of Justice of the European Communities. Europa. https://op.europa.eu/en/publication-detail/-/publication/a3a41ea4-73a5-4993-a3bd-0dc73a31ebc1