Schrems and the future of EU-US data transfers (or lack thereof…)

Golden Data Law
Jun 30, 2019
Pre-fight: Oil for the engine of an airliner preparatory to takeoff. Municipal airport, Washington, D.C. July 1941. / Britt Fuller

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it.

I am a lecturer at Santa Clara Law.

You can call me L.

I don’t know how this whole Big Bad Schrems thing got started, but it’s all wrong.

Maybe it is because his case brought down Safe Harbor and Privacy Shield. Hey, it’s not his fault nobody told him Facebook relied on SCCs for exports to the US. If you believed Facebook relied on Safe Harbor, you would have included it in your complaint too.

Like I was saying, the whole Big Bad Schrems thing is all wrong.

The real story is about a guest lecturer, a persistent activist, a famous whistle-blower, and a friend of mine who let us all down when it mattered most.

This Is the Real Story…

Image from page 62 of “Bird-lore” (1899) / Internet Archive Book Image
Internat’l law class, Columbia / The Library of Congress

“[…] the interpretation of EU law and examination of the legality of EU legislation must be undertaken in the light of the fundamental rights guaranteed by the Charter”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶99)

“When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information.”

Recital 116 of GDPR

Passengers boarding a Capitol Airways flight at Shannon Airport. / National Library of Ireland

“[…] a Commission adequacy decision is, in its entirety, binding on all the Member States to which it is addressed and is therefore binding on all their organs in so far as it finds that the third country in question ensures an adequate level of protection and has the effect of authorising such transfers of personal data”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶117)

Image from page 84 of “Kurt Gelles Collection” (1912) — IABI

“Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.”

C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 88)

“In the present case, in essence, Mr Schrems requested the Commissioner to prohibit or suspend the transfer by Facebook Ireland of his personal data to Facebook Inc., established in the United States, on the ground that that third country did not ensure an adequate level of protection.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶159)

“…the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements…”

C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 47)

Cool in Summer: Keeping the airliner air-conditioned while it is on the ground. Municipal airport, Washington, D.C., July 1941. / Britt Fuller

A finding of adequacy does not require an identical level of protection but it requires “the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union”

C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 73)

Silver Fleet: In the main waiting room of the municipal airport in Washington, D.C., July 1941. / Britt Fuller

“[…] it is clear from the information provided in the order for reference that, in the main proceedings, Facebook Ireland claims that the Privacy Shield Decision is binding on the Commissioner in respect of the finding on the adequacy of the level of protection ensured by the United States and therefore in respect of the lawfulness of a transfer to that third country of personal data pursuant to the standard data protection clauses in the annex to the SCC Decision”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶152)

“[…] the referring court harbours doubts as to whether US law in fact ensures the adequate level of protection […] As far as concerns effective judicial protection, it adds that the introduction of a Privacy Shield Ombudsperson cannot, in its view, remedy those deficiencies since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47 of the Charter.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶168)

Speedway driver Harry Lewis recovers from a crash, St. Vincent’s Hospital, by Sam Hood, Feb 1935 / State Library of New South Wales

“… legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…”

C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 94)

This case in a nutshell….

Last Call: Waiting for instructions to take off. Washington D.C. municipal airport, July 1941. / Britt Fuller

“such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶96)

“[…] in the light of the fact that the level of protection ensured by a third country is liable to change, it is incumbent upon the Commission […] to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard.”

C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 76)

“[…] validity depends, however, on whether, […], such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶137)

Panorama: In the main waiting room at the municipal airport in Washington, D.C., July 1941 / Britt Fuller
Wait Here: Entrance to the waiting room at the municipal airport, in Washington, D.C. 1941 / Britt Fuller

“Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (Paragraph 91)

Skylark: An airliner on the field seen through the window of the waiting room. Municipal airport, Washington, D.C. July 1941. / Britt Fuller

“… in the absence of an adequacy decision […] a controller or processor may transfer personal data to a third country only if the controller or processor has provided ‘appropriate safeguards’, and on condition that ‘enforceable data subject rights and effective legal remedies for data subjects’ are available, such safeguards being able to be provided, inter alia, by the standard data protection clauses adopted by the Commission.”

C‑311/18, Data Protection Commissioner v. Schrems and Facebook (Paragraph 91)

Now my two cents:

Globetrotters: Decoration on the floor of the waiting room in the municipal airport in Washington, D.C. July 1941. / Britt Fuller

BACKGROUND ON THE CASES

Understanding the US surveillance laws connected with this case

Procedural background for the Schrems cases.

ANALYSIS OF THE CASES:

Schrems I

Schrems I: Questions referred

Schrems I: Court findings

Schrems II

Schrems II: Questions referred (as combined by the Court in its answers)

Schrems II: Court findings.

RESOURCES

Golden Data Articles

Case documents

Relevant law and jurisprudence:

EU law

US Surveillance law

Case-law challenging surveillance programs

Other Resources

From Max Schrems and None of Your Business (NOYB)

Transparency reports

Reactions to Schrems I

Reactions to the CJEU Decision on Schrems II

UK and adequacy

Webinars

Other resources

“Crazy takes” section
