One of the most important international privacy cases in recent history arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaint, Mr. Schrems challenged the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which is incorporated in Ireland. The case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US.
The Law of Data Transfers: the Data Protection Directive, Safe Harbor, and Privacy Shield
The Schrems cases address one of the core tensions between EU and US privacy law, and the international agreements and contracts that have been used to address the data protection gap. The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.
Unlike in the United States, the default rule in the European Union is that data transfers are prohibited; a transfer of personal data is permitted only if certain criteria are met. The European Data Protection Directive is the EU law embodying this norm. The Directive states that transfer of personal data to a third country may take place only if that country ensures an adequate level of data protection. The Directive also provides that the European Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
In July 2000, the European Commission adopted a decision declaring that the United States provides for adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on the self-assessment and self-certification by private companies.
As is discussed in greater detail below, in October of 2015, the Court of Justice of the European Union ruled that the Safe Harbor framework was invalid.
Shortly thereafter, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016, and US companies have begun to self-certify and transfer data under the agreement. However, the Privacy Shield shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.
Max Schrems v. Irish Data Protection Commissioner (the “Safe Harbor” Decision)
This case arose from proceedings before the Irish Data Protection Commissioner (DPC) brought by Max Schrems, an Austrian PhD student and privacy activist.
The data that Mr. Schrems, a Facebook user, provided to Facebook was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers located in the United States (Facebook, Inc.). Mr. Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the US ensures an adequate level of protection of the personal data transferred.
Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and to refer the following question to the CJEU for preliminary ruling:
May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country, or is the Commissioner absolutely bound by the Commission’s decision?
On September 23, 2015, Advocate General Yves Bot issued his opinion on the case. The Advocate General’s opinion indicated that the Safe Harbor arrangement, which permitted the transfer of personal data from the EU to the US, must end because the arrangement failed to provide the requisite legal protection under EU law and thus “must be declared invalid.” The CJEU issued its ruling on October 6, 2015, agreeing with the Advocate General and invalidating Safe Harbor. The Court ruled that (1) national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement, or under any other arrangement concluded pursuant to an adequacy decision by the European Commission, and (2) the Safe Harbor arrangement should be invalid due to the lack of adequacy.
EPIC has long been involved in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for personal data regardless of where it resides. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.
EPIC has participated as an amicus before international courts concerning the lack of safeguards for data transferred internationally. EPIC was chosen by the Irish High Court to make amicus submissions in the related case Data Protection Commissioner v. Facebook and Schrems, and also made amicus submissions in that case before the Court of Justice of the European Union. EPIC also previously joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a “friend of the court” in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
Irish Data Protection Commissioner
- Schrems Complaint to the DPC (June 25, 2013)
Irish High Court, No. 2013 765JR
- High Court Reference to the CJEU for Preliminary Ruling (July 17, 2014)
CJEU, Case C‑362/14
- Advocate General’s Opinion on Case C-362/14 Maximillian Schrems v Data Protection Commissioner (Sept 23, 2015)
- Ruling on Safe Harbor (October 6, 2015)
- EPIC webpage, EU Data Protection Directive (2016)
- EPIC webpage, Privacy Shield EU-U.S. Data Transfer Arrangement (2016)
- EPIC webpage, Max Schrems v Irish Data Protection Commissioner (Safe Harbor), (2016)
- European Commission, Model Contracts for the transfer of personal data to third countries (2016)
- Courts Service Ireland, High Court (2016)
- Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield
- Annexes to the Commission Implementing Decision (July 12, 2016)
- EU-US Privacy Shield Framework Principles issued by the US Department of Commerce
- Europe v Facebook, US Government wants to intervene in European Facebook Case (June 13, 2016)
- Trans Atlantic Consumer Dialogue, Resolution on the EU-U.S. Privacy Shield Proposal (April 7, 2016)
- Commission Communication on the Transfer of Personal Data from the EU to the United States of America under Schrems (November 6, 2015)
- EPIC’s Testimony before Congress on Safe Harbor (November 3, 2015)
- Max Schrems, First Thoughts on Decision C-362/14, Europe v Facebook (October, 2015)
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
- Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
- Europe v Facebook website
- Safe Harbor Framework
- Marc Rotenberg, Anna Fielder, Jeff Chester, Letters to the Editor of the New York Times on Digital Privacy, in the U.S. and Europe (October, 2015)
- EU and US organisations welcome the European Court of Justice Safe Harbor Ruling, TACD (October 15, 2015)
- EPIC, Decision by EU Legal Advisor Signals End of “Safe Harbor” (September 23, 2015)
- EPIC, EPIC Expresses Support for Advocate General Opinion in Schrems Case (September 28, 2015)
- EPIC, Advocate General Correctly Determines that Safe Harbor Fails to Protect Privacy and Does Not Establish Trust, Threatening Data Flows that Underpin Transatlantic Trade (September 28, 2015)
- Simon Davies, Five uncomfortable facts about the CJEU Safe Harbour decision, Privacy Surgeon (October, 2015)
- Dr Gus Hosein, There is no Safe Harbour from U.S. Authorities, Privacy International (October 6, 2015)
- Joe McNamee, Fifteen years late, Safe Harbor hits the rocks, European Digital Rights (October 6, 2015)
- BEUC, Historic victory for Europeans’ personal data rights, BEUC (October 6, 2015)
- TACD, TACD Statement in Response to European Court of Justice Safe Harbour Ruling, TACD (October 6, 2015)
- Estelle Masse, How safe is the “Safe Harbour”? A close look at the “Schrems” case on the eve of the ruling, access (October 6, 2015)
- Joe Uchill, US to Join Irish Facebook Case, The Hill (July 19, 2016)
- RTE News, US govt can join legal action over data transfers – High Court (July 19, 2016)
- Glyn Moody, In “an unusual move,” US government asks to join key EU Facebook privacy case, Ars Technica (June 13, 2016)
- Cryptic Safe Harbor Pact ‘Privacy Shield’: Public, Possibly Soon, Forbes, February 6, 2016
- EU-US Privacy Shield offers flimsy protection, InfoWorld, February 5, 2016
- The new Safe Harbor agreement: Will it survive Europe’s paranoia?, American Enterprise Institute, February 5, 2016
- U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal, JDSupra, February 4, 2016
- U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await, New York Times, February 2, 2016