Schrems v. Data Protection Commissioner

Summary

Two of the most important international privacy cases in recent history arose from complaints against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaints, Mr. Schrems challenged the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which is incorporated in Ireland. The first Schrems case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US. After that case was remanded to the Irish data protection authority, the Commissioner filed a second suit (“Schrems II”) in the Irish High Court to determine whether the “standard contractual clauses” used by Facebook to authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens. EPIC has been selected by the Irish High Court to provide an amicus submission in Schrems II to “counterbalance” the submission of the U.S. Government.

Background

The Law of Data Transfers: the Data Protection Directive, Safe Harbor, and Privacy Shield

The Schrems cases address one of the core tensions between EU and US privacy law, and the international agreements and contracts that have been used to address the data protection gap. The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.

Unlike in the United States, the default rule in the European Union is that data transfers are prohibited; a transfer of personal data is permitted only if certain criteria are met. The European Data Protection Directive is the EU law embodying this norm. The Directive states that transfer of personal data to a third country may take place only if that country ensures an adequate level of data protection. The Directive also provides that the European Commission may find a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

In July 2000, the European Commission adopted a decision declaring that the United States provides for adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on the self-assessment and self-certification by private companies.

As is discussed in greater detail below, in October of 2015, the Court of Justice of the European Union ruled that the Safe Harbor framework was invalid.

Shortly thereafter, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016, and US companies have begun to self-certify and transfer data under the agreement. However, the Privacy Shield shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.

Schrems I (Safe Harbor): Max Schrems v. Irish Data Protection Commissioner

This case arose from proceedings before the Irish Data Protection Commissioner (DPC) brought by Max Schrems, an Austrian PhD student and privacy activist.

The data that Mr. Schrems, a Facebook user, provided to Facebook was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers located in the United States (Facebook, Inc.). Mr. Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the US ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and to refer the following question to the CJEU for preliminary ruling:

May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or the Commissioner is absolutely bound by the Commission’s decision?

On September 23, 2015, Advocate General Yves Bot issued his opinion on the case. The Advocate General's opinion indicated that the Safe Harbor arrangement, which permitted the transfer of personal data from the EU to the US, must end because the arrangement failed to provide the requisite legal protection under EU law and thus "must be declared invalid." The CJEU issued its ruling on October 6, 2015, agreeing with the Advocate General and invalidating Safe Harbor. The Court ruled that (1) national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement or any other arrangements concluded pursuant to an adequacy decision by the European Commission for that matter, and (2) the Safe Harbor arrangement should be invalid due to the lack of adequacy.

Schrems II (Standard Contractual Clauses): Irish Data Protection Commissioner v. Facebook and Max Schrems

Following the CJEU ruling, Mr. Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of “standard contractual clauses” to authorize EU-US data transfers, which provided the basis for a new case in the Irish High Court. Soon after the CJEU decision, the Irish High Court quashed the Irish DPC’s previous decision not to investigate Facebook Ireland regarding the allegations in Mr. Schrems’s first complaint. The Irish DPC then commenced an investigation. The Irish DPC considered two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could standard contractual clauses (SCCs) used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? Simultaneously, Mr. Schrems updated his complaint with the DPC against Facebook, and he contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision. The CJEU found that the US must make changes to its “domestic laws” and “international commitments” in order to provide essentially equivalent privacy and data protection to the European Union. Additionally, Mr. Schrems argued the SCCs fail to provide the adequate legal protection necessary to otherwise permit data transfers.

In May of 2016, the Irish DPC issued a Draft Decision announcing its preliminary position: that US law fails to adequately provide legal remedies to EU citizens and the SCCs could not address the deficiency in US law. As a result, the Irish DPC suggested the contractual clauses at issue were invalid under EU law. However, the Irish DPC found that, as a representative of one nation in the EU with limited authority, it did not have the ability to declare the clauses invalid under EU law; the Irish DPC argued that standard contractual clauses issued under the broader authority of the European Commission had been deemed by that Commission to authorize data transfers. The Irish DPC argued that, without a finding that the clauses are indeed invalid, it cannot complete its investigation into Facebook.

As a result, the Irish DPC brought the case back before the Irish High Court and is seeking a referral to the CJEU on the question of whether the standard contractual clause decisions are valid under the Charter of Fundamental Rights. The High Court granted EPIC's application to intervene as an amicus curiae in the case, which opened in February 2017.

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in Schrems II as the only NGO from the United States. EPIC will provide the Irish Court, and likely the CJEU, with a perspective on U.S. surveillance law to “counterbalance” the views offered by the U.S. Government. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has provided expert opinion to decision makers during the negotiations about data transfers between the EU and the US. EPIC has urged both sides to respect the decision of the Court of Justice of the European Union in the Safe Harbor case and provide adequate protections for personal data in transatlantic transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement.

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US.

In ACLU v Clapper, EPIC petitioned the Supreme Court to halt the disclosure of the telephone records of millions of Americans, arguing that FISC did not have statutory authority to compel Verizon to turn over all domestic telephone metadata to the National Security Agency (NSA).

As a member of the Trans Atlantic Consumer Dialogue (TACD), EPIC has been advocating for adequate safeguards for transatlantic data transfers and the revision of the Safe Harbor arrangement. Since its formation in 1998, TACD has developed into a thriving network of over 75 leading organizations representing the consumer interest on both sides of the Atlantic. TACD previously criticized Safe Harbor for its lack of effective means of enforcement, redress, and accountability for privacy violations. The TACD has called upon the US to develop legal means to safeguard the privacy of US consumers based on Fair Information Practices as articulated in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Most recently, the TACD counseled against the adoption of the Privacy Shield, urging the US to first put in place an enforceable, comprehensive legal framework supporting privacy.
