Schrems Does It Again! Europe’s Top Court Invalidates Privacy Shield: Data Privacy Trends

I’ve already seen several people cover this today and it just happened today, but it’s news if you haven’t seen it.  According to TechCrunch and several other publications, a highly anticipated ruling by Europe’s top court has just landed — striking down the flagship EU-US data flows arrangement called Privacy Shield.

In a press release, the Court of Justice of the European Union (CJEU) stated: “The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield”.  The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield ostensibly intended to mitigate this interference (such as an ombudsperson role to handle EU citizens’ complaints) are not up the required legal standard of ‘essential equivalence’ with EU law.

The case — known colloquially as Schrems II (in reference to privacy activist and lawyer, Max Schrems, whose original complaints underpin the saga) — has a long and convoluted history. In a nutshell it concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.

The Schrems II case directly concerns Facebook, while having much broader implications for how large scale data processing of EU citizens data can be done.

Schrems challenged Facebook’s use of a European data transfer mechanism used by Facebook (and many other companies) for processing regional users’ data in the US — called Standard Contractual Clauses (SCCs).  He did so at the end of 2015, when he updated an earlier complaint on the same data transfer issue related to US government mass surveillance practices with Ireland’s data watchdog. SCCs have not been struck down by today’s ruling, though judges have made it clear that third country context around the use of SCCs is king and EU regulators must step in when they suspect data is flowing to unsafe locations outside the bloc.

He asked the Irish Data Protection Commission (DPC) to suspend Facebook’s use of SCCs. Instead the regulator decided to take him and Facebook to court, saying it had concerns about the legality of the whole mechanism. Irish judges then referred a large number of nuanced legal questions to Europe’s top court, which brings us to today. Facebook, meanwhile, repeatedly tried and failed to block the reference to the Court of Justice. And you can now see exactly why they were so keen to derail this train.

The referral by the Irish High Court ended up looping in questions over the European Commission’s flagship data transfer agreement, the EU-US Privacy Shield. This replaced a long standing EU-US data transfer agreement, called Safe Harbor, which was struck down by the CJEU in 2015 after an earlier challenge also lodged by Schrems.

The TechCrunch article has much more on the ruling and ramifications of it.  I’m sure this is a topic that will be discussed quite a bit over the next several weeks, or even months.  Don’t mess with Max Schrems!

So, what do you think?  Are you surprised that the EU-US Privacy Shield has been struck down like Safe Harbor before it?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

2 comments

  1. I am NOT surprised, and this was another great result. Simply put, the US does not protect privacy rights in the same ways and with the same rigor as the EU. Well-done, CJEU!

  2. No they don’t, Darius. Maybe next time, they should get Mr. Schrems involved in the drafting of the next one, since he has defeated both Safe Harbor and Privacy Shield. 🙂

Leave a Reply