After Safe Harbor, will Max Schrems sink the Privacy Shield? The Court of Justice of the European Union is due to deliver its judgment in the ‘Schrems II’ case (see EUROPE 12292/15) on Thursday 16 July.
This decision could invalidate the model contracts (standard contractual clauses) developed by the European Commission to regulate the transfer of data from the EU to non-Member States, or even suspend the transatlantic data protection shield.
A long process
This case (C-311/18) dates back to 2013. After Edward Snowden’s revelations about US surveillance programmes targeting people living outside the US, Austrian lawyer and founder of the NGO NOYB (‘None of Your Business’), Max Schrems, had filed a complaint with the Irish Data Protection Commission (DPC) to stop the flow of data between Facebook’s European headquarters in Ireland and its parent company in California.
His lawsuit led to a 2015 ruling by the EU Court of Justice invalidating the agreement on the transfer of personal data between the EU and the US, the so-called ‘Safe Harbor’.
But the case did not end there, as in November 2016, the Irish data protection authority notified Mr Schrems that Facebook transfers did not fall under the Safe Harbor, but under another mechanism: ‘standard contractual clauses’.
Contractual clauses targeted
In 2016, the regulatory environment changed radically, as the Safe Harbor was replaced by a new self-certification mechanism for US-based companies and deemed sufficiently protective of privacy by the European Commission, known as Privacy Shield. Then the General Data Protection Regulation (GDPR) was adopted.
Faced with Max Schrems’ re-classification of his complaint, the DPC decided to refer the case to the Court of Justice of the EU again. Hence the name of the case ‘Schrems II’.
In view of the context, the Court’s judgment should primarily concern the validity of the Decision (2010/87/EU) establishing ‘standard contractual clauses’ (SCC) for the transfer of data outside the EU.
But the judgment could also be broader and follow the path mapped out by the Advocate General of the Court in 2019, Henrik Saugmandsgaard Øe (see EUROPE 12394/7). In his findings, the latter considered the 2010 decision on SCC clauses to be valid, but strongly criticized the ‘Privacy Shield’, including the lack of an effective remedy.
What are the consequences for companies?
On the corporate side, the decision has caused panic. They argue that invalidation of the standard contractual clauses and/or the ‘Privacy Shield’ will lead to uncertainties about how data would be transferred abroad in the future.
And one observer argues that, unlike 2015, there is “no Plan B” here. When the ‘Safe Harbor’ was rendered invalid, the parties were already thinking about a replacement, which is not the case here, he said.
The Commission uncertain
In the European Parliament’s Committee on Civil Liberties on Monday 13 July, Justice Commissioner Didier Reyners recalled that the Commission had been working for some time to modernise the standard contractual clauses in order to “strengthen the level of protection guaranteed by these clauses, in line with the requirements of the GDPR, while ensuring that they cover a greater number of types of transfer”.
However, this project is conditional on the decision of the Court of Justice, he said.
Mr Reynders also indicated that the Commission was awaiting the decision of the European judges before publishing its assessment of the eleven adequacy decisions adopted under the 1995 Directive, the predecessor to the GDPR (see EUROPE 12513/10).
He promised that this analysis would be published “after the summer”, adding that the ruling would certainly require in-depth discussions with the countries concerned, and even the negotiation of additional safeguards.
“The Commission could withdraw some adequacy decisions or amend some that are no longer in line with the General Data Protection Regulation”, he said. (Original version in French by Sophie Petitjean)