The Court of Justice of the European Union (CJEU) has ruled that national data protection authorities must vet transfers of personal information overseas before they are allowed to go ahead.
Yesterday, we reported on a pending court ruling that could have wide-ranging implications for online companies like Facebook. What must companies do to comply with the General Data Protection Regulation (GDPR) when transferring personal information overseas? Today, we have an answer.
The CJEU, Europe’s top court, has ruled that data protection authorities in each member state must vet transfers of personal information before companies can send it overseas. Regulators can’t simply rubber-stamp a transfer and look the other way. The ruling is being seen by some European privacy observers as a major blow to Facebook, which was clearly hoping for a free pass on the issue. That free pass did not happen. From The Guardian:
The ruling of the court of justice of the European Union (CJEU) does not immediately end such transfers, but requires data protection authorities (DPAs) in individual member states to vet the sending of any new data to make sure people’s personal information remains protected according to the EU’s data protection laws (GDPR).
The complaint, which goes back to October 2014, was lodged by Austrian privacy activist Max Schrems. He argued, following the Snowden revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the US, given the evidence of widespread eavesdropping by the country’s National Security Agency (NSA), and the fact that the US legal system only protected the rights of US citizens.
Schrems’ initial complaint led to the overturning of the EU/US “safe harbour”, which had governed data transfer between the two countries, and the creation of a new treaty, the EU/US “privacy shield”. This latest ruling has overturned that policy too.
“At first sight it seems the court has followed us in all aspects,” Schrems said in a statement. “This is a total blow to the Irish DPC [data protection commission] and Facebook. It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a role on the EU market.”
“The court is not only telling the Irish DPC to do its job after seven years of inaction, but also that DPAs have a duty to take action and cannot just look the other way,” he added. “This is a fundamental shift going far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR. The court has clearly told the DPAs to get going and enforce the law.”
So, it wasn’t exactly a total victory for privacy. The hope among some advocates was that data would simply not be transferred overseas at all. Still, the ruling mandates oversight before data is sent overseas in the first place.
European Digital Rights (EDRi) is hailing this ruling as a major victory nevertheless. They called it a landmark ruling that invalidates the EU-US Privacy Shield framework. From EDRi:
Today, 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield. The ruling proves a major victory for EU residents on how their personal data is processed and used by platforms like Facebook. The decision mandates the need to bring strong privacy legislation in the US and generally a close scrutiny to data protection systems in place to avoid the misuse and unnecessary handling of private data of EU residents.
The huge power of US intelligence services, as disclosed by Edward Snowden in 2013, proved that the data protection and privacy rights of EU residents are not sufficiently protected. We cannot allow any foreign agency to track and surveil our communities with such a disregard for fundamental rights.
“Today’s European Court of Justice ruling is a victory for privacy against mass surveillance”, says Diego Naranjo, Head of Policy at EDRi. “This is a win both for Europeans, whose personal data will be better protected, and a call for US authorities to reform the way intelligence service operate.”, he further adds.
At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy. The CJEU has decided today to bin Privacy Shield and instead reinforce that Standard Contractual Clauses (SCCs), which are one of the ways in which companies can make data transfers, need very close scrutiny or should be suspended, if protections in the third country cannot be ensured. As noyb notes in their first reaction, Facebook and similar companies may also not use “SCCs” to transfer data as the DPC must stop transfers under this instrument. The ruling is great news for all of those defending human rights online.
Max Schrems, chairman of noyb (None of Your Business), is the man who lodged the complaint that started this case in the first place. So, he is one of the key players in all of this. Schrems issued a statement on the ruling. It reads, in part:
Schrems: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”
Schrems: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Schrems: “This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”
Herwig Hofmann, law professor at the University of Luxembourg and one of the lawyers arguing the Schrems cases before the CJEU: “The CJEU has invalidated the second Commission decision violating EU fundamental data protection rights. There can be no transfer of data to a country with forms of mass surveillance. As long as US law gives its government the powers to vacuum-up EU data transiting to the US, such instruments will be invalidated again and again. The Commission’s acceptance of US surveillance laws in the Privacy Shield decision left them without defence.”
We tried digging around for reaction from Facebook, but so far, we haven’t found any. We did, however, find comments from the Irish Data Protection Commission. Their statement reads partly as follows:
The DPC commenced these proceedings in 2016 precisely because it was concerned that, properly understood, the CJEU’s Safe Harbour judgment of 2015 was to be read as indicating that, for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic. Moreover, this was so, whatever the legal mechanism by which such transfers were conducted.
While constrained, in some respects, by facts particular to Mr Schrems’ complaint against Facebook, to include Facebook’s reliance on the Standard Contractual Clauses (SCCs) transfer mechanism, the DPC brought these proceedings – and resisted objections from both Facebook and Mr Schrems – specifically in order to secure a decisive statement of position from the CJEU in relation to the key issues of principle at stake when an EU citizen’s personal data is transferred to the United States.
Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.
The Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.
Reflecting the complexity of many of the legal issues it addresses, the judgment (and, indeed, the case as a whole) has many layers, each of which will require careful consideration in the coming days and weeks.
So, a lot of reaction is already pouring in. We might hear some further reactions in the days ahead. For now, this is definitely a major development in the world of European privacy. We’ll keep an eye out for potential fallout from all of this. Still, a big day for privacy rights advocates and organizations.
Drew Wilson on Twitter: @icecube85 and Facebook.