The EU’s top court is deciding whether Facebook’s method of transferring personal data from the European Union to the United States sufficiently protects EU citizens’ right to privacy.
The landmark case stems from leaks by Edward Snowden about US ‘mass surveillance’ in 2013, with the judgement likely to have far-reaching implications for how Facebook and other EU businesses transfer data across the Atlantic.
The Irish data authority, the Data Protection Commissioner (DPC), is arguing that current mechanisms for transferring European data from the EU to the US are not adequately protecting EU citizens from potential surveillance by US intelligence authorities.
Facebook argues that these data transfer mechanisms do not go beyond what is legal under EU law. Meanwhile, Austrian privacy activist Max Schrems views US surveillance as a violation of EU privacy laws, but argues that European data authorities such as the DPC already have the legal tools needed to protect EU personal data.
The issue centres on standard contractual clauses (SCCs), a mechanism by which Facebook and other companies transfer personal data from the EU to the US. SCCs are designed to safeguard EU personal data when transferred to a third country outside of the EU.
From Snowden to ‘Schrems II’: How we got here
The complex case is six years in the making. In 2013, former CIA contractor turned whistleblower Edward Snowden leaked the existence of PRISM, a National Security Agency (NSA) spying programme that forced tech companies to give US intelligence agencies access to data of millions of people around the world. Documents released by Snowden suggested that Facebook was part of the PRISM arrangement.
Enter Austrian privacy lawyer Max Schrems, who had already been toe-to-toe with Facebook over its use of facial recognition software in Europe – and won.
Following the 2013 Snowden revelations, Schrems lodged a complaint with the Irish DPC that Facebook, in its transferring of data from the EU to the US via a legal mechanism known as Safe Harbor, could not protect his data from surveillance by US intelligence agencies once it was located in servers on US soil.
At first, the DPC rejected the case and it was referred to the Court of Justice of the European Union (CJEU). Then, in 2015, the CJEU ruled that Safe Harbor was invalid, striking it down with immediate effect. The CJEU also ruled that data protection authorities, including the DPC, could investigate such complaints.
The European Commission and the US agreed upon a new framework to replace Safe Harbor: Privacy Shield.
The DPC then revealed that Facebook had not in fact used the now-defunct Safe Harbor arrangement. Instead, Facebook had been using SCCs to transfer data between the EU and the US. Schrems then adapted his complaint, arguing that SCCs still allow the NSA to access the data of European citizens.
After a few months of investigating, in 2016 the DPC then filed a lawsuit against Schrems and Facebook at the Irish High Court. This allowed the DPC to refer questions to the CJEU. The Irish High Court, having found that the US government does engage in “mass processing” of European personal data, then referred the case to the CJEU.
The hearing took place on 9 July 2019. The ongoing case (officially known as Case C-311/18) has been dubbed ‘Schrems II’, following Schrems’ previously lodged complaints.
Facebook data transfer case: Where they stand
The three parties in the case each agree and disagree on overlapping issues. The DPC is the applicant in the case, while Facebook Ireland Ltd (Facebook’s Irish subsidiary) and Max Schrems are the defendants.
Both the Irish DPC and Schrems take the view that US surveillance laws violate the rights to privacy, data protection and redress under EU law.
But while they agree on this point, they differ on whether SCCs are a suitable mechanism to protect European data from US ‘mass surveillance’.
The DPC says that SCCs are invalid for protecting data transferred from the EU to the US.
Schrems, however, views SCCs as an adequate solution for protecting European data from US surveillance – provided SCCs are correctly applied and enforced by the DPC.
“We are proposing a measured solution,” Schrems said in a statement before the case. “The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over.
“This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2-3% of the cases that were brought before it. We don’t have a problem with ‘Standard Contractual Clauses’, we have a problem with enforcement.”
Meanwhile, Facebook views the current transfer of data between the EU and the US as adequate, and argues that US law does not go beyond what’s legal under EU law.
Jack Gilbert, associate general counsel for Facebook, said in a statement that:
“Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas.
“SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide.”
Verdict contacted the DPC, but had not received a response at the time of writing.
What happened at the hearing?
The case was heard yesterday before the Grand Chamber of the Court of Justice in Luxembourg. It saw legal arguments presented for the validity of transfer mechanisms such as SCCs to safeguard EU data protection rights.
Bridget Treacy, partner and lead of the UK Privacy and Cybersecurity Practice at law firm Hunton Andrews Kurth, told Verdict:
“Supporters of the SCCs argued that they contain sufficient safeguards – i.e. they reinforce data subject rights, impose obligations on the data exporter and on the importer to respect EU law and enable data protection authorities to take enforcement action, including the possibility of suspending data flows – and that accordingly the SCCs’ transfer mechanism itself should not be invalidated.”
Facebook warned that invalidating data transfers would have immense implications for trade.
Facebook: The effect of an invalidation of data transfer on trade would be immense and would have WTO implications for the EU. #EUdataP
— Laura Kayali (@LauKaya) July 9, 2019
“They also asked the CJEU to separate the issue of the validity of the SCCs from any analysis of third-country laws (in particular, US laws) which they argued is irrelevant in this case,” added Treacy.
Schrems told Verdict via email:
“It seems everyone agrees that the DPC should have dealt with the issue of US surveillance, instead of sending it back to Luxembourg another time. The case is now before the DPC without a decision for six years. All parties agreed that there is no need to invalidate the SCCs, as they allow the DPC to suspend data flows anyways.
“Otherwise there were basically views that ‘mass surveillance’ should somehow not be subject to EU law or treaded towards a lower standard – but really no one argued that they actually comply with EU law.”
Facebook: "End of the internet" drama coming out, when in fact there are many different tools for necessary transfers and not all US companies are covered by the FISA.
— Max Schrems (@maxschrems) July 9, 2019
The court also heard statements from representatives of the US government and several EU nations, who “emphasised the importance of national security activities and the need to find an appropriate balance between national security interests and data protection rights”, said Treacy.
What are the implications of the data transfer case?
Facebook is the defendant in this case, but data privacy experts have said that the court’s decision could impact the way thousands of businesses process European personal data.
When Safe Harbor was struck down in 2015, companies had SCCs to turn to as an alternative mechanism to transfer data across the Atlantic.
“If either [Privacy Shield or SCCs] or both are struck down the practical alternative for businesses relying on these transfer mechanisms is unclear,” said data protection lawyer Robert Wassall, who is the director of legal services at cybersecurity firm ThinkMarble.
“However, perhaps in anticipation of the outcome, the European Commission announced on 13 June 2019 that it will update the SCCs (although it is not clear whether this work will be completed prior to the court’s rulings).”
Treacy said that if data transfer mechanisms are invalidated “the day to day operations of organisations around the globe, involving transfers of EU personal data, will be thrown into disarray”.
Similarly, Tanguy Van Overstraeten, global head of data protection at law firm Linklaters, told Reuters that such a decision could “impact the global economy”.
However, Schrems told Verdict that such arguments are “BS” and “fear-mongering”.
“We heard the same stories when the Safe Harbor was invalidated – and it did not come true,” he said.
He added that the “necessary data flows” – such as sending an email or booking a hotel in the US – are exempt from the rules being contested because they fall under ‘derogation’ in Article 49.
However, Treacy said that “derogations – such as consent – are not currently available for repeated, mass or structural data flows”.
The Brexit issue
Further complicating the matter for the UK is Brexit.
“Of course, for businesses in the UK the situation will be even more uncertain if the UK leaves the EU without an agreement on 31 October 2019,” said Wassall.
“At this stage, the most sensible course of action is to keep a close eye on these cases as they develop, whilst at the same time, suitable alternatives to Privacy Shield and the SCCs are considered.”
So, what should companies do?
“In the absence of any period of grace, adopting a ‘wait and see’ approach during the period between the judgment and the European Commission’s decision on new sets of standard contractual clauses, risks a fine of €20m or 4% of the global annual turnover,” said Treacy.
“Clearly this is not a practical solution. At a minimum, organisations should ensure they have identified potentially affected data flows, and start to consider whether any of the admittedly limited alternative transfer mechanisms may provide a solution to enable any or all of their data flows to continue.”
The non-binding opinion of attorney general Saugmandsgaard Øe will be read on 12 December this year, while the judgement is expected in spring 2020.