nmann77 - stock.adobe.com

European court to decide legality of EU-US data sharing in dispute between Schrems and Facebook

A ruling by the European Court of Justice will have ramifications for hundreds of thousands of companies that share data with the US. The case aims to balance US surveillance laws with the rights of EU citizens to keep their data private

Europe’s top court will decide on Thursday whether the legal agreements used by companies to share data between Europe, the US and other countries are in breach of European law.

The European Court of Justice’s (ECJ) decision could cause disruption for companies that rely on contractual agreements known as standard contractual clauses (SCCs) to share data overseas in compliance with European data protection laws.

Businesses are also bracing themselves for the “nuclear option” that the court may opt to strike down Privacy Shield, the overarching agreement that allows Europe and the US to share data, without falling foul of Europe’s data protection laws.

The case, brought by the Irish data protection commissioner Helen Dixon, is part of a long-running battle fought by Austrian lawyer Max Schrems against Facebook Ireland. Schrems is challenging the legality of the social media company’s transfer of personal data to the US.

At its heart is the clash between Europe’s General Data Protection Regulation (GDPR), which gives European citizens the right to data privacy, and US mass surveillance legislation, which give the US intelligence agencies access to the data from companies such as Facebook once it reaches US shores.

The Irish High Court has referred 11 questions to the European Court of Justice, which will give its response this week.

Decision ‘critical for international trade’

For companies that rely on SCCs and Privacy Shield to share data overseas, there is a lot riding on the court’s decision.

“The importance is huge, because the case is questioning the legal mechanism that everyone takes for granted that has been in operation for decades to transfer data from Europe to anywhere else in the world,” said Eduardo Ustaran, a partner at law firm Hogan Lovells.

“Part of international trade is processing, exchanging and sharing personal data. So this case, which talks about whether that’s lawful or not, is absolutely crucial”
Eleonor Duhs, Fieldfisher

Eleonor Duhs, director of the privacy and information law group at law firm Fieldfisher, said the case could have implications for international trade.

“Part of our way of doing international trade is about processing, exchanging and sharing personal data,” she said. “So this case, which talks about whether that’s lawful or not, is absolutely crucial. And the question is, can that continue?”

According to the Business Software Alliance, one of the parties in the case, as of October 2019 more than 5,000 companies across the US relied on Privacy Shield. Over 100,000 companies use SCCs to share data with the US and other countries.

Advocate General: Ireland’s Data Protection Commissioner should take action

The European Court of Justice normally – but not always – follows the opinion of the Advocate General.

In December 2019, the Advocate General, Henrik Saugmandsgaard Øe, issued a preliminary opinion that found standard contractual clauses were lawful.

He argued that responsibility for SCCs should fall into the hands of national data protection supervisors – in this case the Irish Data Protection Commissioner – to suspend data transfers if they fail to meet EU law.

Although Saugmandsgaard Øe found that the European Court of Justice did not need to make a decision on Privacy Shield, he did raise serious questions about its legality.

“I have doubts about the validity of the finding that the US guarantees, in the context of their intelligence services…an adequate level of protection,” he said.

It is far from certain, however, that the European Court of Justice will follow Saugmandsgaard Øe’s recommendations.

According to people familiar with the proceedings, in contrast to Saugmandsgaard Øe, the judge presiding over the case appeared to take the view that the court could not rule on standard contractual clauses without also ruling on the validity of Privacy Shield. 

There are a range of scenarios that the court could consider, ranging, at the most extreme, from invalidating SCCs or Privacy Shield, or both.

The court could also choose to keep SCCs as they are, but give companies more responsibility for ensuring they comply with EU data protection law.

And it may argue that the Irish Data Protection Commissioner, Helen Dixon, already has the powers she needs to annul individual SCC agreements, such as the agreement between Facebook Ireland and Facebook Inc in the US.

Scenario 1: Court invalidates SCCs

For businesses, the worst-case scenario would be a decision by the court to declare standard contractual clauses invalid.

“That would be huge,” said Fieldfisher’s Duhs, “because that’s the most usual mechanism used to transfer data.”

Research by the International Association of Privacy Professionals shows that around 88% of international transfers rely on SCCs.

“If the court says SCCs are not lawful, that is really, really significant and really worrying,” she said.

Scenario 2: Court invalidates Privacy Shield

It is possible, though less likely, that the court may decide to invalidate Privacy Shield.

Facebook introduced legal arguments about Privacy Shield late into the case, arguing that if US surveillance law is not a bar for Privacy Shield, then it should not be a barrier for SCCs.

Nevertheless, there is precedent here. Back in 2015, the Court of Justice ruled that Privacy Shield’s predecessor, Safe Harbour, was invalid.

Then the court found that Safe Harbour was unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe, and therefore did not provide an adequate level of data protection. 

Scenario 3: Court delays decision on Privacy Shield

One likely outcome is that the ECJ will wait for another case before deciding on the future of Privacy Shield.

That case may not be long in coming. Privacy Shield faces a separate legal challenge from the French online privacy and anti-censorship group La Quadrature Du Net (LQDN) and others, in the General Court of the EU, a lower court than the Court of Justice.

They argue that Privacy Shield breaches the fundamental rights to privacy under the Charter of Fundamental Rights of the European Union, that Privacy Shield fails to assure European citizens effective remedies against misuse of their data in the US, and that it does not offer equivalent protection to EU data laws.

The EU and the US have held intensive discussions on the future of Privacy Shield, anticipating that even if it is not invalidated, this time around, it may come in for criticism from the ECJ.

Scenario 4: Court puts onus on companies to police SCCs

Another scenario is that the European Court of Justice follows the Advocate General by allowing SCCs to remain valid.

But it will put the onus on companies to ensure that when they exchange data with the US, they are doing so in compliance with EU law.

That could mean requiring US companies to disclose transparency reports about their disclosure of data to US intelligence services, and it could require them to oppose national security requests for data that conflict with EU law.

“You would need to top up SCCs with a contract that provides greater transparency. You can have a contract that says if you have disclosure, make sure they comply with law, require a court order, only respond in a minimal way,” said Hogan Lovells’ Ustaran.

Scenario 5: Data protection commissioners will police SCCs

The court may, however, choose to reinforce the role that data protection commissioners already have in policing the adequacy of standard contractual clauses.

This is an option that the Irish data protection commissioner, Helen Dixon, rejected in the dispute between Schrems and Facebook.

“As a result of not [suspending Facebook’s data sharing with the US], there’s been four years of data flows that shouldn’t have taken place between Facebook Ireland and Facebook Inc for 250 million or 300 million Facebook users”
Gerard Rudden, Ahern Rudden

Dixon argued that if she took action in Ireland, that risked creating a lack of harmonisation across the EU. She referred the matter to the European Court of Justice for clarity.

Gerard Rudden, partner at Ahern Rudden, who represents Schrems, regards a decision by the European Court of Justice to require Ireland’s data protection commissioner to suspend data flows from Facebook to the US as the best outcome for his client.

“That is what we have sought and that is what the Advocate General has recommended to the court,” he said.

The data protection commissioner could have suspended Facebook’s data sharing with the US four years ago, without a diversion to the ECJ. 

“As a result of not doing this, there’s been four years of data flows that shouldn’t have taken place between Facebook Ireland and Facebook Inc for 250 million or 300 million Facebook users,” said Rudden.

“What we say is that it’s unnecessary for Facebook to transfer all of this data to the US. It might be necessary for them for their structural reasons and for their profitability. But it’s not actually strictly necessary,” he said.

Schrems: Impact of decision could be limited

Schrems argues that the potential impact of a court ruling that makes data transfers to the US more difficult has been exaggerated by companies and lobby groups.

If the case goes the way of the Advocate General’s opinion, and puts the onus on data protection authorities to suspend data sharing with the US, the majority of organisations sharing data with the US will not be affected.

The companies that will be affected are “electronic service providers”, including Facebook, that have legal obligations to share personal data with the US National Security Agency, and other US government organisations.

“SCCs can still be used in certain industry sectors in the US. For example, defence, airlines, hotels, manufacturing, logistics – all of that does not fall under these US surveillance laws. So there is no reason to stop the data transfer here,” he said.  

Other companies may decide simply to store their data in Europe. “That’s often cheaper for companies because there’s just less compliance cost. You don’t need lawyers, you don’t need paperwork, you can just get a server more or less overnight.”

Data transfers will not dry up immediately

Whatever the decision, data transfers between the EU and the US or the EU and other countries will not stop overnight. “I think there would have to be a grace period,” said Duhs.

“I can’t see them enforcing straightaway against companies. I think data transfers are part of international trade and that needs to keep going, particularly in the current crisis where we’ve all had so much strain on resources. I think, you know, suddenly stopping all data flows would be a huge barrier for trade,” she said. 

“The world is not going to stop, but regulators will encourage businesses to find other mechanisms to transfer their data,” said Ustaran.  

“Businesses will be under pressure to justify to their compliance teams, their auditors, that their operations are lawful. They will need to come up with ways to mitigate the privacy of their data when they transfer data overseas.”

The European Commission is developing new standard contractual clauses and is likely to accelerate that work if the court finds problems with the existing SCCs.

Nevertheless, the transition period may be difficult for companies, said Duhs, and will inevitably take up time and resources. “At a time when businesses are struggling with resource anyways, this would be very unwelcome, I think, and problematic.”

Implications for Brexit

The European court’s decision may also have implications for the UK after Brexit. Data transfers from the UK to the EU will be unaffected until 2024.

The big question is whether the EU concludes that the UK offers EU citizens adequate protection for their data, under the UK’s surveillance law, the Investigatory Powers Act.

If not, companies will need to rely on standard contractual clauses to transfer data from the EU to the UK. “We won’t yet know what the outcome of these negotiations will be,” said Duhs.

Max Schrems’ battle with the EU and the US

26 July 2000: The European Commission makes a decision to allow data transfers between the EU and the US between organisations that self-certify as being compliant under Safe Harbour. European regulators have the right to suspend data transfers if the principles of Safe Harbour are breached.

2008: Austrian lawyer Max Schrems starts using Facebook.

1 December 2009: The EU Charter of Fundamental Human Rights is given legal status. Article 7 provides for the respect for private and family life. Article 8 requires the protection of personal data.

January 2013: Facebook’s chief operating officer, Sheryl Sandberg, lobbies world leaders in a series of one-on-one meetings to water down proposals for the law that ultimately became the General Data Protection Regulation (GDPR).

May 2013: Edward Snowden reveals the interception and surveillance of telecommunications and internet by the US National Security Agency (NSA) on a massive global scale.

6 June 2013: The Washington Post reveals the existence of the Prism program which enables the NSA to collect personal data, including emails, photographs and videos, from internet providers, including Microsoft, Google and Facebook.

25 June 2013: Max Schrems makes a formal complaint to the Irish Data Protection Commission against Facebook Ireland. He cites probable cause that Facebook is breaking the Irish Data Protection Act and the European Data Protection Directive by providing “mass access” to data on European citizens to the NSA.

25 July 2013: The Data Protection Commission Ireland rejects Schrems’ complaint, arguing it is frivolous and vexatious.

31 July 2013: The Guardian newspaper reports the existence of a top secret NSA program, X Keyscore, that enables it to collect nearly everything an internet user does online.

18 June 2014: In the Irish High Court, judge Desmond Hogan asks the European Court of Justice to determine whether the Irish Data Protection Commission is bound by the Safe Harbour Agreement. The judgment found that the US routinely accesses personal data on a “mass and undifferentiated basis”.

25 March 2015: The European Court of Justice begins considering the privacy case brought by Max Schrems. The case has implications for the legality of Safe Harbour, which permits data transfers between the EU and the US.

6 October 2015: The Court of Justice rules that the Safe Harbour agreement that allowed EU-US data transfers is invalid, following Schrems’ complaint.

20 November 2015: Facebook Ireland signs an agreement with Facebook Inc to transfer data on Facebook’s European customers to the US using standard contractual clauses (SCCs), as an alternative to Privacy Shield.

1 December 2015: Schrems files an updated complaint with the Irish DPC. He asks the Irish data protection commissioner to make a ruling prohibiting transfers of data between Facebook Ireland and Facebook Inc in the US on the grounds that Facebook Inc is illegally making his data available to US intelligence through the Prism collection program.

2016: The Irish Data Protection Commissioner files a law suit against Schrems and Facebook in the Irish High Court to refer further questions to the European Court of Justice.

28 June 2016: The US Department of Justice argues that the legal case brought by the Irish Data Protection Commission against Facebook and Max Schrems raises issues of national security.

8 July 2016: Facebook and Irish business claim in court that a legal challenge to SCCs could cut 1% from Europe’s GDP if it succeeds.

19 July 2016: In an unusual move, the Irish Court joins the US government to the case. The European Privacy Information Centre, a non-government organisation, the Business Software Alliance and Digital Europe are also joined to the case.

26 July 2016: The Irish High Court agrees a date for a three-week hearing into the legality of data transfers between the EU and the US.

7 February 2017: The Data Protection Commission Ireland begins legal action in the commercial court in Dublin against Facebook and Schrems. Helen Dixon argues that the court should require the European Court of Justice to decide if transatlantic data transfer channels breach privacy rights of EU citizens. The US government argues that the case could have sweeping commercial ramifications.

3 October 2017: The Irish High Court decides to ask the ECJ to rule over the validity of data transfers between the EU and the US. The court’s ruling over the safeguards to protect EU data against collection by the US NSA under its Prism and Upstream programs.

11 October 2017: Lawyers for the US government argue that it is “critically important” that its views are heard when a Dublin court raises questions over the legality of data transfers between the EU and the US with the ECJ.

January 2018: Justice Caroline Costello announces that the court will take its time to formulate questions to put to the ECJ, following four days of legal argument. Facebook makes an application to correct “certain factual errors” made in an earlier ruling in October 2017.

2 May 2018: Facebook fails a belated attempt to delay Dublin’s High Court by referring key questions that could decide the lawfulness of data transfers between Europe and the US to the European Union’s Court of Justice.

12 April 2018: The Irish High Court proposes 11 questions for determination by the European Court of Justice that will test whether companies can legally transfer data to the US in the light of disclosures by Edward Snowden that the US is engaged in large-scale surveillance of EU citizens.

9 May 2018: The Irish High Court refers 11 questions over the validity of SCCs and Privacy Shield to the ECJ.

1 November 2018: Facebook makes an unprecedented appeal to the Irish Supreme Court in an attempt to halt the Irish High Court referring questions over the validity of EU-US data transfer agreements to the European Court of Justice.

21-23 January 2019: The Supreme Court in Dublin hears a three-day appeal from Facebook against a decision by the Irish High Court to refer 11 questions about the legality of data transfers between Europe and the US to the ECJ, in which the US government gives evidence. The Irish Data Protection Commission argues that Facebook is attempting to head off an adverse finding by the European court that SCCs are illegal.

12 December 2019: The Advocate General Henrik Saugmandsgaard Øe finds in a primary opinion that standard contractual clauses are lawful, but raises questions over the impact of US surveillance on the legality of Privacy Shield.

Read more on Managing IT and business issues