Max Schrems has won his case, leading to EU-US Privacy Shield being declared as invalid by the Court of Justice of the EU. However, standard contractual clauses remain acceptable, as long as the companies involved can prove they have undertaken a review of the adequacy of data privacy in any third-party country. The US privacy regime does not meet the criteria for respecting fundamental rights under the "EU Charter of Fundamental Rights."
In short this means businesses need to assess the adequacy of their data processing arrangements in the US. With the Privacy Shield set aside, the US is back to being in the position where its privacy regime is not "adequate" in the eyes of the EU.
What does this mean in real terms? From a user perspective, there should be no immediate impact, but there will be a greater move to require companies' use and processing of data clearer. Interestingly, a more open approach - based on open data and the role of open source - may be in order and the only way to ensure this.
We may see companies immediately suspending data flows to the US to avoid large fines or, as Schrems was calling for in his blog this morning, the local DPA's making orders to stop these activities. That is critical as the CJEU makes recommendations that will require local action to implement. Questions on the local DPA's ability and resourcing to do this are already being raised.
The history of these data privacy challenges
Schrems, who is the founder of the privacy enforcement platform None of your Business, brought this action as an individual whilst conducting a campaign against Big Tech's collection and use of personal data. He started this action as a law student with a subject access request to Facebook in 2011, ironically prompted by a lecture by a Facebook staff member on data privacy and his perception of the lack of understanding around European laws.
In 2013, Schrems challenged the "Safe Harbor" arrangements which were utilised for years by organisations across Europe to facilitate trans-Atlantic flow of personal data via the Irish Data Protection Commissioner. Safe Harbor provisions allowed this to take place as long as "adequate protection'" was put in place. It was not lawful to transfer data outside the EU to any country that did not have adequate protection enshrined in its law that was rated as equivalent to that required in Europe.
Safe Harbor was therefore the sticking plaster process for this and meant that any arrangement with a Cloud Provider or a Software-as-a-Service provider could work on a trans-Atlantic basis despite divergence between European and US privacy regimes.
As an in-house lawyer at the time when this was brought in, adding Safe Harbor to commercial agreements involving customer data was standard practice for many years prior to the first Schrems decision. However, when the Court of Justice of the European Union (CJEU) ruled in his favour in 2015 to confirm that this was not adequate, it not only rocked the status quo but created a huge workload for business requiring new processes and amendment of all their existing commercial arrangements involving any personal data. For some businesses this was almost every agreement that they had.
The CJEU's decision then was based on a number of reasons including that the scheme allowed for government interference in the protections of individuals' data privacy. The EU had added a Charter of Fundamental Rights to its Data Protection Directive, while governmental activities in the US with respect to data access and monitoring had been perceived as becoming more invasive.
Almost a decade after his campaign against Facebook's use of his personal data began, in what is becoming known as Schrems 2.0, we have seen Schrems back in court in front of the CJEU challenging the key data transfer mechanisms that organisations have used to replace Safe Harbor. These are called "Model Clauses" or "Standard Contractual Clauses".
These have replaced Safe Harbor in commercial agreements, allowing organisations to adopt processes to facilitate the international transfer of customer data to the US and other states deemed not to have adequate data privacy regimes. In reality, they are sticking plasters 2.0, with the effect of allowing personal data to be stored internationally by synthesising an equivalent environment or standard of data privacy in the recipient state or country.
Austrian Schrems argued in this second case brought via the Irish Data Protection Commissioner and the Hamburg and Belgian Data Protection Authorities that the Privacy Shield was inadequate. Further, he argued that Standard Contractual Clauses are not adequate protection on the basis that Facebook participates in surveillance actives in the US, such as its alleged involvement in the NSA's PRISM mass surveillance activities, which is incompatible with the EU Charter on Fundamental Rights. His reasoning is that this provides loop-holes in the Model Clauses that allow mass surveillance on EU citizens.
The IDPC referred the case to the Irish High Court which in turn referred it to the CJEU whose 16 July decision. Today's decision makes it clear that Standard Contractual Clauses are acceptable, but they have to be backed up with specific facts and proof that due diligence has been carried out to assess the adequacy of the privacy and surveillance regime in the countries where the data will be processed. In the case of the US, with the setting aside of the Privacy Shield, this will be an uphill battle.
This will make the role of the data protection and data privacy team at any organisation involved in cross-border transfers of data even more important than GDPR has. They will have to prove that their organisations have taken this process seriously.
Why open approaches will matter more in future
Schrems comes at a time when international relationships on a political level are impacting technology in a profound way, the consequences of which are yet to be fully understood.
We increasingly see a focus on Digital Sovereignty across Government, and data privacy is one key aspect of this.
Digital Sovereignty is in large part a consequence of world events. At a time when global collaboration is increasing, in parallel, in a Pandemic world, we are looking locally. Governments increasingly want to re-focus their relationships with technology and with technology providers in the local domain.
There are two competing goals here, with one goal focused on protecting citizens and supporting data privacy with localisation initiatives, at least in part in reaction to the reach that Big Tech firms have and in part as a consequence of activities and restrictions of other governments. On the other hand, governments see the value of data to businesses in their countries and to their own national policy goals.
Inevitably this conflict can lead to concerns in balancing the rights of individuals, of government organisations and of private businesses around data. To solve this, every individual and business has to be able to see what requirements and privacy restrictions exist and how they are applied in a consistent manner.
This creates an ideal opportunity for open source and open data approaches. Not only does this combination increase transparency to promote an individual's privacy rights, but in a platform economy the infrastructure on which almost all global cloud and platform services are built has open source software within their infrastructure.
An open source infrastructure not only allows inexpensive services to be provided to us currently, services that we have become used to in our personal and business lives but also for those services to be swiftly, simply and potentially interoperably replicated at a local level. By making data rights and uses more easily understood, the playing field is not only level, but also fair. This open approach can help companies use data to benefit them and their customers, but also ensure that all citizens have their rights respected, wherever they happen to be.
The decision today provides guidance on how the legal side of data privacy will be understood in Europe for the foreseeable future. Local implementation will now follow and it will be interesting to see where this leaves a post-Brexit UK.
With industry having made a significant commitment to GDPR, businesses will not want to see a massively different regime in place. Of course, any proposed differences in approach with the US would likely have a knock-on effect on the processing of EU data in the UK. It is likely this will create significant additional costs to UK businesses as well as the inevitable pushback this would bring from privacy groups. The inevitability of an open approach is therefore even greater.
Amanda Brock is CEO of OpenUK
Schrems 'pretty much done with waiting' for a resolution to the Facebook privacy case after seven years and five court cases
We need a single digital identity to authenticate us at work, prove who we are to our energy company, and let us log in seamlessly to our favourite news site
The government skipped essential data privacy impact assessments in its rush to get the system up and running
Why companies don't need to turn to surveillance technologies to push for remote-working productivity
There are ways to promote collaboration without having to resort to micromanaging or using intrusive surveillance tools
'We are taking this very seriously,' Pompeo says