Date: 24 July 2020
Protection for the transfer of personal data from the EU to third countries existed prior to the inception of the GDPR. The timeline below of the ECJ case Data Protection Commissioner v Facebook Ireland & Maximillian Schrems aims to take the reader through the legal background of data transfers between the EU and the US.
Who is Maximillian Schrems?
Maximillian Schrems, also known as Max Schrems, is an Austrian activist and author who became known for campaigns against Facebook for privacy violations, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA).
What was the origin of Mr. Schrems’ complaint to the Irish Data Commissioner?
This entire case before the ECJ was triggered by a university lecture given by Facebook’s lawyer at the university Mr Schrems attended in America. He then decided to write his term paper on Facebook's lack of awareness of European privacy law and requested the personal data Facebook stored on him pursuant to the European right of access to personal data provision. Mr Schrems was astounded to receive a CD containing over 1,200 pages of data on him. He filed a first round of complaints against Facebook with the Data Protection Commissioner (DPC) in Ireland, being the jurisdiction in which Facebook had its European headquarters. Facebook was audited under European laws and had to delete some files and disable its facial recognition software.
What is the EU-US Safe Harbour Agreement?
In 2013, Mr Schrems filed a complaint against Facebook Ireland Ltd with the DPC aiming to prohibit the transfer of data from Ireland to the US. Mr Schrems based his complaint on EU data protection law, which does not allow data transfers to non-EU countries, unless the transferor company can guarantee "adequate protection". The DPC rejected the complaint, saying that it was "frivolous and vexatious" and that there was no case to answer. Mr Schrems pursued the matter to the Irish High Court for judicial review of the DPC’s decision, which was then referred to the ECJ with the High Court Judge noting that European laws on privacy prevailed over Irish laws.
Mr Schrems argued that the EU-US Safe Harbour system, being the principles in place at the time to protect the transfer of personal data between the EU and the US, violated his fundamental rights to privacy, data protection and a fair trial. This argument arose following the revelations of whistleblower Edward Snowden, which called into question the European Commission’s executive decision on the “adequate protection” provided by the EU-US Safe Harbour system.
In 2015, the ECJ declared the EU-US Safe Harbour agreement invalid and held that individual data protection authorities could suspend data transfers to third countries if they violated EU rights.
How did the European Commission deal with EU-US data transfers following the invalidation of the EU-US Safe Harbour Agreement?
Following the invalidation of the EU-US Safe Harbour Agreement, the European Commission proceeded to adopt the EU-US Privacy Shield to accommodate data transfers from the EU to the US.
The new framework laid down the requirement set out by the ECJ following the invalidation of the EU-US Safe Harbour Agreement and aimed to protect the fundamental rights of anyone in the EU whose personal data is transferred to the US.
How did Facebook continue to transfer personal data despite the invalidation of the EU-US Safe Harbour Agreement?
Following the ECJ ruling, Facebook continued to transfer the personal data of its users from Europe to the US by relying on standard contractual clauses (pre-approved contractual agreements), and by doing so it claimed that it incorporated appropriate safeguards for data subjects/users.
On 2 December 2015, Mr Schrems resubmitted his original complaint against Facebook with the DPC. Despite the fact that Facebook did not rely on the Safe Harbour Agreement for its data transfers but rather on standard contractual clauses, as referred to above, the complaint sought to enforce the ECJ’s judgement on Facebook.
In the complaint, Mr. Schrems argued that these standard contractual clauses also incorporate exceptions for cases of illegal mass surveillance, and thus the ECJ ruling applies to these contractual clauses as well. The DPC referred the matter to the ECJ.
The importance of GDPR in the Schrems case
Under the GDPR, data may only be transferred to a “third country” (ie outside the EEA) where, broadly,
there is a European Commission adequacy decision; and/or
there are appropriate safeguards in place, such as standard contractual clauses or binding corporate rules; and/or
the data subject has given their explicit consent.
Immediately following the adoption of GDPR in 2018, Mr Schrems filed complaints in Ireland against Google and Facebook for coercing their users into accepting their data collection policies. On 18 January 2019, Mr Schrems filed further GDPR complaints against Amazon, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify, and YouTube.
On 16 July 2020, the ECJ declared the European Commission’s decision on the adequacy of the EU-US Privacy Shield invalid as, in brief, US national security requirements were still given primacy.
Further, the ECJ ruled that the European Commission’s decision on standard contractual clauses is valid, so these can continue to be used. However, the transferor must ensure that the data subjects are “afforded a level of protection equivalent to that guaranteed within the EU by the GDPR”. In doing so, the ECJ explained that this requires the transferor company to consider the standard contractual clauses it has agreed to as well as the accessibility of such data by the third country’s public authority (for example the NSA) by virtue of its national laws (for example the FISA Amendments Act of 2008 adopted by the US for the collection of internet communication under the PRISM program).