The Court of Justice of the European Union hearing in case 311/18, also known as "Schrems II," stretched arguments to the limit Tuesday.
In a mammoth eight-hour session, the court heard from the Irish Data Protection Commissioner, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the U.S. government as well as several EU countries and representatives of Max Schrems himself.
Following a complaint to the Irish DPC by Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. more than five years ago — and after years of to-ing, fro-ing and appeals – the DPC’s questions are finally being assessed by Europe’s top court.
According to the court, the central question is whether “EU law applies to the transfer of personal data by a private company from an EU member state to a private company in a third country for commercial purposes, and may be further processed in the third country by its authorities for purposes of national security and of law enforcement.”
In simpler terms, the question is whether U.S. law on the access of national security agencies to the personal data of non nationals, the Foreign Intelligence Service Act, breaks European data protection laws. And if so, does that invalidate currently legal data transfer mechanisms?
Schrems argues that, as per the Edward Snowden revelations, U.S. national security services have unfettered access to Europeans’ data in breach of European law.
His lawyer, Eoin McCullough, told the court: “When data is transferred to Facebook in the U.S., this high level of protection is undermined by certain U.S. laws, and that is true of any transfer mechanisms, whether standard contractual clauses, Privacy Shield or other any other contractual arrangement. U.S. law requires Facebook to assist the U.S. in surveillance of non-U.S. persons.”
The looming question here is, in the case, does the Irish DPC need to consider simply standard contractual clauses — the data transfer mechanism being challenged by Schrems here — or SCCs alongside other data protection frameworks, such as Privacy Shield? Should the DPC take a holistic approach, or should each mechanism stand or fall on its own? This is key, since if both mechanisms were ruled invalid, it would place businesses in a hugely difficult position.
"The hearing today has more at stake than the first Schrems/EU-US Safe Harbor case because this time around it may impact international data transfers not only from the EU to the U.S., but from the EU to the entire world where standard contractual clauses are relied upon," said Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum. "At the same time, the successor of the Safe Harbor, the EU-US Privacy Shield, is also on the table. This explains why the picture of parties and interveners is also significantly more complex, including not only EU institutions and member state governments, but also industry associations and the U.S. government."
Unusually, Schrems is aligned with Facebook on the issue of whether SCCs and Privacy Shield should be grouped together in a potential invalidation case, asserting that the DPC could have long ago dealt with the issue directly related to SCCs without referring the question to the European court.
“The Irish Data Protection Commission caused this whole circus for three years, when they can totally solve the issue themselves,” said Schrems via Twitter. “It’s interesting that both industry [and] lobby groups see the same 'solution' to the problem as we do. It’s not often that, as a consumer, you agree with the industry more than with the regulator,” he added.
Facebook, along with the two trade organizations represented at the hearing, fear the fallout if the Privacy Shield arrangement were to be struck down.
In what Schrems described as “end of the internet drama,” Facebook lawyer Paul Gallagher told the court that if SCCs were invalidated, “the effect on trade would be immense.” He also submitted that not all U.S. companies are covered by FISA — which would allow them to share personal data with law enforcement agencies — and there was no evidence that Facebook, in particular, unduly handed data over to national security agencies.
Both the Irish government and the European Commission seemed to oppose the DPC’s decision to refer the question upwards to the high court.
The Commission argued that if a country has weak legislation in place, it can prevent the EU from adopting adequacy decisions — like Privacy Shield — but it doesn’t necessarily apply also to SCCs. The CJEU found the Commission wrong in approving adequacy for Privacy Shield’s predecessor Safe Harbor in 2015 and would not welcome a similar fate for Privacy Shield.
Simon McGarr, of McGarr Solicitors in Ireland, said: “It’s clear that the EU Commission is not thrilled to have been put in the position the DPC’s application would require of it. For the Commission, it would have been preferable if the DPC would have taken action on a piecemeal, case-by-case basis on specific data transfers. Nonetheless, the DPC’s application followed on the CJEU imposing a duty to act in the earlier Schrems case law. It remains to be seen in the court’s judgement whether the Commission, or the DPC’s interpretation of the extent of that duty, is accepted by the court.”
As for predictions as to what the court will find? It's hard to say, according to Zanfir-Fortuna.
"As for the standard contractual clauses part, it is possible the court will only uphold the data protection authority's powers to suspend a transfer to a certain jurisdiction based on a case-by-case analysis, rather than invalidating the entire mechanism, given that standard contractual clauses are linking EU-based controllers and processors to controllers and processors in virtually all jurisdictions in the world, and it's difficult to envision a general finding that would deem all possible uses of the SCCs being in collision with the EU fundamental rights framework."
Eduardo Ustaran, partner at Hogan Lovells, also raised the possibility that the court might ”uphold the validity of SCC for transfers of data to the U.S., because of the U.S. government commitments, but render them invalid in the absence of similar commitments in other jurisdictions. So essentially SCCs would become okay for transfers to the U.S. but not okay for transfers to, say, Russia or China.”
"If the DPC loses," said Daragh O' Brien of Castlebridge, "the DPC goes back to Dublin and has the authority to what she wants to SCCs without asking for permission.”
The EU court’s Advocate General Henrik Saugmandsgaard Øe said he will give his non-binding opinion in the case December 12 this year, with a full decision expected by early 2020.
Photo by Christian Wiediger on Unsplash