With the release of the Irish High Court’s decision to refer questions on the adequacy of standard contractual clauses to the Court of Justice of the European Union, there is a new “Schrems Case” back in the spotlight. Commonly referred to as Schrems 2.0, this case’s complex background is worth exploring due to its potential to jeopardize continued trans-Atlantic data flows from the European Union to the United States.
Schrems 2.0 is the continuation of a complaint brought against Facebook Ireland Ltd. by Austrian citizen Maximilian Schrems before the Irish Data Protection Commissioner. He originally alleged that Facebook Ireland’s data sharing agreement with Facebook, Inc., its American parent, violated Schrems’ rights under the Charter of Fundamental Rights of the European Union because of Facebook Inc.’s cooperation with the United States’ intelligence agencies.
As the name “Schrems 2.0” suggests, this is not the first time the case has climbed Europe’s judicial ladder. Schrems’ suit has already brought one set of questions to the CJEU — Schrems 1.0 — which resulted in the court declaring the Safe Harbor trans-Atlantic data transfer agreement invalid for failing to adequately protect the rights of EU citizens.
Recap: Max Schrems & Schrems 1.0
Schrems is an Austrian attorney and privacy advocate. In 2013, Schrems was distressed by the cooperation between the U.S. private sector and intelligence services revealed by former NSA contractor Edward Snowden. He was particularly perturbed by the relationship between social networking giant Facebook and the National Security Agency as it pertained to the company’s willingness to disclose EU citizens’ personal information.
Schrems filed a complaint with the Irish Data Protection Commissioner against Facebook Ireland, Ltd., alleging that the company’s transfer of Europeans’ personal data to parent Facebook, Inc. violated EU citizens’ rights under the Charter of Fundamental Rights of the European Union due to Facebook, Inc.’s participation in the surveillance activities of the United States. Schrems took particular issue with the PRISM and UPSTREAM mass surveillance programs, alleging that these programs’ existence invalidated a 2000 decision by the European Commission deeming the United States’ privacy protections “adequate.” The adequacy finding was required under the 1995 European Data Protection Directive because the Directive prohibits the transfer of personal data to a third country “which does not ensure an adequate level of protection.”
Schrems’ complaint was initially dismissed by the Irish regulator on grounds of frivolity; but Schrems appealed the regulator’s refusal to entertain his complaint to the Irish High Court.
In 2014, the Irish High Court certified two important questions to the Court of Justice of the European Union: first, whether national supervisory authorities were still permitted to examine US-EU data transfers after the European Commission’s 2000 decision, and second, whether the Safe Harbor framework violated the rights guaranteed to EU citizens under Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union. The CJEU determined a European Commission decision finding that a non-EU country’s level of protection met the standard of “adequacy” required by the European Data Protection Directive neither “eliminated or even reduce[d] the powers available to national supervisory authorities” pursuant to the Charter of Fundamental Rights and the Directive. On that point, however, the CJEU stressed that while national authorities retained the ability to examine EU decisions, the CJEU alone retained the authority to declare an EU act (such as a Commission decision) invalid. If a national authority considered a Commission decision invalid, the authority would need to “bring proceedings before the national courts so that [the courts might] refer the case to the Court of Justice.”
On the second question, Schrems’ original complaint alleged that the Safe Harbor framework was fundamentally incompatible with Articles 7, 8, and 47 of the Charter on Fundamental Rights of the European Union. Article 7 provides that “everyone has the right to respect for his or her private and family life, home and communications.” Article 8 states “everyone has the right to the protection of personal data concerning him or her,” and mandates that such data must be “processed fairly for specified purposes and on the basis of the person concerned or some other legitimate basis laid down by law.” According to Article 7, “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” Article 8 further authorizes enforcement of the rules via independent authority.
Article 47 guarantees a “right to an effective remedy before a tribunal” to “[e]veryone whose rights and freedoms [are] guaranteed by the law of the Union.” It also requires a “fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law.”
In its decision invalidating the Safe Harbor framework, the Schrems 1.0 Court agreed with Schrems’ assessment — specifically holding that “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Directive] read in light of the Charter” was required to meet the adequacy standard of the Data Protection Directive. Declaring the 2000 “adequacy” decision of the Commission invalid, the Court specifically cited “legislation permitting public authorities to have access on a generalized basis to the content of electronic communications” as incompatible with Article 7, and “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data” as violating the judicial protection guarantee of Article 47.
Launching “Schrems 2.0”
As a result of Schrems 1.0, the Irish High Court reversed the Irish DPC’s decision not to investigate Schrems’ original complaint. Meanwhile, Facebook, Inc. switched to “standard contractual clauses” to transfer EU data to the U.S., to which Schrems responded by updating his complaint with the DPC to include this new transfer mechanism.
In 2016, the DPC issued a draft decision resolving its investigation of Schrems’ revised complaint, finding against the social media giant — and indicating the regulator’s belief that “standard contractual clauses provide insufficient protection to EU Citizens.” Because the clauses are authorized by a decision of the European Commission, however, the DPC alleged it lacked the authority to suspend data transfers on its own, and referred the case to the Irish High Court with the expectation of a subsequent referral to the CJEU.
Prior to referring these questions to the CJEU, the Irish High Court solicited expert testimony in response to the Irish DPC’s draft opinion from Schrems and Facebook, who the DPC had unusually included as named defendants in its submission to the High Court. The testimony, the full text of each party’s submission available here, is worth summarizing as a way of understanding the referral to the CJEU.
Schrems’ Expert
Schrems enlisted U.S.-based attorney Ashley Gorski to provide an expert opinion on United States surveillance law and intelligence practices. Gorski is a staff attorney with the American Civil Liberties Union National Security Project. Her testimony focused first on three United States legal authorities: Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive 28. Gorski alleges that U.S. surveillance activities authorized under FISA EO 12333 include the “bulk” collection of non-U.S. persons’ information, including the information of EU citizens. After discussing those authorities, Gorski examined barriers to individual redress in the United States legal system, and concluded that “U.S. surveillance law is extremely permissive … [f]or the vast majority of individuals subject to Section 702 and EO 12333 surveillance, there has to date been no viable avenue to obtain meaningful redress.”
Gorski specifically noted that the FISA Amendments Act of 2008 changed FISA Section 702 and permitted the United States government to acquire foreign communications without either probable cause or individualized suspicion, including communications between U.S persons and a non-U.S. person abroad, so long as “foreign intelligence” was a “significant purpose” of the collection. Additionally, Gorski noted the United States’ reliance on Section 702 to authorize the PRISM and UPSTREAM programs — PRISM “involves the acquisition of communications content and metadata directly from U.S. companies like Facebook, Google, and Microsoft.” UPSTREAM, in contrast, involves “tapping directly into the Internet backbone inside the United States” to carry out “mass copying and searching of Internet communications flowing into and out of the United States.”
Gorski also discussed EO 12333, the primary authority for the United States’ extraterritorial intelligence gathering. Gorski alleged that programs and intelligence gathering taking place pursuant to EO 12333 are not authorized by any statutes, nor are they subject to judicial or legislative oversight — instead, they are regulated only by the internal policies of the U.S. Executive Branch. Although some policies may limit the ways in which data gathered under EO 12333 is used, there is little question that these policies permit the initial collection of tremendous amounts of data.
Gorski disputed the sufficiency of both the Foreign Intelligence Surveillance Court and the reforms mandated by Presidential Policy Directive 28 in meeting the guarantees of judicial oversight and individual redress required by EU law. According to Gorski’s testimony, while PPD-28 states that “all persons should be treated with dignity and respect” and that “all persons have legitimate privacy interests in the handling of their personal information,” the directive does little to impose “meaningful constraints” on the United States’ collection of information.
On the question of redressability, Gorski focused on the general inability of private individuals to obtain a judicial remedy due to the standing and state secrets doctrines, and she contested the sufficiency of governmental reform efforts such as the creation of the Privacy and Civil Liberties Oversight Board and the Privacy Ombudsperson. Because individuals are not specifically notified that their information has been provided to intelligence agencies, they cannot typically meet the “injury” requirement necessary to bring suit in U.S. courts. The “state secrets” doctrine is a privilege allowing the government to block disclosure of information in a lawsuit where disclosure might harm national security, and Gorski’s testimony alleges that is often invoked to bar the disposition of national security cases.
Considering Gorksi’s testimony before the High Court, it may be instructive to recall the CJEU’s language in Schrems 1.0: “To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference.” In the first decision, the CJEU appeared to explicitly reject the core concept of “standing” as understood in U.S. courts.
Pro-Adequacy Testimony
Facebook, via its legal representatives, enlisted professors Stephen Vladeck of the University of Texas School of Law and Peter Swire of the Georgia Institute of Technology to offer testimony on the adequacy of remedial measures available to EU citizens. Vladek and Swire submitted 398 pages of legal analysis in support of the claim that the U.S. not only has privacy protections that meet the requirements of EU law, but actually exceed the protections offered by many EU member states. Both Vladeck and Swire focused primarily on statutory and administrative constraints within the United States government, including the expanded role of the FISC, the PCLOB, and the Privacy Ombudsperson created within the State Department by the Privacy Shield. Additionally, both took issue with Gorski’s description of the standing and state secrets doctrines’ collective function as an absolute bar to judicial remedy in the post-Snowden environment.
Professors Swire and Vladeck broadly promoted two themes: first, that the internal government restrictions on U.S. intelligence-gathering are more robust than the DPC gives credit for, and second that external remedies to information-gathering exist in the U.S. and are often superior to options available in the EU. Both testimonies provided detailed descriptions of the composition and operation of the FISC in relation to FISA and information collected pursuant to Section 702. Vladeck argued for the sufficiency of the FISA warrant/FISC oversight system as comparably similar to the general warrant requirement in criminal cases. Vladeck also argued that the Privacy Shield, particularly due to the creation of the Privacy Ombudsperson within the State Department, is substantially more robust than the Safe Harbor framework invalidated by the CJEU in 2015.
The High Court also permitted the United States to submit an amicus brief given the sensitive nature of the case and the U.S.’s “significant and bona fide interest in the outcome of [the] proceedings.” The United States reiterated many of the same arguments presented by Vladeck and Swire — that the creation of PPD-28, the adoption of the Privacy Shield (and its creation of the Privacy Ombudsperson) and the various statutory remedies served to provide the “essentially equivalent” protections required by the EU. The U.S. argues that, “the oversight mechanisms described [in its brief] all serve as remedial measures in a broad sense.” The U.S. brief also emphasized that the subject of Schrems’ complaint (the collection of EU citizens’ data from U.S. companies after its transfer to the U.S.) should limit the consideration of the United States’ surveillance authorities as they pertain to intelligence gathered abroad, and made the novel allegation that the DPC decision wrongly conflated the “adequacy” requirement applied to destination countries by Article 25 of the directive with the efficacy of Commission approval of “standard contractual clauses” under Article 26. Finally, the U.S. examined the national intelligence-gathering authorities of EU member states and reiterated Swire’s argument that U.S. law provided E.U. citizens remedies that were, at minimum, equivalent to many EU member states, and superior to some.
The Irish High Court Judge Caroline Costello was apparently not swayed by these adequacy arguments, however, and has decided to refer questions about the EU Commission’s findings on contractual clauses to the CJEU. While the specifics of the referral questions have not yet been published, her decision outlines three basic questions:
- Should the DPC or court conduct its own adequacy analysis of the U.S. system?
- Should the DPC or court analyze remedial options for EU citizens in the U.S.?
- Are whatever limitations on remedy EU citizens face proportionate in the face of preserving others’ rights and freedoms?
Considering IAPP data shows 88 percent of member companies currently use standard contractual clauses to transfer PII from the EU to the U.S., you can be sure all eyes will be on the CJEU and their opinion on these questions.
Irish DPC reacts
The Irish Data Protection Commissioner published this statement following the High Court’s decision:
“The Commissioner welcomes the High Court’s judgment and its decision to refer a number of questions to the CJEU, as requested by the Commissioner.
“The transfer of personal data to the US under the standard contractual clauses mechanism (“SCCs”) raises important issues for the protection of EU citizens’ data protection rights. Now that the High Court has confirmed it shares the Commissioner’s concerns about the protection of those rights in the context of EU/U.S. data transfers, the Commissioner hopes these issues will be addressed by the CJEU as soon as possible to provide certainty for data subjects and controllers alike. In that context, the Commissioner acknowledges that many businesses rely on SCCs to transfer data from the EU to the U.S. It is important to note that today’s decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use for the purpose of data transfers to the US or elsewhere. Rather, it invites the CJEU to consider whether, under EU law, SCCs in their present form can and should be retained as a basis for the transfer of personal data from the EU to the U.S.”