Professor Paul Schwartz and I recently edited the Schrems II decision for our Information Privacy Law casebook. Schrems II is short for Facebook Ireland Ltd. v. Maximillian Schrems — the second challenge by Maximillian Schrems to the transfer of data between the EU and US. In Schrems I, the European Court of Justice (CJEU) invalidated the Safe Harbor Arrangement, which was a special arrangement to transfer personal data from the EU to the US. Schrems II invalidated Privacy Shield and put other data transfer mechanisms into significant doubt. Editing the opinion was truly a challenging task, as the court’s prose is incredibly formal, wordy, and dry. After whittling it down to a few pages, I think I understand it a lot better, and I have the following reflections on the opinion as well as where we go from here.
Privacy Shield is dead and the Standard Contractual Clauses (SCC) are in a coma on life support.
The headline from the CJEU’s decision was that Privacy Shield was invalid as a means to transfer personal data to the U.S. but the Standard Contractual Clauses (SCC) survived. US companies initially breathed a big sigh of relief, but then they began to have the dark, disturbing realization that the impact of the decision was far more dire. A close look at the decision reveals that the SCC don’t really survive, at least not for the US. As I note below, the logic of the decision also indicates that BCRs are in the same position as the SCC. The result is that all of the mechanisms to transfer data from the EU to the US won’t work.
US surveillance law has significant problems that need a fix.
The CJEU found that the SCC cannot work as a means to transfer EU personal data to the US without some kind of additional protections against US government surveillance. The CJEU’s problem isn’t that the US engages in a lot of surveillance. Instead, the CJEU noted several problems with US surveillance law that will not be easy to fix. As the CJEU explained, the US lacks some key protections and limitations in its law:
(1) US law lacks “effective legal remedies for data subjects.” Schrems II ¶ 128. There isn’t much recourse to a person in the EU whose data is gobbled up by US surveillance agencies. Indeed, even people in the US have difficulties challenging government surveillance because the government can maintain the secrecy of the surveillance and then get people’s constitutional or legal challenges to the surveillance thrown out of court because people can’t prove that they are under surveillance. In Clapper v. Amnesty International, 568 U.S. 398 (2013), the US Supreme Court held that a group of plaintiffs claiming that they were likely under surveillance and had to take expensive measures to avoid that surveillance lacked standing because they could only speculate as to whether they were, in fact, under surveillance.
(2) US law lacks a “principle of proportionality” to ensure that data collection and use by the government only occurs when “necessary” to meet legitimate interests or “to protect the rights and freedoms of others.” Schrems II ¶ 174. Under US law, government surveillance and data collection can occur without much limitation and without much justification of necessity.
(3) US law lacks sufficient controls over use and retention of personal data gathered by the government. The CJEU states that there must be “clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse.” Schrems II ¶ 176.
These are all valid criticisms of US surveillance law. Congress and the courts have failed in their responsibility to provide adequate oversight of government surveillance. The courts have failed to provide people with an adequate means of challenging government surveillance.
The cost of the US having poor surveillance law — and of the overreaching and illegal actions of the NSA and other surveillance agencies in the past — is that other countries don’t trust us. The US has failed to take sufficient steps to fix the problems in its laws.
Complaining about the EU’s standards is not effective.
I’ve heard a lot of complaining about the EU’s standards during the litigation of the case: “But EU countries are just as bad!” some commentators say. “The EU is being hypocritical. They are demanding a higher standard for other countries than for their own.”
These criticisms miss the mark. The things that the CJEU is asking for with US law aren’t outrageous or impossible. I think that the demands made of foreign surveillance law are reasonable. There must be a way for people to raise objections and legal challenges. There must be an important need and justification for the surveillance. And, the surveillance must be controlled by law, with adequate oversight. These are fairly basic things, and unfortunately, US surveillance law flunks. It ought to be fixed. It is bad for our citizens, bad for others, and, because of the CJEU’s opinion, bad for commerce. I wish the US would avoid trying to defend its bad law and actually fix it. Although the Fourth Amendment and standing decisions of the Supreme Court can’t readily be fixed by Congress, the three overall criticisms of the CJEU could readily be addressed via legislation.
Schrems II has worldwide implications.
Based on the CJEU’s criteria for adequate surveillance law, a number of other countries will be in a similar position to the United States. The CJEU is sticking to its principles, which is quite laudable, but it will come at a high cost. Transferring data outside the EU will become very difficult when it comes to quite a number of countries, including some very large economies. There is a big potential economic cost to the EU here.
Having strong consumer privacy laws won’t save the day.
Having strong consumer privacy law protections will not make a country’s law adequate, even if those protections are as strong or stronger than the GDPR. The problems with adequacy also stem from federal surveillance law.
I heard talk that California was hoping to receive its own adequacy determination because of its strong body of consumer privacy laws. But the reasoning in Schrems II suggests that no matter how strong California’s law is, it won’t matter because California can’t stop federal surveillance authorities from gathering data.
BCRs are in the same sinking boat.
Binding corporate rules (BCRs) suffer from the same problems as the Standard Contractual Clauses (SCC), so BCRs are not the solution for data transfer. BCRs will not stop the government from accessing personal data.
Data controllers and recipients of data must stop transfers on their own.
There is a duty for each data controller and recipient of data in each country outside the EU to investigate and guarantee that the recipient country’s law is adequate. If they cannot claim it is adequate based on the standards set forth in Schrems II, then they cannot transfer the data. Thus, companies transferring data about people in the EU to the US (or to other countries) have a duty to stop transferring data on their own. They shouldn’t wait to be stopped by the supervisory authority.
Supervisory authorities have a large role, as each member nation’s supervisory authority must evaluate adequacy.
Each EU member nation’s supervisory authority must determine if a recipient country’s law is adequate. There could be disagreements between different EU nations about whether a particular country’s law is adequate. If so, the issue would be determined by the European Data Protection Board (EDPB).
Each EU member nation’s supervisory authority can examine whether there are “other means” to ensure adequate protection beyond the SCC. At ¶ 111 of Schrems II, the court says: “If a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy.” And at ¶ 113, the court states: “[T]he supervisory authority is required . . . to suspend or prohibit a transfer of personal data to a third country if . . . the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.”
Contractual protections will often not be sufficient to create adequacy.
In the United States, surveillance law often doesn’t respect contract. For example, under the poorly-conceived Third Party Doctrine of Fourth Amendment law, the U.S. Supreme Court has held that people lack a reasonable expectation of privacy in personal data held by third parties, even if those third parties have promised them privacy in a contract. I have never understood why contract can’t create a reasonable expectation of privacy. Last time I checked contract law, contracts are enforceable and are the backbone of modern commerce, and it is reasonable to expect them to be followed. But many Supreme Court justices apparently forgot what they learned during their contracts class in law school. The result of the Third Party Doctrine is that people lack the ability to challenge government access to their data in the hands of third parties under the Fourth Amendment. My thoughts on the Third Party Doctrine are here.
At ¶ 113, the CJEU states that when personal data is transferred between an organization in the EU and one in a third country, the SCC “are not capable of binding the authorities of that third country, since they are not party to the contract.” There must be something more to protect the data from government access, as contract isn’t enough.
There can be “supplementary measures” that ensure an adequate level of protection.
At ¶ 133, the CJEU states: “In so far as those standard data protection clauses cannot . . . provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require . . . the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”
The CJEU, however, doesn’t state what these “supplementary measures” would be. The only thing I can think of is encryption of the data. I am not sure what else will prevent the government from obtaining the data.
Where do we go now? What are the possible options to transfer personal data from the EU to the US?
There are several possible options to transfer personal data now from the EU to the US:
(1) Fix US surveillance law. This would be great, but don’t bet on it.
(2) Negotiate a new Privacy Shield arrangement. The problem is that a new arrangement would have to provide a lot of limitations on government surveillance involving EU personal data, plus a right to pursue remedies in court. I’m not sure that the US will provide much greater protections than it provided in Privacy Shield. Then, there’s the problem of what to call it. We had Safe Harbor, then Privacy Shield, so now what? Privacy safe . . . privacy lock . . . privacy blindfold . . .
(3) Encrypt all personal data from the EU to the US. This might be the main way that organizations transfer data to ensure that the US government can’t snoop into it. But organizations would have to prevent US authorities from obtaining or demanding the encryption keys, and that might be difficult.
(4) Keep EU data in the EU. Organizations could just try to keep the data in the EU, though that might not be practical.
(5) Find an exception to transfer data. The CJEU noted that there may be ways to transfer data. In particular the court noted at ¶ 202:
As to whether it is appropriate to maintain the effects of that decision for the purposes of avoiding the creation of a legal vacuum, the Court notes that, in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.
Article 49 of the GDPR specifies “derogations for specific situations” to transfer data from the EU to third countries. This provision lists several ways data can still be transferred in the absence of an adequacy decision or in the absence of appropriate safeguards. These exceptions include the explicit consent of the data subject, and transfers that are necessary for the performance of a contract between the data subject and the controller, necessary for important reasons of public interest, necessary for legal claims, or necessary to protect the vital interests of the data subject or of other persons, among other things.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.