What is at stake in the Schrems 1.0 and 2.0 cases?
The Schrems 2.0 case which – just this April – gained impetus, concerns, first and foremost, an assessment of the compatibility with EU law of data privacy standard contractual clauses adopted by the European Commission in several decisions. In practice, these clauses are the most widely used data transfer instrument, allowing businesses to transfer personal data relatively freely from the European Economic Area to third countries, at the same time ensuring the necessary protection for the main stakeholders – EU citizens.
The case itself is a continuation of the high-profile case initiated by Maximilian Schrems, which in autumn 2015 led to the “sinking” of the Safe Harbor programme, which allowed data to be transferred to US companies (Schrems 1.0). It was the result of the 2013 revelations of Edward Snowden, who exposed the practices of American special services related to accessing the data of Europeans processed by American technology giants such as Google or Facebook.
Questions about Commission decisions and more
Among the prejudicial questions referred to the Court of Justice of the European Union by the Irish High Court in the context of the Schrems 2.0 case, question 11 – the last of a long list – concerns the compatibility with the EU Charter of Fundamental Rights of three Commission decisions currently in force that introduce standard contractual clauses: two of which refer to transfers between data controllers and one to transfers of data to a processor in a third country. On the basis of the clauses annexed to the last of these decisions (Commission Decision 2010/87/EU) personal data are currently transferred from Facebook Ireland (the data controller for social network users in the EU) to the US company Facebook, Inc. (data processor from a third country, i.e. the USA).
Other questions concern related issues of equal importance to the EU data transfer regulation. For example, question 1 focuses on the application of EU law in this complex factual and legal situation: on the one hand, it is clear that the transfer operations between Facebook Ireland and Facebook, Inc. are of a commercial nature (thus falling under the provisions of EU Treaties and Directive 95/46 and now under the GDPR); on the other hand, the data transferred in this way to the US may be used by third country public authorities for national security purposes, such as combatting terrorism, and this does not fall within the scope of EU law, including Directive 95/46 and the GDPR.
Several questions focus on the compliance of US law (the solutions it provides) with the Charter of Fundamental Rights, including its Articles 47 and 52. When formulating the questions, the Irish Court included a question on the compatibility with EU law of the Privacy Shield programme, which replaced Safe Harbor. This happened despite the fact that Facebook does not use this transfer instrument in this context. Maximilian Schrems himself did not raise this issue in his complaint either. However, this could have very significant practical consequences: the risk of invalidating the Privacy Shield is becoming ever more real, taking into account the criticism recently levelled out in its name by the European Parliament.
The question of the “foundations” of the EU transfer regulation
Against this background, question 7 seems to be the most difficult, and the possible impact of the European Court’s answer the most far-reaching. It is worth quoting it in its entirety:
“Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive [95/46/EC]?”
Although the question refers to an EU Directive from 1995, which is no longer in force, the answer to this question will also have an impact on the approach to the solutions adopted in the GDPR. Article 46 of the GDPR also provides for the possibility of data transfers based on “appropriate safeguards”, including model clauses, which are referred to in the GDPR as “standard data protection clauses”.
Moreover, while the other questions, in particular Question 11, concern specific Commission decisions which, even assuming that they are annulled by the Court, can be “improved” in some way, for example by adopting a further package of such decisions, which already meets the Court’s expectations, the importance of answering Question 7 may be much more important. This question is not so much about specific Commission decisions as about the model clauses themselves.
The question, like a magnifying glass, focuses on a specific conflict – which we must deal with in the context of regulations concerning international data transfers – between, on the one hand, the so-called territorial approach and, on the other hand, the so-called organisational approach. The first assumes the admissibility of transferring data outside the secure area where they can be processed (i.e. outside the EEA), provided that in the target country solutions are in place to protect personal data at the appropriate level (i.e. dedicated regulations, including rules regulating public authorities’ access to and use of data). The second approach focuses on specific instruments binding exporters and importers of data (organisations, hence the name), which include data transfer agreements, including those based on model solutions. These, by their very nature, are not binding on entities which are not parties to an agreement (e.g. parties to a transfer agreement), and in particular they do not refer to public authorities in third countries.
If model clauses were to be considered as providing “appropriate safeguards” only if they were also binding on third country public authorities, it may undermine their design and, moreover, may significantly weaken the organisational approach and even other relevant transfer instruments, such as binding corporate rules and codes of conduct. Thus, it is crucial for privacy professionals to closely follow the development of the Schrems 2.0 case and to start analysing what legal basis for international data transfers companies, especially multinational corporations, have in place.