On July 16, 2020 the Court of Justice of the European Union (CJEU), also informally known as the European Court of Justice or the supreme court of the European Union, rendered a judgment of gargantuan proportions in the Schrems II Case concerning the transfer of personal data by the ubiquitous behemoth called Facebook Inc.
The significance of the case filed by one Mr. Maximillian Schrems, an Austrian national, is immediately discernible from the glitzy constellation of the parties, namely, the Governments of the United States, UK, Germany, Ireland, Belgium, The Netherlands, France, Austria, Poland, Portugal, Czech Republic, as well as the European Parliament, European Commission, European Data Protection Commissioner, among others.
Mr. Schrems, a user of the Facebook social network since 2008, filed a complaint with the CJEU requesting, in essence, that Facebook Ireland Limited be prohibited from transferring his personal data to its US parent company, Facebook Inc. on grounds that the law and practices in the US did not ensure adequate protection of his personal data against the surveillance activities of governmental security agencies.
Mr. Schrems claimed that under US law, Facebook Inc. was required to make available the personal data transferred to it by Facebook Ireland to the National Security Agency (NSA) and Federal Bureau of Investigations (FBI). He, therefore, sought orders to prohibit Facebook Ireland from transferring his personal information to the US.
The evidence before the court showed that US law allows NSA to intercept data in transit to the US by accessing underwater cables on the floor of the Atlantic Ocean and to process such data before its arrival in the US. It also requires operators of the internet backbone to allow NSA to copy and filter internet traffic flows in order to acquire communication from, to or about non-US nationals.
In its defence, the US Government argued that there exists a data transfer mechanism between the EU and the US known as the EU-US Privacy Shield Framework which ensures an adequate level of protection of personal data transferred from the EU to organisations in the US. The court, however, found that the principles of the Framework were limited and US authorities could indeed derogate from them and proceed to access personal information on grounds of national security, public interest or domestic legislation.
The US Government also admitted that it did not grant data subjects actionable or enforceable rights against US authorities through US courts.
The evidence also showed that US law did not afford EU citizens a level protection equivalent to that guaranteed by European law. Complaints by data subjects could only be referred to the Privacy Shield Ombudsperson, who, although described as ‘independent’ was found to be an officer in the US State Department appointed by the Secretary of State and to whom he reported. He was, therefore, not a judicial officer capable of issuing binding orders against government intelligence authorities.
Guided by the provisions of the General Data Protection Regulation (GDPR), the CJEU ruled in favour of Mr. Schrems and held that where personal data of EU residents is to be transferred outside the EU, the destination country must have appropriate safeguards, enforceable rights and effective legal remedies which are equivalent to those guaranteed by the GDPR within the EU.
Where it is proved that contractual clauses are not respected or cannot be complied with in the destination country, the national data protection regulator should prohibit the transfer since such clauses are not binding on governmental authorities.
Where the data controller or processor is unable to take adequate additional measures to guarantee protection of the personal data, the regulator is required to suspend or prohibit the transfer of the data to the country concerned.
Where personal data has already been transferred to a country that does not provide equivalent protection to those guaranteed within the EU, the regulator should order such information and all copies of it to be returned and destroyed in their entirety.
Finally, the court held that the data subject must have the possibility of bringing legal action before an independent and impartial court in the destination country for redress of their grievance concerning access, rectification or erasure of their personal information. Therefore, where, like in the US, legislation does not provide for the possibility for an individual to pursue legal remedies for breach of his personal information through an independent and impartial court, transfer of data to such country should be prohibited.
This decision will have far-reaching implications on US multinationals whose subsidiaries collect personal data from clients across the world and instantaneously ship it to the US via automated means.
Since most data protection laws, including the Kenyan Data Protection Act, are modelled on the GDPR principles, the CJEU’s interpretation is likely to be adopted by data protection regulators around the world. This will make it harder for personal information to be transferred outside the country, especially to the US, due to the gaps in the protection mechanisms that have been identified by the court in this case.
Multinationals will have to re-think their model of data sharing and storage and more specifically, where their cloud servers are to be located. Those, like Facebook, which have their cloud storage in the US should expect an avalanche of claims by data subjects, not only from the EU but all countries with GDPR-compliant laws, for unlawful transfer of their personal data to the US.
The decision deals a heavy blow to providers of cloud data storage services which are borderless. Since the US is unlikely to relax its security laws in response to CJEU’s decision, US-based cloud service providers may have to re-locate their servers to Europe which, thanks to the GDPR, has the most developed data legislation in the world. This is an expensive and disruptive undertaking.
The case also lays bare the ineffectiveness of standard contractual clauses which purport to give data subjects a false sense of protection while, unbeknown to them, the data is made available to third parties including governmental agencies. Facebook Ireland had unsuccessfully argued that there was no breach since its parent company was bound by contractual clauses to safeguard the personal information of their clients. The court, however, found that snooping intelligence authorities were not bound by such clauses since they were not party to the contract between the two companies.
The judgment will have a significant negative impact on e-commerce which, by definition, is borderless. Since data has become the new oil, its free movement across different geographies is essential for the advancement of economic and social life. When a large market like the US is blacklisted by a court of CJEU’s stature, the implications cannot be over-emphasised.
To end on a positive note, the Schrems II case will certainly jolt countries across the world to enact GDPR-compliant laws and potentially catalyse a global wave of harmonising data protection laws.
The article was also published in the Business Daily on 11 August 2020 and can be accessed here.