Schrems II – European Court of Justice Invalidates US-EU Privacy Shield

For those of you keeping score at home, it is Max Schrems 2, Facebook 0.  On July 16, 2020, thirty-three-year-old Austrian lawyer and privacy advocate Max Schrems beat Facebook in the European Court of Justice . . . again.  In Schrems I in 2015, the ECJ invalidated the US-EU Safe Harbor framework, and last week (Schrems II) it threw out its replacement, the US-EU Privacy Shield, in which more than 5,300 organizations participate.  The decision has been called a “tsunami in the privacy community that threatens to massively disrupt trans-Atlantic commerce”.

How We Got Here

The ECJ Decision


Under the European Data Directive and its successor, the General Data Protection Regulation, data of a European subject may be transferred out of the EU via an approved framework like the US-EU Privacy Shield, through approved Standard Contract Clauses (SCC), binding corporate rules approved by the relevant data protection authority or certain limited derogations (consent, necessity or compelling interest).

In December 2015, Schrems filed a new complaint with the Irish Data Protection Commission challenging Facebook’s data transfer under SCCs. The Irish High Court, in turn, referred the matter to the ECJ, expressing doubts about the adequacy of the level of protection under U.S. law. This called into question the EU’s assessment in implementing the Privacy Shield, since “the United States carries out mass and indiscriminate processing of personal data that might expose the data subjects to a risk of a violation of [their] rights” under the EU Charter.

In its decision, the ECJ found the EU’s approval of the Privacy Shield to be invalid since U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law and the ability to submit complaints to a State Department appointed ombudsman for U.S. surveillance does not satisfy the data subject’s right to an effective remedy under the EU Charter (even though no such right is available to most EU citizens).

The ECJ upheld the use of SCCs, but the controller must verify on a case-by-case basis whether the law of the destination country ensures adequate protection under EU law or, if it does not, provide additional safeguards to ensure it does. If these conditions cannot be satisfied, the controller must cease further transfers and the data recipient must return or destroy the data received; data subjects whose data was transferred improperly may have a claim for damages.

What Next?

The European Data Protection Board, in FAQs released the week after the ECJ decision, made it clear there is no grace period after the ECJ decision because “U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU” (even though one was provided after Schrems I).  While European Data Protection Authorities are still evaluating the decision, those that have commented are split as to whether Schrems II means no data may be transferred to the United States under SCCs or whether they may continue provided additional safeguards are implemented.

Schrems’ NOYB – European Center for Digital Rights has released a list of common questions and next steps for EU companies.

The U.S. Department of Commerce acknowledged that, as a result of Schrems II, the Privacy Shield

is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

That means U.S. companies must still comply with the Privacy Shield while exploring whether they may transfer data using an SCC or some form of derogation.

Some in the United States are calling for punitive measures against the EU for, in essence, breaching the deal reached through the Privacy Shield, including imposing heavy tariffs on EU goods.  In addition, it stands to reason that Schrems II would be used to invalidate data transfers to repressive regimes such as China and Russia, which could lead to economic conflict with those nations as well.