For those of you keeping score at home, it's Max Schrems 2, Facebook 0. On July 16, 2020, Max Schrems, a 33-year-old Austrian lawyer specializing in data protection, beat Facebook before the European Court of Justice ... once again. In Schrems I in 2015, the ECJ declared the US-EU Safe Harbor framework invalid, and last week (Schrems II) it discarded its replacement, the US-EU Privacy Shield, in which more than 5,300 organizations participate. The decision has been described as a "tsunami in the data protection community that threatens to massively disrupt transatlantic trade".
How we got here
The decision of the ECJ
According to the European Data Protection Directive and its successor, the General Data Protection Regulation, data of a European subject can be transferred out of the EU via an approved framework such as the US-EU Privacy Shield, through approved standard contractual clauses (SCCs), through binding corporate rules approved by the competent data protection authority, or under certain limited exemptions (consent, necessity or imperative interest).
In December 2015, Schrems filed a new complaint with the Irish Data Protection Commission against Facebook's data transfers under SCCs. The Irish High Court in turn referred the matter to the ECJ and expressed doubts about the adequacy of the level of protection under US law. This challenged the EU's assessment of the Privacy Shield implementation, as "the United States is carrying out mass and indiscriminate processing of personal data that could expose data subjects to the risk of injury to [their] rights" under the EU Charter.
In its decision, the ECJ found the EU's approval of the Privacy Shield to be invalid, because US surveillance programs are not limited to what is strictly necessary and proportionate under EU law, and because the possibility of submitting complaints to an ombudsperson appointed by the US State Department does not fulfill the data subject's right to an effective remedy under the EU Charter (although most EU citizens do not have such a right).
The ECJ confirmed the use of SCCs, but the controller must examine on a case-by-case basis whether the law of the destination country guarantees adequate protection under EU law, or must provide additional safeguards to ensure it. If these conditions cannot be met, the controller must stop further transfers and the data recipient must either return or destroy the data it has received. Data subjects whose data was not properly transferred can assert a claim for damages.
In frequently asked questions published one week after the ECJ decision, the European Data Protection Board made it clear that there is no grace period after the decision, as "the US law assessed by the Court of Justice does not provide a level of protection essentially equivalent to that of the EU" (although a grace period was made available after Schrems I). While the European data protection authorities are still scrutinizing the decision, those who have commented are divided on whether Schrems II means that SCCs can no longer be used to transfer data to the United States, or whether such transfers can continue provided additional safeguards are implemented.
Schrems' NOYB – European Center for Digital Rights has published a list of common questions and next steps for EU companies.
The US Department of Commerce acknowledged that because of Schrems II, the Privacy Shield is no longer a valid mechanism for compliance with EU data protection regulations when transferring personal data from the European Union to the USA. This decision does not release participants in the EU-U.S. Privacy Shield from their obligations under the EU-U.S. Privacy Shield.
That means U.S. companies must continue to comply with the Privacy Shield while examining whether they can transfer data using an SCC or an exemption.
Some in the United States are calling for penalties against the EU for essentially violating the agreement reached through the Privacy Shield, including imposing heavy tariffs on EU goods. In addition, it stands to reason that Schrems II will be used to invalidate data transfers to repressive regimes like China and Russia, which could also lead to economic conflicts with these nations.