Schrems v. Data Protection Commissioner

• Schrems I |
• Schrems II |
• Legal Documents |
Resources |

Summary

Two of the most important international privacy cases in recent history arose from complaints against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaints, Mr. Schrems challenged the transfer of his data (and the data of EU citizens’ generally) to the United States by Facebook, which is incorporated in Ireland. The first Schrems case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US. After that case was remanded to the Irish data protection authority, the Commissioner filed a second suit (“Schrems II”) in the Irish High Court to determine whether the “standard contractual clauses” used by Facebook to authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens. EPIC has been selected by the Irish High Court to provide an amicus submission in Schrems II to “counterbalance” the submission of the U.S. Government.

Top News

• Second Legal Challenge Launched Against "Privacy Shield": La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar  challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in related case brought by privacy advocate Max Schrems. (Nov. 3, 2016)
• Privacy Advocates Challenge EU-US Data Transfer Agreement: An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice for the European Union concluded Personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance. (Oct. 27, 2016)

More top news

EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +

Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010 members of the EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.

Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +

The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.

European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +

The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.

TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +

The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.

EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.

NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +

More than twenty civil society groups has urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.

"Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +

The text of the "Privacy Shield" was released today by European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.

European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016) +

The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US Consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections.

Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +

As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.

EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016) +

EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation.

Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +

The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."

Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016) +

Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data.

Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016) +

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and "essentially equivalent" protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award.

"Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016) +

BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.

EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016) +

After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.

EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016) +

Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the office of Personnel and Management.EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.

EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016) +

In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month yet the DOJ has not made the document available to the public or to Members of Congress.

European Institutions Conclude Data Protection Reform (Dec. 15, 2015) +

The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a "major step forward for consumer protection and competition," said Jan Philip Albrecht. Sophie In’t Veld said, "The EU will now have the most extensive data protection laws in the world and will set global standards." EPIC, and many consumer privacy organization have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, "The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe."

Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015) +

The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOS have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."

Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015) +

The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. "The 'class action' is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook," says Schrems. EPIC frequently works to protect the interests of Internet users in facing common violations of privacy rights.

Schrems Pursues Legal actions to Block Data Transfers to the US (Dec. 2, 2015) +

EU Privacy Advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to to block Facebook data transfers to the United States. Schrems says he wants to "ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance." NGOs in the Europe and the United Stated have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015) +

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.

European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015) +

The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."

EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015) +

EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit.

EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015) +

In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows, US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."

Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015) +

Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration "Fundamental Rights are Fundamental." Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the "Bridges" report is "remarkably out of touch with the current legal reality and what we need to do to address it." The NGO leaders also criticized the organizers of the Amsterdam conference for "the failure to engage" many new challenges to data protection, including "Big Data" and drone surveillance. Privacy campaigner Simon Davies wrote, "There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust."

After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015) +

The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.

House Passes Faux Privacy Bill (Oct. 21, 2015) +

The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.

Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015) +

Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post.

European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015) +

Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.

European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015) +

In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress

EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015) +

In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."

Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015) +

An opinion by the top advisor for Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.

Background

The Law of Data Transfers: the Data Protection Directive, Safe Harbor, and Privacy Shield

The Schrems cases address one of the core tensions between EU and US privacy law, and the international agreements and contracts that have been used to address the data protection gap. The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.

Unlike in the United States, the default rule in the European Union is that data transfers are prohibited; a transfer of personal data is permitted only if certain criteria are met. The European Data Protection Directive is the EU law embodying this norm. The Directive states that transfer of personal data to a third country may take place only if that country ensures an adequate level of data protection. The Directive also provides that the European Commission may find a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

In July 2000, the European Commission adopted a decision declaring that the United States provides for adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on the self-assessment and self-certification by private companies.

As is discussed in greater detail below, in October of 2015, the Court of Justice for the European Union ruled that the Safe Harbor framework was invalid.

Shortly thereafter, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016, and US companies have begun to self-certify and transfer data under the agreement. However, the Privacy Shield shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.

Schrems I (Safe Harbor): Max Schrems v. Irish Data Protection Commissioner

This case arose from proceedings before the Irish Data Protection Commissioner (DPC) brought by Max Schrems, an Austrian PhD student and privacy activist.

The data that Mr. Schrems, a Facebook user, provided to Facebook was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers located in the United States (Facebook, Inc.). Mr. Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the US ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and to refer the following question to the CJEU for preliminary ruling:

May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or the Commissioner is absolutely bound by the Commission’s decision?

On September 23, 2015, Advocate General Yves Bot issued his opinion on the case. The Advocate General's opinion indicated that the Safe Harbor arrangement, which permitted the transfer of personal data from the EU to the US, must end because the arrangement failed to provide the requisite legal protection under EU law and thus "must be declared invalid." The CJEU issued its ruling on October 6, 2015, agreeing with the Advocate and invalidating Safe Harbor. The Court ruled that (1) national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement or any other arrangements concluded pursuant to an adequacy decision by the European Commission for that matter, and (2) the Safe Harbor arrangement should be invalid due to the lack of adequacy.

Schrems II (Standard Contractual Clauses): Irish Data Protection Commissioner v. Facebook and Max Schrems

Following the CJEU ruling, Mr. Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of “standard contractual clauses” to authorize EU-US data transfers, which provided the basis for a new case in the Irish High Court. Soon after the CJEU decision, the Irish High Court quashed the Irish DPC’s previous decision not to investigate Facebook Ireland regarding the allegations in Mr. Schrems’s first complaint. The Irish DPC then commenced an investigation. The Irish DPC considered two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could standard contractual clauses (SCCs) used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? Simultaneously, Mr. Schrems updated his complaint with the DPC against Facebook, and he contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision. The CJEU found that the US must make changes to its “domestic laws” and “international commitments” in order to provide essentially equivalent privacy and data protection to the European Union. Additionally, Mr. Schrems argued the SCCs fail to provide the adequate legal protection necessary to otherwise permit data transfers.

In May of 2016, the Irish DPC issued a Draft Decision announcing its preliminary position: that US law fails to adequately provide legal remedies to EU citizens and the SCCs could not address the deficiency in US law. As a result, the Irish DPC suggested the contractual clauses at issue were invalid under EU law. However, the Irish DPC found that, as a representative of one nation in the EU with limited authority, it did not have the ability to declare the clauses invalid under EU law; the Irish DPC argued that standard contractual clauses issued under the broader authority of the European Commission had been deemed by that Commission to authorize data transfers. The Irish DPC argued that, without a finding that the clauses are indeed invalid, they cannot complete its investigation into Facebook.

As a result, the Irish DPC brought the case back before the Irish High Court and is seeking a preliminary ruling from the CJEU on the validity of the standard contractual clauses. The High Court named EPIC amicus curiae in the case, which will be heard in February 2017.

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in Schrems II as the only NGO from the United States. EPIC will provide the Irish Court, and likely the CJEU, with a perspective on U.S. surveillance law to “counterbalance” the views offered by the U.S. Government. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has provided expert opinion to decision makers during the negotiations about data transfers between the EU and the US. EPIC has urged both sides to respect the decision of the Court of Justice of the European Union in the Safe Harbor case and provide adequate protections for personal data in transatlantic transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement.

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US.

In ACLU v Clapper EPIC petitioned the Supreme Court to halt the disclosure of the telephone records of millions of Americans, arguing that FISC did not have statutory authority to compel Verizon to turn over all domestic telephone metadata to the National Security Administration (NSA).

As a member of the Trans Atlantic Consumer Dialogue (TACD), EPIC has been advocating for adequate safeguards for transatlantic data transfers and the revision of the Safe Harbor arrangement. Since its formation in 1998, TACD has developed into a thriving network of over 75 leading organizations representing the consumer interest on both sides of the Atlantic. TACD previously criticized Safe Harbor for its lack of effective means of enforcement, redress, and accountability for privacy violations. The has called upon the US to develop legal means to safeguard the privacy of US consumers based on Fair Information Practices as articulated in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Most recently, the TACD counseled against the adoption of the Privacy Shield, urging the US to first put in place an enforceable, comprehensive legal framework supporting privacy.

News

• Joe Uchill, US to Join Irish Facebook Case, The Hill (July 19, 2016)
• RTE News, US govt can join legal action over data transfers - High Court (July 19, 2016)
• Glyn Moody, In “an unusual move,” US government asks to join key EU Facebook privacy case, Ars Technica (June 13, 2016)
• Cryptic Safe Harbor Pact 'Privacy Shield': Public, Possibly Soon, Forbes, February 6, 2016
• EU-US Privacy Shield offers flimsy protection, InfoWorld, February 5, 2016
• The new Safe Harbor agreement: Will it survive Europe’s paranoia?, American Enterprise Institute, February 5, 2016
• U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal, JDSupra, February 4, 2016
• U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await, New York Times, February 2, 2016

More news

Negotiators miss deadline for transatlantic data agreement, The Hill, February 1, 2016

EU lawmakers skeptical new data deal will hold up in court, The Hill, February 1, 2016

EU-US Safe Harbor: Judicial Redress Act Vote Delayed, Forbes, January 21, 2016

EU regulators could freeze data transfers with US, The Hill, January 21, 2016

EU wants tougher privacy controls in new Safe Harbor, The Hill, January 19, 2016

Glyn Moody, Safe Harbor 2.0 framework begins to capsize as January deadline nears, ars technica (November 16, 2015)

Jacob Fischler, Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (November 16, 2015)

Natalia Drozdiak and Stephen Fidler, EU Justice Chief Vera Jourova Speaks on Negotiating New Safe Harbor Pact, The wall Street Journal (November 12, 2015)

NGOs Reject "Safe Harbor 2.0", Urge EU and US to Protect Fundamental Rights (November 12, 2015)

Brooke Gladstone, Safe Harbor No More, NPR OnTheMedia (October 16, 2015)

Safe Harbour ruling: MEPs called for clarity and effective protection, European Parliament Justice and Home Affairs (October 15, 2015)

Robert Levine, Behind the European Privacy Ruling That’s Confounding Silicon Valley, The New York Times (October 9, 2015)

Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian (October, 2015)

Amie Stepanovich, Opinion: With pervasive government surveillance, there are no safe harbors, The Christian Science Monitor (October 8, 2015)

Elizabeth Weise, Europe's top court rejects 'Safe Harbor' ruling, USA Today (October 6, 2015)

Andrew Griffin, Jamie Merrill, European court rules 'Safe Harbour' treaty that saw Facebook hand over user data to US is invalid, after challenge by student, Independent (October 6, 2015)

World Wide Web Foundation, Privacy before Profit: European Court of Justice Rules “Safe Harbor” is invalid (October 6, 2015)

TV Interview with Max Schrems, ORF TVTECH (October 6, 2015)

Leo Kelion, Facebook data transfers threatened by Safe Harbour ruling , BBC (October 6, 2015)

European Digital Rights, Safe Harbor: European Court Advocate General says Agreement should be declared invalid (September 23, 2015)

Mark Scott, European Court Adviser Calls Trans-Atlantic Data-Sharing Pact Insufficient, The New York Times (September 23, 2015)

Owen Bowcott, Facebook case may force European firms to change data storage practices, The Guardian (September 23, 2015)

Yves Eudes, Pourquoi l’accord Safe Harbor sur les données personnelles cristallise les tensions, Le Monde (September 25, 2015)

Patrick Beuth, Facebook braucht eninen Plan B, Die Zeit (September 23, 2015)