Maximillian Schrems was a PhD student in Austria when he decided to participate in a study abroad program with Santa Clara University. While Schrems was at Santa Clara, Ed Palmari, Facebook’s privacy lawyer, spoke to his class. It was during this lecture that Schrems received the ammunition that he needed to challenge the legitimacy of EU–U.S. data transfers. Based on Palmari’s presentation, Schrems believed that Facebook lacked complicity of the EU’s privacy regulations. Upon his return to the EU, Schrems took what he learned from Palmari and embarked on litigation that has challenged the way the U.S. treats data privacy. Schrems’s actions have forced many companies to drastically amend their current business practices regarding U.S. data transfers from overseas locations. What started with a harmless study abroad presentation quickly spawned, arguably, the most influential privacy based litigation for US corporations.
I. The Directive: The Mechanism that Regulates for EU-US Data Transfers
The U.S. and the EU view privacy differently: in the EU, there is a fundamental right to privacy; whereas, in the U.S., the right to privacy is far less structured.1 The EU’s broad fundamental right to privacy also covers the privacy of personal data that companies collect. This is a common practice among many large tech corporations that collect and store personal user data in order to improve their platform. The EU Data Directive (Directive) is the specific mechanism meant to govern and protect such data.2 The Directive has intentionally left the definition of “personal information” broad; thus, this mechanism is easily able to govern the user data collected by these large tech companies.
The Directive is a European mechanism meant to govern European companies; however, many of the corporations collecting and storing user data are not actually located in the EU. Instead, many of these companies are based in the U.S. For this reason, the Directive seems to have a rather broad reach. Pursuant to Article 25 of the Directive, any company that transfers user data belonging to a European must ensure adequate safeguards for that data. This means any non-European based company in possession of such user data must treat that data as any European based company would. Given the aforementioned tensions between the EU and the U.S. regarding the general notion of privacy, the Directive’s high bar for protecting user data has proven difficult to reach for many U.S. based companies.3
In 2000, the EU and U.S. attempted to remedy this tension through the Safe Harbor arrangement.4 Under this arrangement, U.S. privacy standards were deemed “adequate” pursuant to Article 25. Therefore, U.S. based companies could opt to follow the prescribed data protection principals when transferring data across borders. One important caveat is that these prescribed principals were merely voluntary, leaving each participant responsible for its own certification.5 Because it was left up to each individual corporation to implement and adhere to the privacy principals, there were strong doubts as to the level of protection that international user data actually received.
II. The Original Action: Schrems I and the Safe Harbor Arrangement
In 2013, the U.S.’s treatment of personal data under the Safe Harbor arrangement was finally challenged. After completing his U.S. study abroad, Schrems returned to the EU and promptly filed a complaint with the Irish Data Protection Commission (DPC). Heavily based on Edward Snowden’s then-recent revelations concerning U.S. intelligence surveillance, Schrems alleged that his personal data, when transferred to the U.S., was not being properly safeguarded.6 More specifically, Schrems believed, based on Snowden’s allegations, that the U.S. failed to adhere to the Safe Harbor arrangement. Schrems argued that the U.S. was no longer “adequate,” a prerequisite any company had to meet in order to transfer data. If the U.S. was no longer “adequate” pursuant to Article 25, as Schrems alleged, then such cross-border data transfers between the EU and U.S. were violations of the Directive. Schrems used Facebook Ireland’s, a subsidiary of Facebook, Inc., data transfer from Ireland to servers in the U.S. to make this claim. According to Schrems’ argument, Facebook’s transfer of data to an “inadequate” country was a violation of Article 25, thus a violation of Schrems’ fundamental right to privacy.
Although he initially faced some difficulties advancing his case, Schrems’ complaint, questioning the adequacy of the EU-U.S. Safe Harbor arrangement, eventually reached the Court of Justice of the European Union (CJEU). The CJEU found in favor of Schrems, holding that the Safe Harbor arrangement was invalid because it failed to provide adequate privacy protections.
Under normal circumstances, only U.S. citizens can bring suit in the US. Although EU citizens could opt to appeal to the Federal Trade Commission (FTC), the FTC has no private right of action. Thus, any complaint to the FTC has the likelihood of being unsatisfactory. Also, the Safe Harbor arrangement prescribed principals that only apply to companies that transfer data across borders. However, these principals do not bind the U.S. government; therefore, if the U.S. government were to utilize some of the transferred data, there is no remedy for European citizens. The lack of remedies for EU citizens impacted the CJEU’s finding that the Safe Harbor arrangement was invalid.
The CJEU’s holding in Schrems I greatly impacted U.S. companies because the mechanism that allowed for cross-border transfers, the Safe Harbor arrangement, was now gone. Post-Schrems I, the EU and the U.S. rushed to negotiate a quasi-solution for the problems. One temporary solution included the Privacy Shield.7 This Privacy Shield bears a strong resemblance to the Safe Harbor arrangement with the addition of a special ombudsman, which allows EU citizens to bring data privacy concerns. On the surface, the addition of this ombudsman seems promising; however, there is no requirement that the ombudsman report his findings. Therefore, just like the Safe Harbor Arrangement, the Privacy Shield’s ombudsman lacks accountability. In addition to the Privacy Shield, the U.S. passed the Judicial Redress Act. The Judicial Redress Act allows EU citizens to file suit in U.S. courts, subject to various exceptions. Although the above solutions provide some remedies, the lack of accountability and oversight mirrors the same problems present in the now-invalid Safe Harbor arrangement. Moving forward, there must be major amendments to U.S. policy before any form of privacy protection in the US meets the high EU standard.
III. The Maverick Continues: Schrems II and the Standard Contractual Clauses
Immediately after the CJEU’s holding invalidating the Safe Harbor arrangement in Schrems I, Schrems filed another complaint alleging that Facebook’s standard contractual clauses (SCC) were invalid. These SCCs are common boiler-plate contract clauses that provide for EU-U.S. data transfers. Currently, this case is in front of the CJEU. At the lower level, the Irish High Court suggested that because these SCCs are mere contract clauses not conditioned upon any actual finding of adequate privacy protections, the transfers enacted pursuant to these SCCs do not, alone, constitute adequate protections.8 Furthermore, the Schrems I decision held that U.S. data privacy protections and remedies were inadequate. Therefore, because U.S. policy itself is inadequate, it is unlikely that SCCs can compensate for the existing inadequacies.9 However, the Irish High Court lacks the jurisdiction to decide on the adequacy of these SCCs. For this reason, the case was sent to the CJEU.
IV. Potential Schrems III: The Binding Corporate Rules
In addition to the Safe Harbor and the SCCs, a Binding Corporate Rule (“BCR”) is a third way in which a company may be found adequate pursuant to Article 25.10 The BCR incorporates a much higher standard than what was provided for by the Safe Harbor arrangement and the SCCs. Before a company can be deemed adequate via the BCR, that company must demonstrate that they have put in place certain controls and mechanisms to safeguard personal data. Unlike the SCCs and Safe Harbor, this is a very strenuous process that requires actual accountability and oversight. Once approved, that company alone, not the country, may transfer data across borders.
Given Schrems’ past actions, challenging both the Safe Harbor Agreement and the SCC provisions, perhaps we will have a Schrems III on the horizon. However, as noted above, BCRs are different from the Safe Harbor and the SCCs. It is foreseeable that the requirements, cost, and accountability may allow the BCRs to withstand the stringent EU standards for data protection.
The CJEU’s invalidation of the Safe Harbor Agreement sent U.S. corporations into a frenzy. Although the EU and U.S. were quick to respond, the Privacy Shield and Judicial Redress Act are merely crutches to limp the dead law along until a better solution is proposed. Although we are still awaiting the CJEU’s decision in Schrems II, it seems likely the SCCs, just like the Safe Harbor Act, will be invalidated. If this is the case, then two of the main mechanisms used by many corporations to transfer data between the EU and U.S. are no longer available. This only leaves the BCR. Given Schrems’ previous action, Schrems III could be a future case that examines the adequacy of the BCR. However, given the oversight and accountability elements of the BCR, it may withstand the high standards of the CJEU. Given the total failure of the Safe Harbor Arrangement and the likely failure of the SCCs, it seems probable that the U.S. will need to strengthen its data privacy regime before companies can resume transferring personal data overseas.
1. The U.S. Supreme Court has failed to take any concrete position on such a right. The Supreme Court case, Griswold v. Connecticut, 381 U.S. 479 (1965), was the first time the United States recognized a right to privacy. However, Justice White, most famously, grounded his decision in certain “penumbras” of privacy that other constitutional rights cast. Unlike the stand-alone fundamental right to privacy in Europe, this decision failed to root the right to privacy in one specific constitutional right. A few years after Griswold v. Connecticutwas passed down, the Supreme Court decided Whalen v. Roe, 429 U.S. 589 (1977). In this decision, the Court was very careful to neither accept nor reject the right to privacy.
2. The Directive’s twin goals include: safeguarding data protection rights while still allowing for the free flow of data. The General Data Protection Regulation (GDPR) has been passed and will replace the Directive on May 25, 2018. Although the Directive is being replaced by the GDPR, this does not affect the CJEU’s invalidation of the Safe Harbor Arrangement. Rather, the GDPR works to impose new obligations on “controllers” and “processors” of personal data. For more information on the GDPR’s effect see Caroline Krass et. al., A GDPR Primer For US-Based Cos. Handling EU Data: Part 2, Law360(Dec. 13, 2017, 1:18 PM), https://www-law360-com.ezproxy.law.wustl.edu/articles/993634/a-gdpr-primer-for-us-based-cos-handling-eu-data-part-2.
4. For more information on the Safe Harbor Program see Martin A. Weiss & Kristin Archick, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield, Congressional Research Service, https://fas.org/sgp/crs/misc/R44257.pdf at 5-6.
6. For more information regarding Schrems’ allegations, see Elaine Edwards, All You Need to Know in the Max Schrems-Facebook Case, The Irish Times (Feb. 6, 2017 16:19 pm), https://www.irishtimes.com/business/technology/all-you-need-to-know-in-the-max-schrems-facebook-case-1.2965482.
8. Adam Finlay & Paul Lavery, Validity of Standard Contractual Clauses to be referred to CJEU, Lexology (Oct. 4, 2017) https://www.lexology.com/library/detail.aspx?g=3fc97ee8-a900-46ad-a575-ec27576d9f7a. See alsoMcCann FitzGerald, Schrems II Update – Questions for CJEU Still Under Consideration, Lexology (Jan. 23, 2018), https://www.lexology.com/library/detail.aspx?g=8ac1bd53-1dc1-45a0-9240-8c625f809354; John Cahir, Schrems II—Data Transfers Questioned Again, A&L Goodbody(Oct. 4, 2017), https://www.irelandip.com/2017/10/articles/cyber-risk-data-privacy/schrems-ii-data-transfers-questioned/.
10. Allen & Overy, Binding Corporate Rules, (Mar. 2016), http://www.allenovery.com/SiteCollectionDocuments/BCRs.pdf at 5.