The Court of Justice of the European Union (CJEU) issued its decision in a data protection case that has now become popularly known as Schrems II.
Many experts see this judgment as one that will have a far-reaching impact on data privacy issues and the related challenges, particularly on how (and whether) data can be transferred out of European borders.
Quick facts about Schrems II
What is Schrems II?
Schrems II is a case in the CJEU (Case C-311/18) regarding data privacy. Its judgment was delivered in Luxembourg on 16 July 2020.
Who are the parties in Schrems II?
The Data Protection Commissioner vs Facebook Ireland Ltd, Maximillian Schrems. Intervening parties were: The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance Inc., and Digitaleurope.
Why Facebook Ireland?
That’s because Facebook has its European headquarters in Ireland.
What is the judgment in Schrems II?
The CJEU ruled that the (data) “protection provided by the EU-US Privacy Shield is invalid”. It further asked authorities to stop the transfer of personal data. To date, such transfers were made through Standard Contractual Clauses (SCCs) in various agreements.
The full judgment can be read here.
What or Who is Schrems?
Maximilian Schrems (commonly referred to as Max Schrems) is an Austrian lawyer and activist. He is particularly well-known for his campaign against Facebook for its data privacy violations.
Why is this judgment called Schrems II?
Max Schrems first filed a case against Facebook with the Irish Data Protection Commissioner in 2011. He withdrew it in 2014, claiming that he had not received proper procedure.
On the site Europe-v-facebook(dot)org, he said that he had not been granted procedural rights, which, he said “…observers assumed …may be based on political and economic considerations in Ireland.” (Source)
In 2013, meanwhile, Schrems filed a complaint against Facebook in Ireland. The objective of the complaint was to prevent Facebook from transferring data from Ireland to the US. This case came to be known as Schrems I.
Upon conclusion of the case, the Irish High Court officially referred the case to the CJEU, “with eleven questions to address related to the validity of the SCC” (Source: Wikipedia).
This is now known as Schrems II.
What was Schrems I about?
As noted above, Schrems I sought to prohibit Facebook from transferring data from Ireland to the US.
What will be the impact of Schrems II?
It is difficult to summarize all the impacts of such an important judgment so quickly. However, here are two of the most obvious ones:
- The CJEU found US data protection inadequate when measured against the GDPR. It will now be difficult (or impossible) to transfer data from the EU to the USA.
- Many countries, including India, do not have clear data protection laws, so they used to rely on contractual obligations when dealing with EU companies. One likely outcome is that practically no data will leave the EU border.
The Schrems II judgment explained
The CJEU bases its Schrems II judgment on the following two main factors:
1. The US surveillance programs aren’t always limited to what is absolutely essential. That means the programs could potentially have access to the personal data of more people than is strictly necessary. This fails to meet Article 52 of the EU Charter of Fundamental Rights:
“Any limitation on the exercise of the rights …must be provided for by law…. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union…” (Article 52)
2. With respect to US surveillance, there is no judicial redress. As a result, data subjects are unable to exercise their right to an effective remedy. This violates Article 47 of the same Charter, which says:
“Everyone…has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article.” (Article 47)
What about the Standard Contractual Clauses (SCCs)?
The judgment upholds the validity of SCCs.
However, until now, SCCs were accepted as blanket clauses. That means any and all SCCs were assumed to permit the transfer of personal data. This has now been rejected.
Now the validity of SCCs will have to be examined on a case-by-case basis. That means companies will be required to:
- verify whether the laws of the recipient country (the country to which the data is being transferred) provide adequate protection of data, and
- if the recipient country does not have relevant laws, arrange to:
  - provide additional protection measures, or
  - stop such data transfers, or
  - return or destroy the data if it has already been transferred earlier.
How Schrems II impacts Indian companies
While the Schrems II judgment clearly arose in the context of the EU-US Privacy Shield, its impact will be felt by all countries.
We classify the impact of Schrems II on Indian companies under three heads: processes to be followed, laws to be respected, and limits and exceptions to be applied.
Processes to be followed
- Re-evaluate agreements: India does not have privacy laws. Hence, data privacy professionals and legal experts will need to revisit their legal agreements and the SCCs.
- Check for sufficient protection: Companies will have to verify if their data transfer comes with adequate protection that meets EU standards.
- Carry out assessment: When transferring personal data, a transfer adequacy evaluation and assessment will have to be carried out.
- Understand ‘Consent’: Transfers based on consent must be explicit, specific and informed. Further, consent must be revocable. As an Indian company, you’ll want to establish this.
Laws to be respected
- Build around these regulations: Consent for data collection, including its purpose and use, will have to be reviewed under Article 4(11) (Definition of consent), Article 7 (Conditions for consent), Article 46 (Appropriate safeguards for transfer) and Article 49 (Partial suppression of law, called Derogation), among others.
- Treat each case as unique: IAPP (link below) points out that the SCCs “…must be approved on a company-by-company basis by DPAs”.
- Don’t make rules out of exceptions: When you transfer data by citing public interest, it cannot become a rule. Such transfers must be limited to clear and specific situations. Further, they must be subject to scrutiny to verify whether there’s adequate public interest involved. Importantly, the public interest angle must be one that is “recognized in EU or Member States’ law.”
Limits to be applied
- Ensure immediate correction: If you have been relying purely on the EU-US shield, you must note that there is “no grace period”. Any transfer that was based purely on the EU-US shield stands illegal today. In other words, it requires prompt correction.
- It’s applicable to all countries, not just the US: The judgment was issued specifically in the context of the EU-US Privacy Shield. However, the FAQ by the European Data Protection Board (EDPB) clearly states that “…the threshold set by the Court for transfers to the U.S. applies for any third country.” That means Indian companies enjoy no exception and are required to follow the judgment.
- The law is clear – protect, return or destroy the data: If you cannot provide adequate protection as laid down by the EU, you need to return or destroy the data.
- Data exporter and data importer are responsible: Finally, the FAQ clearly states that it is the responsibility of the data exporter and the data importer to ascertain that the level of protection required by the EU is met by Indian laws.
Presentation on Schrems II and its impact on India
You can watch the Slideshare presentation on how Schrems II impacts India here:
Suggested further reading:
- EDPB FAQs on Schrems II
- Mint article by Rahul Matthan, where he talks about data localization as one possible outcome.
Featured Image source: Screengrab from a video on Europa.eu
Disclaimer: This article is meant to be purely informative. The author does not claim to be a trained legal professional and this article does not purport to be a legal document.