Schrems II and the Future of Privacy
Attorney, CIPP/US, CIPP/E, CIPM
On July 16, Austrian lawyer and privacy activist Max Schrems received his second sweeping data privacy ruling. It was Schrems who, as a 23-year-old law student, filed a complaint against Facebook in Ireland that eventually led to the overturning of the Safe Harbor adequacy decision. Now, in what might be the most significant ruling in years from the Court of Justice of the European Union, the Court has invalidated the US-EU Privacy Shield.
The Privacy Shield permitted transfers of personal data from the EU to non-EU countries (including the USA) that would otherwise be prohibited under the General Data Protection Regulation (GDPR). Generally, GDPR prohibits such data transfers unless certain safeguards are shown to protect privacy interests. The Privacy Shield was available to US and other non-EU organizations that demonstrated adherence to GDPR principles. Social media platforms, cloud storage services, and communication services such as Amazon, Facebook, and Zoom relied on the Privacy Shield to operate.
In practice, the Schrems II finding means that any company currently relying on the Privacy Shield for international transfers must now find a different method of protecting data. More striking, however, is the tone of the ruling, which amounts to an indictment of the U.S. government's internet surveillance programs. In a subtle warning in the opinion, the Court stated that Standard Contractual Clauses will remain valid, with the caveat that the importer and exporter must be able to comply with all duties listed in the clauses.
In Schrems II, the court states:
Neither section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD-28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programs based on those provisions cannot be regarded as limited to what is strictly necessary.
In those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by the US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter.
Under section 702 of FISA as it currently stands, the NSA has access to internet communications coming into the U.S. via the transatlantic submarine cables. Virtually all data transfers between the EU and the US travel over those cables across the Atlantic Ocean; therefore, the NSA would have the power to surveil any data transfer from the EU to the US. Section 702 allows the federal government to routinely collect and search the online communications of private American citizens without a warrant, arguably violating their Fourth Amendment rights in the process. Currently, Congress must renew this law every few years, and it is set to expire at the end of 2023.
The most troubling surveillance ability of the NSA is its ability to perform "about" collection. Normally, data is collected or intercepted by targeting communications sent to or from a specific target. This is like placing rules on your Outlook inbox: you enter an email address and collect all communications coming from that address. "About" collection, however, is far broader. It covers messages that are not necessarily to or from a target but merely contain a reference to the target within the body of the communication. This is also referred to as "Upstream" surveillance. Upstream surveillance takes place on the internet backbone, the network of cables, switches, and routers carrying domestic and international internet communications, where the NSA has installed surveillance equipment at hundreds of points, allowing it to collect and analyze vast amounts of internet traffic in bulk.
This kind of bulk or mass surveillance is in direct violation of the Charter of Fundamental Rights of the European Union. Even if a company formerly using the Privacy Shield decides to start using standard contractual clauses for data transfers, it would still have to be able to comply with all the duties within the clauses, which, given the current NSA surveillance programs, would be impossible.
I anticipate that this lack of proportionality in surveillance will remain an issue until the law is changed, and that will not happen until at least 2023. Predictably, Secretary of Commerce Wilbur Ross immediately called the ruling "deeply disappointing," and the conservative NSA establishment in the United States is already calling for "retaliation" in the form of tariff threats. Many U.S. companies will face a difficult challenge over the next three years, but the economic hit from this decision may force large telecommunications companies like AT&T and Verizon to terminate their NSA assistance or risk their business.
Brandon Stevens practices in Seattle, Washington. He is one of a handful of attorneys carrying CIPP/US, CIPP/E, and CIPM certifications. Reach out to Brandon on LinkedIn or at Brandon@NapierandGeorge.com.