Max Schrems has spent the last decade (give or take) as a young man on a mission. His aim has been to force attention on the issue of US surveillance and European data privacy. Every day, data is shipped to the US or passes over US servers as part of the activities of the Big Tech companies.
Austrian Schrems was a young law student in 2011, studying at the University of Santa Clara when he was lectured on data privacy by a Facebook lawyer. Horrified by what he heard, Schrems wrote his term paper on the lack of awareness of European data privacy. He then sent a subject access request which elicited 1,200 pages of his own personal data. This was followed with a complaint to the Irish Information Commissioner, the data protection authority where Facebook’s European head office is based.
Companies which collect data in the EU often have it “processed” by third-party companies, with servers outside the EEA. This outsourced data processing is governed by the law of the country in which it takes place. European law, however, requires that if data is collected in Europe, any processing outside of the European Economic Area (EEA) must meet the same standards set out for personal data in European law.
An adequacy test is applied to the laws in countries beyond the EU to ensure that European citizens can rely on the same standard of data privacy wherever in the world the processing of their personal data occurs.
To transfer data outside the EEA, the organisation which collected the data — generally referred to as the “controller” — is responsible for its own activities and also for those of any third-party processors. This is managed via a “data processor agreement.”
The US is perhaps the best example of a country whose data privacy laws do not meet the adequacy test imposed by European law. In recent decades, businesses have fallen back on standardised documentation.
As an in-house lawyer, when I worked on any deal with third parties that might host personal data outside the EEA, I would include standard wording called a “Safe Harbor.” This was the case from Google to Salesforce — and any other cloud provider or company providing online or digital services.
This kind of arrangement was a standardised and generally accepted “sticking plaster” which brought the processing activities up to the standard required by European law, despite the fact that the laws in the US, where the data was to be processed, were not “adequate.”
The outcome of Max Schrems’s first litigation in 2015, now referred to as “Schrems 1”, was also influenced by the Edward Snowden revelations that the US National Security Agency was allegedly spying on international citizens. Following these, the European Commission found that the Safe Harbor system was inadequate, and it was therefore overturned.
This finding was on the basis that the arrangement would violate Schrems’s rights to privacy, data protection and a fair trial under the EU’s Charter of Fundamental Rights. The European Court held that individual countries’ data protection authorities could suspend data transfers to third countries if those transfers violated EU rights, as the US was deemed to do.
This decision had a massive impact on business as all commercial agreements that might involve outsourcing of personal data or services had to be reopened, reviewed and amended. It was clearly a huge cost to business.
The Safe Harbor sticking plaster was quickly replaced with a new approach called the EU-US Privacy Shield, alongside pre-approved model clauses referred to as “Standard Contract Clauses” or “Model Clauses”. Businesses have come to rely on these as they did on the Safe Harbor arrangement before them. Even the Big Tech companies themselves collect data via their European companies and enter similar arrangements within their groups.
The decision in Schrems 2 on Thursday 16th July invalidated the adequacy of the EU-US Privacy Shield but confirmed the ongoing use of Model Clauses where proof of data protection and privacy is found. Going forward, businesses have to focus on whether the criteria for meeting fundamental rights under the EU Charter are met.
This means that, while arrangements with other countries can continue on a business-as-usual basis, personal data cannot be sent to the US under these arrangements without additional due diligence. US Government surveillance activities, such as PRISM, are not considered to be in line with European law.
Nobody could have escaped the implementation of the European Union’s General Data Protection Regulation in the UK, which saw updates to privacy policies and confirmation of mailing list participation across the UK, at massive cost to business, in May 2019.
Despite Brexit — and the opportunity to change the UK’s data privacy regime by moving away from GDPR — businesses are unlikely to want to incur yet more cost in further changes to UK data protection laws.
UK businesses, struggling to recover from lockdown and the economic impact of the pandemic, desperately need to work with European customers and to have data flows between the UK and the European Union after Brexit. Business needs stability, and the opportunity to conduct trade with European citizens cannot be impeded further.
A number of European countries — and the European Commission — have been grumbling about the US’s privacy protections for some time and have shown a general concern over the US’s treatment of European citizens’ data. The preponderance of surveillance activities and overreaching for data have pushed many Europeans towards a more local alignment of tech standards, and proposals for a “European Cloud.”
The Schrems 2 decision is a further step along that path to localisation. There is not just a local state desire for data sovereignty, but in fact a move to what might be called digital sovereignty.
What this means with respect to personal privacy in the UK, and our relationships with the US and Europe as we prepare for Brexit, is anyone’s guess. But what is sure is that a blow has been struck against Big Tech in Europe.