ECJ, Schrems 2 and (real-world) data protection in the EU

Sharing a perspective and a few facts.

---

Much has been said since the ECJ struck down the #PrivacyShield for US-EU data transfer. Earlier this week, James Sullivan, Jr. from the U.S. Department of Commerce shared a White Paper outlining the information that can help both US and EU organizations in this context.

Interesting that the ECJ focuses on aspects related to US intelligence laws – with apparently an incomplete review – to take a decision saying these wouldn’t meet EU data protection standards. This decision has a massive impact on so many people, while an overwhelming majority of EU citizens would have had no interactions with such intelligence laws anyway.

Frictions in international law are common and the constitutional order of the USA is different from the European Union. It is fair to say that both orders try to keep their position while engaging in moves that would potentially improve it: this is nothing really new either, and this is well illustrated by the current negotiations between the UK and the U.S. regarding a post-Brexit deal, for instance.

But what does (real-world) data protection look like in the EU?

For instance, a case brought by the Irish Council for Civil Liberties – this evidence includes a “proven case of electoral influence, profiling of people with AIDS and cancer, and a list of 968 companies that Google sends information to about the private things that we do and watch online”.

Recently, The Hamburg Commissioner for Data Protection and Freedom of Information fined for 35.3 Million Euro H&M’s Service Centre for Data Protection Violations.

That would deserve full research but things aren’t looking maybe that great: massive data breaches with no or little redress from DPAs (depending on the DPA), a very large proportion (90%) of websites not respecting citizens’ privacy and persons’ fundamental rights (access etc.) depending very much on controllers’ goodwill.

Now, extending the view expressed by the ECJ into everyday business practices on privacy, a blatant breach of GDPR in the EU comes from a number of UK businesses and their HR.

When people need to find employment and can’t rely on or don’t want to deal with agencies or job portals, their last option is to look for open roles on companies’ websites. The starting point to apply once a suitable position is found is an unconditional acceptance of their privacy terms – which one can’t discuss nor amend: either you are in entirely, blindly, either, well, good luck with your endeavours. But this is a problem you will experience only if you care about what you agree to and sign online. As many people don’t read those privacy terms, it’s all fine…for businesses and their HR who bend the law and flee their social and corporate responsibilities and GDPR compliance. Now, if you take the time to read these privacy terms, quite a few of them, outside the fact of being moreover often poorly worded, will contain a short clause saying that your data may be transferred outside the EU, including to countries with lower data protection standards. This was even spotted on some blue-chip consultancies that, when you look at another page of their website, sell you world-class GDPR compliance advisory.

The above cases could be easily found by DPA / ICO investigators, should they wish to. It doesn’t need to lead to a fine: a reminder of the law and a delay to conform would suffice.

And we could bet that were the ICO fixing such irregularities with one big fish on the market, it wouldn’t take long for many others to quickly follow and align as it should, by themselves.

In this precise case, it appears the Schrems 2 decision could be a rather needed reminder, although GDPR article 3 already mentions it with very relative consistency, though, as we show it in a previous blog, for this case not to have to go that far. Interestingly, the Irish ICO rejected Mr Schrems’ complaint against FACEBOOK on that ground too while its powers and remit allow various moves.

---

Not enforcing the existing GDPR law by the Irish ICO allowed the case to go further at the ECJ level, and eventually hit the U.S. PrivacyShield without ‘killing’ any of the two related birds, FACEBOOK and the Irish ICO.

---

FACEBOOK, a now-notorious serial data breacher as it appears in news and judgments released so far, appeared however benefitting from an uncanny EU’s complacency a few months ago when its CEO, Mr Zuckerberg got ‘grilled’ by the EU on 23rd May 2018, the reader might remember.

As the Independent newspaper put it, “An opening statement by Mr Zuckerberg was followed by a long succession of meandering questions to the tech boss by MEPs – with the social network founder then given 15 minutes to answer questions at the end as he chose, with no right to follow-up for the questioners.”.

If the EU was so attached to the respect of its GDPR legislation by US companies, one can strongly believe a unique and very easy opportunity was missed, and not addressed until this Schrems 2 decision, which impact and consequences appear reaching farther than the initial issue.

Not enforcing the existing GDPR law by the Irish ICO allowed the case to go further at the ECJ level, and eventually hit the U.S. PrivacyShield without, however, ‘killing’ any of the two related birds, FACEBOOK and the Irish ICO.

Indeed, neither of both main protagonists, i.e. FACEBOOK or the Irish ICO, was impacted by this decision, but the U.S. Government and its commitment to national (and international) security, as their law wouldn’t be “adequate” with GDPR.

We regret that no helpful definition of ‘adequate’ could be found in the ECJ’s decision. For businesses willing to adapt their current privacy terms with this ECJ decision, it will be a certain intellectual and legal challenge. Indeed, as the common Privacy Shield framework was broken by the unilateral withdrawal by the EU, businesses will be left with contractual instruments to agree upon and implement ‘adequate’ data protection outside the EU. This will lead to a fragmentation of GDPR understandings regarding the international transfer of personal data and its implementations across hundreds of thousands if not millions of businesses, raising more issues at both levels of relative individual perceived ‘adequacy’ and compliance with GDPR. Still, the Court did not invalidate the European Commission’s decision on standard contractual clauses (SCC) regarding the transfers to data processors (SCC-C2P or -C2C for Controler-to-Processors and Controler-to-Controler respectively).

There are still possible choices between Standard Contractual Clauses (SCC, Binding Corporate Rules (BCR), Users consent, Legitimate Interest and a Contract, but this is far to be something made easier with this decision and will require impact assessments to be re-done or adapted, to say it in a nutshell.

Please keep in mind that as the UK should leave the UK by 31 December 2020, what will become from current data protection standards will depend on the outcomes of current negotiations (progress report: Parliament website and EU Commission), and the content of the Brexit Deal, but also new projects being under consideration or rolled out by 10 Downing Street (here for some of Mr Cummings’ views on fundamental rights and GDPR, National Data Strategy, here for instance, but most of what it will really be in the end is not known at this moment).

More GDPR order and discipline coming soon is doubtful, while more data privacy anarchy can’t be the intention of the ECJ, can it?

We can imagine, however, that the U.S. Department and many businesses complying fairly with what can resort sometimes as GDPR-swamps will only get more confused by this move, where the EU institution that has, through some of its national ICOs, such an erratic application and enforcement of its own legislation/regulation, takes such a bold move having for consequence a meddling-by-the-side with a foreign state’s internal order and affairs while leaving untouched, as we said earlier, the two main implicated organisations: FACEBOOK (which European HQ is in Ireland), and the Irish ICO. 

Your thoughts are very welcome. Thanks for reading.

---

Direct access to mentioned articles and references in this post:

1) Advocate General’s Opinion in Case C-311/18  |  Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems

2) Letter from Deputy Assistant Secretary James Sullivan on the Schrems II Decision  |  U.S. Department of Commerce

3) Case brought by the Irish Council for Civil Liberties (proven case of electoral influence, profiling of people with AIDS and cancer, and a list of 968 companies that Google sends information to about the private things that we do and watch online)

4) Facebook boss, Mark Zuckerberg, escapes embarrassing questions thanks to the EU’s offered grilling’s format of allowing him to answer all MEP’s questions in one go within c. 15 minutes, and no follow-up from questioners.

5) Independent, 23rd May 2019  |  “Mark Zuckerberg let off the hook by shambolic European Parliament grilling”

6) Updated UK’s ICO statement on the judgment of the European Court of Justice in the Schrems II case.

7) ECJ, JUDGMENT OF THE COURT (Grand Chamber), 16 July 2020  | In Case C‑311/18, REQUEST for a preliminary ruling under Article 267 TFEU from the High Court (Ireland), made by decision of 4 May 2018, received at the Court on 9 May 2018, in the proceedings (known as Schrems 2) 

8) CJEU Schrems 2 Judgment, Grand Chamber, 6th October 2020, on InfoCURIA Case-law website.

Thank you for your time and interest.

Please join us by subscribing to our Blog. Posts are occasional and written as thoughts come.

Please leave your comment at the bottom of this page to continue the reflection on this post.

If you are looking for a reliable, independent professional consultancy to assist you in getting through the mist and the storm and cutting through an often artificial complexity, please do get in touch with us for an informal discussion, or write to contact @ reasonmakesense .com (please remove spaces)

Get in touch to discuss freely; reason will Make Sense, with you and for you.

---

A few words about Reason

Share this post

• Mail
• Twitter logo to @ReasonPraxis