Last month’s ruling by the Court of Justice of the European Union (CJEU), ripping up the EU-US Privacy Shield and sewing doubt over alternative mechanisms, has put a cat among the pigeons of international data transfers.
Eponymous privacy campaigner Max Schrems’ underlying complaint targeted the tech giant’s use of a data transfer tool known as Standard Contractual Clauses (SCCs). Thousands of businesses make use of SCCs to carry out EU to US transfers of personal data, sometimes in addition to the now defunct Privacy Shield framework. An earlier ruling by the CJEU — following another Schrems complaint which also drew on the 2013 Snowden disclosures of US government mass surveillance programs — struck down the prior transatlantic ‘Safe Harbor’ arrangement.
SCCs were an existing alternative for businesses to plug the gap then until Privacy Shield came into effect. But the CJEU ruling of no US adequacy with EU privacy standards casts doubt on their continued use for these transfers. Facebook was using SCCs in the Safe Harbor era. Now, in the wake of the CJEU decision, it’s said it’s moving its Privacy Shield transfers to SCCs. So the tech giant has no visible ‘plan B’ if it’s ordered to suspend these data flows too.
In Schrems’ views the only way Facebook will be able to comply with the CJEU ruling is if it splits its infrastructure into two. And while other types of companies — such as cloud storage providers — may already separate data by regions owing to factors like latency or even cost, Facebook’s business simply doesn’t operate like that. It’s designed to draws data to its center.
“Facebook is probably the most [susceptible] to all of this,” says Schrems, discussing the ramifications of the CJEU ruling in an interview with TechCrunch. “For Facebook it’s really, really complicated as a company to comply with any of this.”
“There are parts that are necessary data transfers, and [Facebook] can continue to do that. So basically the message that I sent to an American friend, stuff like that. But that’s only a small percentage,” he continues. “So I think technically the approach they’d have to do is basically split Facebook in two. And then kind of reconnect the necessary data transfers. So you’ve basically federated. A bit like Diaspora was always designed to be; a federated social network where you basically have different parts and what’s necessary is communicated and what’s not necessary is not communicated.”
“They’re not going to do that without heaven and hell moving onto them,” he adds. “I guess — especially for Facebook — that the problem is we kind of have a case where the consequences are so extreme the pushback is obviously as extreme as possible… They know that without fundamentally restructuring the whole system they will never be able to comply with any of this — so they don’t.”
Schrems points to what happened historically with SWIFT financial data exchanges as a comparable scenario — where the fix was to move backups from the US to Switzerland “so only the data that is international and US is actually stored in the US and all the other transfer data is kept in Belgium and Switzerland”. “So you separate your backups and your situations and so on,” he says, adding: “It’s a lot of engineering.”
At this point most of the big tech companies have data centers in Europe. While newer social video sharing app TikTok recently announced plans to establish one Ireland for EU users’ data. But Schrems reckons there’s no easy way for Facebook to unpick all its EU data flows.
We asked Facebook for details on its legal basis for continuing to use SCCs but the company did not engage with questions on the topic. Nor did it respond when we asked for clarity on any ‘plan B’ if it’s ordered to stop using SCCs.
Beyond a massive engineering headache for the company, Schrems doesn’t see huge legal significance in a federated version of Facebook’s service that holds EU users’ data in Europe. But he argues such a split would send an important message about the rule of law.
“The law doesn’t differentiate if the data is processed in Europe or in the US on having to be compliant with it… So I don’t really think we can probably gain much from it. To me it’s more of a general question of companies having to respect the law or just getting away with it, over and over again, without really complying. I don’t think [it would be a gain] for direct compliance — it’s probably more of a big message that you don’t get away with it that would be important to send,” he says.
Can SCCs still be used for US transfers?
In the clash between EU privacy rights and US surveillance law, Europe’s highest court has made it clear it isn’t budging. At the same time, lawyers all over the region are busy grappling with the apparent contradiction of the CJEU finding US surveillance practices fatal to Privacy Shield yet not putting an indelible blocker on SCCs for data transfers over the pond. This other long-standing transfer mechanism — sometimes also referred to as ‘model clauses’ — could have been struck down too but wasn’t. So the court left the door ajar.
Law firms have seized on that to shape strategies for businesses to proceed using SCCs for US data transfers in a way that minimizes their risk — via performing detailed risk assessments and/or applying ‘special measures’, where possible. Given the rich seam of paid advice opportunities opening up it’s not hard to find European lawyers who believe SCCs can be made to work for some data controllers who want to continue (or start) bulk processing EU users’ data in the US.
This advice boils down to handling all of the associated bureaucracy around performing risk assessments over a particular data transfer and whether/how it falls under US surveillance law; for some it may also mean investigating technical and operational solutions, such as whether data could be encrypted in transit and the keys held by a EU entity that’s not subject to US law; and perhaps seeing whether policies can be applied and contractual language beefed up so that a US receiving entity which gets a law enforcement request for data is obliged to take steps to make sure there’s a real legal compulsion underpinning it.
In a public discussion on the topic hosted by the International Association of Privacy Professionals last month, Hogan Lovells partner, Eduardo Ustaran — one of the more bullish voices touting the ongoing value of SCCs for US transfers — made the case for building policy protections into contracts to require a level of push back and interrogation of US government agency requests for data.
“When the court talked about additional safeguards and making up for the lack of protection in the regime of the recipients… they’re talking about precisely that: Having that legal process in place — a contractual obligation — to question that request. And you will probably find that if that is in place only a very, very, very small minority of cases will lead to something that is a true conflict where the prohibition of data really needs to be given,” he argued.
“Even in that case, one needs to question whether that is actually within the parameters of what European law provides. Or outside those parameters. Because, again, what the court didn’t say was that all access to data is unlawful; it’s the one that’s not necessary, it’s disproportionate. So that’s what you need to get at. And that’s what we’re saying. I think there is definitely room for manoeuvre in that contractual document for the parties to that document to agree to what level of scrutiny they’re going to undertake when one of them receives a request.”
In the same discussion, Fieldfisher privacy, security and information partner, Renzo Marchini, suggested some data controllers may be able to determine they do not have any risk of European standards not being met for their particular data transfer.
“For some vanilla transfers there might simply be no risks,” he posited. “They might be outside of FISA [the Foreign Intelligence Surveillance Act] and so on. And you only get to additional safeguards, additional measures if you conclude that you need to do something more — and the court has allowed you to do something more.”
“They haven’t said what that’s got to be,” he added. “I hope the EDPB [European Data Protection Board] will give some certainty here and tell us what those things are.”
The lack of judicial redress linked to US surveillance law is a stickier problem, though. One Marchini accepted can’t be fixed with any amount of contractual spit and polish — and which, for businesses subject to FISA, will carry through as what he couched as “residual risk”.
“That simply goes to the risk assessment that’s carried out beforehand,” he said when pressed on that point. “So if you’re at risk and you can’t fix it technically, operationally, then you’re left with the residual risk that you haven’t fulfilled essential equivalence. There’s no way of avoiding that, I think. You’re not going to fix that gap in US law which the court found either… There’s a lack of judicial redress under FISA 702; you can’t fix it, but you might be able to conclude you’re not at risk under FISA 702.”
In Facebook’s case, there’s no plausible dispute the company falls under US surveillance laws — which means its wiggle room in the face of Schrems II is minimal. And so suddenly the company throwing all its eggs into the SCCs’ basket in the hopes that Europe’s regulators will ignore the CJEU’s instruction to step in looks high risk.
“One of the holdings of the Court of Justice was there is simply no legal redress whatsoever as a foreigner,” notes Schrems, adding: “I’ve had calls with people from industry and they said we know that we actually don’t have a legal basis but we just hope they’re going to be reasonable and not enforce it. Which is basically saying you’re working illegally and you hope the law doesn’t apply to you.”
“We’re now asking different companies and most of them say we don’t really know the legal basis — we’re waiting for guidance,” he adds. “The reality is the vast majority of them is simply now working illegally. Google and Microsoft and even Facebook put out ‘oh we’re still using SCCs because we read the judgement differently’.”
In another example, the IAB Europe suggests in an Q&A on the CJEU ruling that worried advertisers “seek guidance from your lead supervisory authority” — and then immediately suggests DPAs “may give leniency towards data transfers that took place under the Privacy Shield due to the sudden nature of this change in the law”. Although, on SCCs, the ad industry body is more circumspect, writing that compliance is now determined on a case-by-case basis and “will depend on the companies sending and receiving the personal data, the regulator in the target country, and the types of personal data”.
“To be honest I’m not super enthusiastic about data transfers because we have so many other privacy problems there probably are bigger issues. But the reason why I’m really getting more and more excited about this case is it just shows the vast ignorance on any of these decisions,” adds Schrems. “If the Supreme Court of the EU says for the second time you can’t do that and they’re just saying ‘oh I guess the law doesn’t apply to us or is not going to be enforced anyways’.
“With the data transfers you kind of understand why it’s complicated and you can’t change it overnight. Even in the Facebook complaint I filed in 2015 — back then I said you know they should at least have an order where, within a certain time period, they should have to stop the data transfers than say you’ve got to stop it overnight because that’s not going to happen. But they could, theoretically, order them to stop the data transfers within a year, for example. Which would give them enough time to actually comply with it.”
What happens next?
Individual EU regulators have generally been keeping their cards close to their chest since the CJEU ruling. And it remains to be seen what action Facebook’s lead supervisor, the Irish Data Protection Commission (DPC), will take as its next steps vis-a-vis Schrems’ seven-year-old complaint. All eyes are on Dublin.
More than two years since the application of Europe’s General Data Protection Regulation (GDPR), the regulator is no stranger to complaints that it needs to pick up the pace and get on with the job of enforcing major cross-border complaints against tech giants like Facebook. Though its counter argument to such criticism is that building robust cases that will stand up to legal challenge takes time.
In the meanwhile, guidance on the CJEU ruling put out by the EDPB emphasizes that international data transfers via SCC must be assessed on a case by case basis; and, if a data controller intends to keep using SCCs, it must inform the relevant EU supervisory authority — inviting scrutiny of these flows.
Combine that with the CJEU telling EU data protection agencies they have a duty to intervene and stop data transfers to places where they suspect people’s information is at risk and it’s hard to see how regulators can keep sitting on their hands in obvious cases involving FISA-subject entities.
One thing looks clear: The era of ‘tickbox’ data transfers to any international jurisdiction that lacks an EU data adequacy agreement is toast.
Taking that further, any third country that lacks a comprehensive data protection framework akin to GDPR probably isn’t going to be able to sustain ‘seamless’ access to the European market for long, if at all — which means, yes, the US; but also China, India, and so on (a post-Brexit UK also looks dicey on the adequacy front given its penchant for surveillance overreach; though some of that has already been dialled back via the courts).
And even though there are now noises on both sides of the Atlantic about cooking up a ‘Privacy Shield 2‘, barring enlightened reform of US surveillance law — or the impossible flip-side of Europe tearing up its charter of fundamental rights — any such respawned instrument would soon follow its predecessors into legal history.
As we said last month, all this sums to a lot more work for lawyers. And right on cue law firms are talking up contractual risk reduction strategies to sell concerned data controllers a way forward.
Cash-strapped regulators are also going to find more work piled on their plates now they have unequivocal instruction not to look the other way at lawbreaking data transfer ‘business as usual’.
Pressure is being applied to regulators by EU lawmakers too who want to see more joint working to ensure harmonious application of major rulings across the bloc’s patchwork of data authorities. Businesses need clarity, is the common refrain. And the role of the EDPB — whose current duties include issuing guidance and promoting pan-EU cooperation and consistency of regulatory application — looks set to become increasingly pivotal as more of these cross-border cases and pinch-points flare up.
The EDPB will need to take on more of a leadership, decision-making role vs its customary talking shop, per Schrems. “They will have to become a proper legal entity that does proper legal decisions because they will be tested in court,” he argues. “So far they got away with more political statements and so on. In both directions. There’s some things that they put out that are just going way too far, which the GDPR does not provide for. And there are other things where they’re miles away from the basics of what the GDPR says. [Their output] will have to become more like a proper legal analysis — that says this is what you have to do now.”
Unsurprisingly, for a privacy activist who’s been petitioning regulators to uphold his fundamental rights for so many years — and now with two adequacy-crushing CJEU rulings that bear his name — Schrems expresses plenty of frustration at the DPAs’ performance to date.
After so much time and legal energy it’s amazing to think his original complaint against Facebook’s use of SCCs is still unresolved. And that’s just one of many he’s filed, having spun up noyb: A not-for-profit European digital rights group dedicated to strategic litigation to defend privacy.
“The other problem is that that the authorities locally then also have to enforce [EDPB guidance] because there’s still a lot of talk,” he says. “We have decisions that, I can’t name them publicly — but we have ‘in between’ decision from the Irish DPC where they literally say yeah that’s what the EDPB says but we have a different view and we’re just going to decide the opposite way. And they’re not technically bound by these guidelines but if structurally they’re not upheld in Member States then, yeah, nothing’s going to happen.”
noyb also has pending cases that have been sitting with DPAs for as much as 1.5 years without a key authority providing feedback — because “they simply don’t talk to each other”.
“I mean just in daily practice. We have cases that are pending — like the forced consent stuff — where the Germans said they now called them every month in Ireland and there’s simply no answer,” he adds. “And so it’s not working on such a childish, basic level.
“So the problem that we’re having is this whole cooperation system is just so fundamentally not working. It could work if everybody tries to pull in the same direction. But right now they are rather all pulling in different directions.”
What does Schrems believe will happen with his Facebook SCCs complaint now the CJEU has finally weighed in?
“I have no clue to be honest. We’re now planning to do more and more turning up the heat a bit,” he says, nodding to the 101 complaints just filed by noyb against the use of SCCs for Facebook Connect and Google Analytics data transfers. “Fundamentally it’s a question of whether the data protection authorities take themselves seriously or if they continue to be like ‘FAQs’ that are just like ‘blah, blah, we don’t really tell you anything’. And which of the DPAs are going to start to take some enforcement measures.”
“People complain about the US a lot and US companies not being compliant with EU law… But the reality is we’re simply not enforcing these laws. And it’s a fundamental European problem that we don’t do that,” he adds. “I’m usually joking in Austria; one Google penalty would buy us up to four high speed rail tunnels through the Alps!”
There has been one Google penalty since the GDPR began being applied in May 2018 — levied by France’s CNIL in early 2019. But Schrems argues the €50M fine was woefully low, pointing out Austria slapped a larger penalty on its postal service (€80M) for trying to calculate people’s political interests based on their location and age in order to run a direct mailing service. And it’s clear Google’s behavioral ad-targeting personal-data-sink goes a lot deeper than a spreadsheet to sell direct mailing.
“If you never really enforce the law, if you never really put out a penalty, if the maximum penalty even from the CNIL was €50M — which was nothing — then there’s no reason to wonder why [tech giants] don’t comply,” adds Schrems.
The Irish DPC has also sought to package product launch delays as annual-report-worthy enforcement wins. But Schrems argues such stuff “fundamentally underestimates their power”. He also notes that noyb has instigated legal action against the DPC “for being inactive”, as he puts it.
“They’re oftentimes more happy to write a press release than to actually take the law and take the options that they have on the law and go for it,” Schrems adds, discussing the problem of EU DPAs generally not feeling willing or able to enforce. “That’s the reason why we’ve tried to push them with these complaints, the 101 complaints. Basically they can’t say that they haven’t a case on their table anymore.”
He likens the impact on Europeans’ fundamental rights of so much regulatory inaction as akin to having the right to vote but without access to a polling station most of the time.
“That’s a bit of how we do privacy,” he suggests. “And that’s a part of what we’re trying to do at noyb; just dig into that and just see, you know, there is a law, you breached it, now you pay for it. Because unless we actually push for that structurally, and bit by bit, we’re just going to be in this endless debate about privacy for the next 30, 40 years.
“I’m always telling myself it’s a bit normal because when we had the first time that we talked about workers’ rights — it still is a 100+ years ongoing debate about actually getting paid what your collective, bargaining agreement says. It’s not like any of these problems are done tomorrow or done forever but here the gap between reality and law is just so huge — and even huge companies just fundamentally do not comply — and that’s a bit exceptional. Because in other areas they at least pretend to comply. Or somehow comply if they’re a larger company with some reputation.”
Of course even massive financial penalties can amount to a parking ticket for tech giants. Witness Facebook’s smiles-all-round $5BN FTC settlement. Or Google’s $5BN antitrust fine for a still dominant Android OS. But Schrems’ point is you have to actually have functioning institutions issuing penalties to stand any chance of tackling such massive rights asymmetries. And, well, a law that’s not enforced is like a footpath no one walks; soon enough there’s weeds growing over it and pretty quickly you couldn’t even walk it if you tried.
“We’re not going to police the world by having a DPA behind each bush and ogling each click that everybody does. But if they, in general, have an enforcement pressure that companies have the feeling that ok if I don’t comply, bit by bit, I’m going to get caught for something… It’s a bit like with traffic,” says Schrems. “You know I’m not a fan of having a speeding camera around every corner but if once in a while you get a speeding ticket you kind of realize that going 160 on an autobahn is not a good idea and it generally keeps people to drive at 140 if 130 is legal. It keeps it somehow at a format that is somehow acceptable — and that’s totally missing in the privacy world.”
For now, the enforcement gap is being challenged by not-for-profits like noyb. It’s also increasingly viewed as an opportunity by class action style litigation funders — hoping to profit off of population-scale damages even if regulators won’t.
Schrems says noyb has managed to attract a crowdfunded annual budget of around €600k-€700k at this point — “all donated money for doing the job that regulators are actually paid to do” — although he’s recently been running ads on social media to try to get it to full target funding. “Technically noyb shouldn’t exist,” he jokes.
Clearly, though, Schrems has tapped into an appetite among Europeans for someone to champion their rights.
After years of regulatory inaction that has allowed data-mining giants to exploit people’s privacy without any meaningful consequences — sewing up the attention economic in the process — there’s a vacancy for privacy heroes to tackle the sorts of abuses Schrems and his team are worried about. Problems regulators have failed historically to act on, and which Europeans are still waiting for action on. (A two-year Commission review of GDPR in June acknowledged a lack of uniformly vigorous enforcement.)
“Right now we’re looking into a lot of the data brokers on the advertisement stuff,” says Schrems, when asked about his biggest privacy concern. “What’s kind of interesting in some countries — not all — the credit ranking agencies and what they do and why they think they can have data on every European and their financial situation without ever having consent or anything. So there’s tonnes of stuff that we’re looking on right now. I’m luckily not involved in all of it at the same time anymore.”