Schrems vs Facebook: David seems to have defeated Goliath
Back in 2011
In 2011, Max Schrems realized that Facebook was adopting a far from list of bahamas whatsapp phone numbers correct interpretation of the law. He then asked to receive a copy of all the data that the social network had about him. Result? A 1,222-page file containing data that had been deleted from his account.
The complaint sent to the Irish data protection authority was deemed insufficient for the authority to react. It would take another two years before, following revelations about surveillance carried out by the NSA ( National Security Agency ), Facebook was once again singled out for its questionable data management.
Questioning Safe Harbor
Safe Harbor is an agreement signed in 2000 between the European Commission and the United States Department of Commerce that aims to regulate the transfer of data to the United States by guaranteeing "an adequate level of protection". New appeals were then filed with various data protection authorities. Complaints were filed against Apple and Facebook in Ireland, but also against Skype in Luxembourg and Yahoo in Germany. The complaint against Facebook went all the way to the Court of Justice of the European Union, which simply invalidated Safe Harbor.
This is the "Chernobyl moment of the privacy debate", to use Max Schrems' words. Indeed, following the CJEU's decision, there was no longer a framework agreement. This meant, de facto, the birth of a certain legal uncertainty for American companies. As a result, the European Parliament intensified the renegotiation of Safe Harbor, which had been in the works since 2014 to give rise to the well-known General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
And then?
One of the principles of the GDPR is not to transfer personal data to a third country that does not offer the same level of protection. However, the GDPR provides that in certain cases the European Commission may take decisions to override this principle. This was notably the case during the implementation of Safe Harbord. The establishment of standard clauses is also a means of transferring data to a third country.
Much effort was made when this European Regulation was adopted, but the wording, which is too vague, still leaves a lot of room for interpretation. The problem of surveillance practices in the United States has not been resolved either. Succeeding Safe Harbor, the Privacy Shield, which came into force on 1 August 2016, does not provide a miracle solution against the indiscriminate collection of data; nor does it provide a miracle solution against the use made of it for the benefit of American espionage. Once again, the terms chosen are variable geometry and the imperatives of "national security" are all too often invoked to justify data collection and mass surveillance.
Legal decisions
In December 2019, the opinion of the Advocate General of the CJEU Saugmandsgaard Øe was therefore highly anticipated in the continuation of the Schrems VS. Facebook case. In this case, the question of the transfer of data and the protection of this data arises in the context of the relationship between Facebook Ireland and Facebook US. It is clear from the opinion of the Advocate General that the transfer of data outside the European Union based on standard contractual clauses is not unlawful in itself, provided that the data exporter is able to guarantee respect for the fundamental interests of European citizens. However, the Court ruled in a previous decision that this was not the case for the United States, as the latter does not offer protection measures similar to those in Europe.
The latest twists and turns
On Thursday, July 16, 2020, the CJEU ruled and annulled the Privacy Shield. The standard contractual clauses, for their part, remain valid in principle. It is nonetheless up to the data exporter to verify that the regulations of the country of destination of this data offer the same guarantees. In the Court's judgment, it considers that, since the standard contractual clauses could not really be applied and, ipso facto, the transferred data sufficiently protected, it is then up to the supervisory authorities to suspend or prohibit such a transfer. The Court therefore declared on the one hand that Facebook and similar companies could not hide behind such clauses and, on the other hand, that the supervisory authorities must play an active role and take concrete measures to enforce the GDPR. The Court also made clear that US serfdom laws are in contradiction with fundamental rights applicable within the European Union, thereby de facto preventing the United States from respecting the same guarantees.
Conclusions
It is therefore up to European companies using American suppliers to be aware of the impact that such a choice can have. For example, a company that uses SaaS software with a CRM hosted or managed in the United States can no longer simply display a standard contractual clause to justify its compliance with the GDPR. It is essential that these clauses can be respected in practice, which is all too rarely the case given the number of American companies that escape surveillance laws. All these companies that are subject to American surveillance laws cannot validly use the contractual option of standard clauses provided for by the GDPR since American legislation requires them to violate them. It is undeniably preferable for European companies to collaborate with companies that respect the same rules as them and that have the same values: those that advocate respect for privacy!
