Personal data: the thunderstorm rumbles

Part one: international transfers of personal data

The Austrian activist Max Schrems was only a law student when his long fight to get Facebook to correctly apply European data protection legislation began. After being deeply impacted by Edward Snowden’s revelations about the NSA’s surveillance practices, he notably challenged in 2013 the possibility for the social network to export data to the United States.

In 2015, he won a victory with worldwide resonance before the Court of Justice of the European Union (CJEU). Until then, the United States was considered to offer an “adequate level of data protection” whenever an American entity importing information complied with the requirements of a U.S. Department of Commerce program called the “Safe Harbour”. The CJEU considered that the Commission underestimated the risks that the US anti-terrorism legislation posed to European data. It overturned the “adequacy finding”, calling into question the possibility for thousands of companies to send personal information across the Atlantic.

However, the United States has set up a replacement for the Safe Harbour programm, the “Privacy Shield”, which is supposed to guarantee the rights of European citizens more effectively. Max Shrems, who in the meantime founded the very active None of Your Business (NOYB) association, filed a new appeal. The CJEU ruled in the summer of 2020 in a “Schrems 2” decision. It found that the Foreign Intelligence Service Act and Executive Order 12333 did not provide a sufficiently tight framework for American surveillance programs (§184), and once again overturned the Commission’s decision on adequacy.

In Switzerland, the Federal Data Protection and Information Commissioner conducted his annual review of the Swiss – US Privacy Shield agreement in September 2020 and in turn found that the “shield” does not offer adequate protection. He pointed out, however, that “there is no case law in Switzerland comparable to that of the above-mentioned CJEU ruling. The Swiss courts, relying on Art. 6 of the Swiss Federal Act on Data Protection, could come to the same conclusions regarding access to data by the American authorities as the CJEU under the GDPR, but this question remains open to this day”.

Europe, on the other hand, is rocking into the unknown. Admittedly, the General Data Protection Regulation provides that in the absence of adequacy decisions, transfers to a third country are nevertheless possible on the basis of “appropriate safeguards” (Article 46). In particular, it remains theoretically possible to use the “European Commission’s standard contractual clauses” (SCC), a set of stipulations that must be inserted in an agreement between the European data exporting entity and the foreign importing entity. But what can a simple “miniature GDPR” of a purely contractual nature, placed far down in the hierarchy of norms, do against overly powerful anti-terrorism legislation? “Nothing”, one is tempted to answer. The CJEU explains more soberly that it is for the data exporter-importer duo to consider, together, whether the protection conferred on data by the contractual instrument is sufficient (§141). Such a global audit of the legislations in question seems beyond the reach of many data controllers, who are supposed to succeed where the powerful services of the European Commission have failed. If the protection provided by the SCC appears too weak, they will have to resort to “additional measures”, the nature of which is hard to see, and if this is still not sufficient, it will be mandatory to suspend processing (§113).

It must be understood that transfers from the EU to the US are not the only ones threatened, according to this reasoning. The judgment reminds us once again that the Commission’s adequacy decisions are likely to be overturned by a European judge: this could be the case tomorrow for Argentina, New Zealand or Japan. But most third countries have not, at any time, benefited from a decision of adequacy. For them, most transfers take place on the basis of the SCC, which are incredibly weakened by the Schrems 2 decision. It is therefore Europe’s (and perhaps Switzerland’s) ability to circulate personal data on a global scale that is potentially compromised. Many international economic, social and cultural flows require the circulation of personal information.

This seemingly grotesque situation is actually logical. The CJEU is sufficiently independent to oblige the European Union to draw all the consequences of the data protection rules it has adopted. Cases in which the European Commission adopts an attitude tinged with political realism, a desire to preserve the economic interests of the Member States and diplomacy are approached by European courts solely from a legal standpoint. It is true that it made little sense to set a high level of data protection in the internal order, if the privacy of Europeans could then be compromised as soon as they crossed the borders of the Union: hence the strict rules governing exports. But then a stark reality emerges: not all countries in the world intend to follow the European model of data protection, or even to ensure sufficient compliance when handling data of Europeans. The rest of the story then appears to be at least as political as it is legal. Difficult negotiations are on the horizon, with the United States and many others.

In the meantime, the time will soon come for data protection authorities to order the first stops of transatlantic transfers, in the Facebook case and elsewhere. If they back down, they risk their credibility. If they take action, the general public will discover, in amazement, a dossier that seems to have no echo for the moment. The thunderstorm is rumbling, and lightning could strike soon.