America’s Tech Giants: It’s Back to the Drawing Board on European Data
9.10.2020
A Top Court Strikes Down the Privacy Shield
Following the recent landmark ruling of the top EU court, which struck down the mechanism that had been used by companies such as Google, Microsoft, and Facebook to collect EU personal data, Big Tech must find alternative ways to keep doing business in Europe.
The Transfer of EU Personal Data to the U.S.
European Union data protection legislation prohibits the transfer of personal data outside Europe unless the recipient country has been deemed by the European Commission, the EU’s executive body, to provide an adequate level of protection for the transferred personal data, or one of the alternative mechanisms set out in the legislation has been put in place. Since the United States has not received an adequacy decision from the European Commission (the only countries that have so far received one are Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay), U.S. organizations seeking to collect European personal data must choose one of the alternative mechanisms. The main alternative mechanisms are the inclusion in data transfer agreements of Standard Contractual Clauses (SCCs) established by the European Commission, Binding Corporate Rules (BCRs) adopted by the organization and approved by the competent data protection authority in the EU, and certification mechanisms that the European Commission deems adequate to enable data transfers under EU law.
The latter were first developed – limited to transfers to the U.S. – through the so-called Safe Harbor Privacy Principles, which regulated the way that U.S. companies could export and handle the personal data of European data subjects and were based on seven core principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Such principles were deemed adequate by the European Commission to protect personal data transfers to the U.S.
However, less than five years ago, the Court of Justice of the European Union (CJEU), the highest EU court in matters relating to the interpretation of EU law, invalidated the European Commission’s “Safe Harbor” Decision (Case C-362/14, Maximillian Schrems v. Data Protection Commissioner – “Schrems I”). The Safe Harbor was deemed unfit to ensure that the personal data received from Europe were sufficiently protected; therefore, a new framework needed to be negotiated in order to strengthen the safeguards for European individuals whose data are transferred to the U.S.
This framework was the Privacy Shield, under which about 5,000 U.S. organizations, including major companies such as Facebook, Google, and Microsoft, self-certified. The core principles of the Privacy Shield were substantially the same as those of the Safe Harbor regime. However, they added more specific obligations for companies that decided to self-certify (in particular with regard to Privacy Policy, onward transfers to controllers or sub-processors, data integrity and access, data subject’s enforcement ability, and regulatory oversight).
Nevertheless, in a landmark decision issued on July 16th (Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems – “Schrems II”), the CJEU ruled that the Privacy Shield is inadequate to assure a standard of protection “substantially equivalent” to that offered in Europe. In a decision that feels like déjà vu of October 6th, 2015, the day of the Safe Harbor invalidation, the Luxembourg Court held that the Privacy Shield does not include appropriate limitations to assure the protection of European personal data from access and use by U.S. public authorities on the basis of U.S. law. In fact, per the CJEU, U.S. surveillance programs are not limited to that which is strictly necessary and proportional, as is required under Article 52 of the Charter of Fundamental Rights of the European Union (the “Charter”), and the newly introduced Ombudsperson mechanism (i.e., an official within the U.S. Department of State who can take inquiries from European data subjects who are concerned about what happens to their personal data once in the United States) does not provide safeguards equivalent to those required by European law (in particular, an actionable judicial redress, as provided for under Art. 47 of the Charter), as the CJEU questions its independence and notes a lack of authority to make binding decisions on U.S. intelligence services. In other words, in a proud assertion of identity (or European data imperialism, as some call it)[1] the Court ruled that any European individual must be granted the same protections that she or he would enjoy in Europe, regardless of who collects her or his personal data and where.
What Now for U.S. Organizations?
On August 10th, the U.S. Department of Commerce and the European Commission issued a joint press statement informing that they had begun talks to “evaluate the potential” for a new EU-U.S. Privacy Shield.[2] While some call it papier-mâché, claiming that the only reliable measure to render EU-U.S. data transfers secure would be changes in U.S. privacy and surveillance law,[3] it is still too early to predict whether and when Privacy Shield 2.0 will be fashioned.
In the meantime, since the July ruling, tech giants such as Google and Amazon, which had self-certified under the Privacy Shield, are availing themselves of the SCCs.[4] As briefly stated above, the SCCs are a set of European Commission pre-approved terms that private parties can incorporate into their own agreements and, as with the Privacy Shield, constitute a commitment by private parties to follow certain standards in the handling of personal data. However, while the CJEU has upheld the SCCs’ validity, the Court has also found that whether they can constitute a lawful basis for the transfer of personal data to a jurisdiction without an adequacy decision depends on whether the recipient is in a jurisdiction that affords a “level of protection essentially equivalent” to that guaranteed in Europe. Significantly, this necessitates an assessment of any potential “access by the public authorities of that third country” by the data exporter. Such an evaluation is quite complex and delicate and implies further responsibility for platforms with the difficult dual status of hosting provider and data controller. Attributing this responsibility to the data exporter – a private party – is consistent with the current trend, fostered by the GDPR and CJEU, of making providers accountable for content disseminated online. (Significant private power accrues with significant – and public-like – duties.) With specific regard to the U.S., since the EU had previously ruled that the country does not offer an adequate level of protection, due mainly to the broad scope of U.S. surveillance programs, transfers based on the SCCs will be difficult, if not impossible, to justify, and U.S. organizations might have to turn to different mechanisms. 
One of these mechanisms is the BCRs: data protection policies drafted by the organization and approved by the competent EU data protection authority, which must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers, and which must be legally binding and enforceable. However, since U.S. law would have primacy over this tool as well, the Court’s SCCs assessment also applies in the context of BCRs, and U.S. surveillance programs will make it hard for BCRs, too, to be deemed as ensuring a level of protection essentially equivalent to that in Europe.
The Luxembourg Court also asserted that whether or not one can transfer data on the basis of the SCCs or BCRs will depend on the supplementary measures one can put in place. While the CJEU highlighted that such measures would have to be determined on a case-by-case basis (taking into account all the circumstances of the transfer and following an assessment of the law of the third country), and that it is the responsibility of the data exporter to decide on such supplementary measures, the European Data Protection Board (EDPB) – an independent body whose purpose is to ensure consistent application of the GDPR and promote cooperation among the EU’s data protection authorities – has stated that it will provide more guidance.[5]
As the dimension of power is turning from “transcendent” to “immanent,” the Court’s decision implies that private negotiations do not offer sufficient protection to the right to privacy; hence, public-law safeguards need to be established as well. Data protection, mentioned in the Treaty of Nice as a fundamental right to freedom, cannot be confined to the private sphere, because it represents an integral part of the public discourse and the future of democracy.
The Extraterritorial Reach of the EU Data Protection Regime
The above considerations all stem from one principle: the applicability of European data protection law outside Europe. The CJEU has confirmed that EU standards of data protection must travel with the data when they go overseas. This is one of the most significant changes brought about by the GDPR compared to the previous framework.[6]
While criticisms have been raised about the extraterritoriality of EU data protection law[7] – specifically about the unilateral extension of the EU’s jurisdiction to non-EU businesses – one must consider that, not long ago, the processing of personal data seemed easy to understand: data controller, data processor, data subject, and all the means used for data processing operations were usually located in the same country, and so were subject to a single legal regime. However, jurisdiction based solely on the territoriality principle is becoming less self-evident in the digital age. The borderless domain of the internet requires a borderless application of the law.
Moreover, the unilateral extension of jurisdiction beyond a state’s borders is not a rare phenomenon and has been carried out by numerous countries. However, when doing so, jurisdictions, including the EU and its institutions, are bound by public international law.[8] The most authoritative outline of the sources of international law is Article 38 of the Statute of the International Court of Justice.[9] Under this article, the legitimacy of an extraterritorial claim may be assessed in light of “international conventions […] establishing rules expressly recognized by the contesting states; international custom, as evidence of a general practice accepted as law; (and) the general principles of law recognized by civilized nations […].” While no international convention or treaty is directly related to data protection, custom and the general principles of law recognized by the international community allow a better understanding of the public law that jurisdictions are bound by as far as data protection is concerned. The so-called “effects doctrine,” which has been recognized by the U.S. Supreme Court[10] and bases jurisdiction on the fact that conduct that took place outside the state has effects within the state, appears to be the international custom followed by the GDPR in its extension of the EU’s data protection jurisdiction. In fact, the focus is on the location of the potentially harmful effects rather than of the processing. It is worth mentioning that the GDPR applies regardless of the nationality or residence of the data subject (Recital 2). The decisive factor is instead the physical presence of the data subject within the territory of the European Union.
As a result, while the territorial scope of EU data protection laws is indeed expanded outside the EU, such laws protect not only EU citizens and residents, but any individual who is even temporarily visiting an EU Member State (and do not protect EU citizens and residents outside the EU), thus maintaining a territorial scope as far as the data subjects are concerned. Lastly, an assessment based on “general principles of law recognized by civilized nations” implies mapping the domestic laws of different countries and, more specifically, their respective jurisdictional scope. (Such an assessment is indicative of the degree of legitimacy, i.e. authority, of the GDPR.) Regarding data privacy, extraterritorial claims can be found, inter alia, in the Australian 1988 Privacy Act, the Singaporean Personal Data Protection Act of 2012, and the U.S. Children’s Online Privacy Protection Act of 1998. U.S. reference can also be made, outside the data protection field, to the Foreign Corrupt Practices Act, whose scope has been extended by the courts to issuers of securities on the U.S. markets, and even acts of bribery committed through the use of a U.S.-based email provider. Several countries, including the U.S., seem to have acknowledged the need to apply their rules outside their borders in certain cases. Therefore, the extraterritorial scope of EU data protection law cannot be considered an exception.
Davide Szép is a Data Protection Officer and Regulatory Compliance Officer in New York City. He writes on privacy and data protection in the U.S. and Europe.
[1] See Oskar Josef Gstrein, Right to be Forgotten: EU-ropean Data Imperialism, National Privilege, or Universal Human Right?, 1 Rev. of Eur. Admin. Law 125 (2020), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3530995.
[2] See Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders, Aug. 10, 2020, https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european.
[3] Section 702 of the Foreign Intelligence Surveillance Act allows for the mass collection of non-Americans’ personal data from big tech firms.
[4] See Google Cloud’s Commitment to EU International Data Transfers and the CJEU Ruling, Google Cloud, July 17, 2020, https://cloud.google.com/blog/products/identity-security/google-clouds-commitment-to-eu-international-data-transfers-and-the-cjeu-ruling, and EU-US Privacy Shield, Amazon Web Services, https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/?nc1=h_ls.
[5] See European Data Protection Board, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, July 23, 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf, n. 10.
[6] Such change is stated in Art. 3(2), GDPR, which can be considered “one of the more important ‘achievements’ of the reform.” See P. De Hert & M. Czerniawski, Expanding the EU Data Protection Scope Beyond Territory: Article 3 of the General Data Protection Regulation in its Wider Context, 238.
[7] See, inter alia, S. Bu-Pasha, Cross-Border Issues under EU Data Protection Law with Regards to Personal Data Protection, 26(3) Information & Communications Technology Law 213–228 (2017), and S. Lee, A Study on the Extraterritorial Application of the General Data Protection Regulation with a Focus on Computing (October 2018), available at SSRN, https://ssrn.com/abstract=3442428.
[8] See CJEU Case C-366/10, Air Transp. Ass’n of Am. and Others v. Sec’y of State for Energy and Climate Change, 2011, §101.
[9] D. J. B. Svantesson, The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses, 50 Stanford Journal of International Law 53, 76 (2014).
[10] See Strassheim v. Daily, 221 U.S. 280, 285 (1911).