09 June 2016

Max Schrems' privacy campaign developments: latest update

Where does Max Schrems’ privacy campaign lead if Standard Contractual Clauses come under scrutiny and what happens to Privacy Shield now?

Privacy rights activist and Austrian student, Max Schrems, secured a game-changing declaration from the Court of Justice of the EU (CJEU) in October 2015, but he and his campaign group are clearly not satisfied with that. The declaration confirmed that the ‘safe harbour’ scheme could no longer be regarded as adequately protecting the data protection rights of individuals; indeed, some might suggest it never really had been.

The safe harbour scheme provided the basis on which US organisations could self-certify their ability to protect the privacy of individuals about whom they held personal data. Compliance with this scheme allowed EU-based organisations to transfer information to those self-certified US service providers without being in breach of data protection legislation. One of the key principles of data protection legislation is a restriction on transferring personal information outside the EU unless the country to which it is being transferred is able to offer “an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

So, after October 2015, if self-certification under safe harbour no longer provides that adequate level of protection, what can businesses rely on if data is going to pass from UK or EU-based businesses to US organisations or be hosted on US servers? The alternatives are generally based on a combination of:

  • consent from data subjects (not easy to get right);

  • use of something called ‘Binding Corporate Rules’ if the data transfer is between companies within the same group (only really available to multi-national organisations); or

  • entering into contracts which incorporate the EU-approved standard contractual clauses on data protection.

In the latest development, it was revealed on 25 May 2016 that these model or standard contractual clauses are now the subject of further action by the campaign group led by Schrems, Europe-v-facebook.org. Their campaign evolved from the Edward Snowden revelations about the extent of mass surveillance by US intelligence agencies. The basis on which US surveillance can override individual rights to privacy and the lack of an individual’s right to redress in such situations are the issues here. Whilst the US intelligence agencies continue to be able to access any personal information held by organisations in the US, Schrems argues, any of the current methods of adequately protecting individuals’ rights are fundamentally undermined.

The Irish Data Protection Commissioner confirmed on 25 May 2016 that it would be seeking:

“declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses”.

This next step isn’t necessarily surprising, particularly given the German Data Protection Authorities’ (DPAs) response to the safe harbour declaration. Within 10 days of that CJEU declaration in October 2015, the German DPAs refused to approve any further applications to use Binding Corporate Rules or data exporting agreements using the standard contractual clauses. One of those German DPAs confirmed on 6 June 2016 that it has already fined 3 businesses for continuing to rely on safe harbour after the October 2015 declaration, albeit that those fines were relatively modest in light of the businesses moving to alternative mechanisms. Any business which chose to rely on standard contractual clauses once the safe harbour approach became invalid in October 2015 has been in a continuing state of uncertainty about whether its data transfers to the US are in breach of data protection legislation.

Unfortunately, this development also brings back into question the already wobbly proposal for ‘Privacy Shield’, the hastily-assembled replacement for safe harbour, which is currently in limbo awaiting an adequacy confirmation. The European Data Protection Supervisor published on 30 May 2016 his opinion on Privacy Shield which raised concerns consistent with those published by the Article 29 Working Party in April 2016. The likelihood of the Article 31 Committee being in a position to confirm adoption of Privacy Shield by the end of June 2016 as planned is seeming more remote with each new development, particularly if a challenge by the Schrems group is what lies in wait.