On Tuesday, 9 and Wednesday 10 of July 2019, a very important case for the protection of personal data was heard before the Grand Chamber of the European Court of Justice in Luxembourg.

The case is known as “Schrems II”, having received the name of plaintiff Max Schrems. Max Schrems is the founder of one of Europe’s largest digital rights organizations, NOYB-European Center for Digital Rights, based in Vienna, Austria. This is not the first time a case is heard by the European Court of Justice with Mr Schrems. In the case of Schrems I (C-362/14), the Court of Justice found that the US Safe Harbor Transfers of Personal Data did not provide an adequate level of security. Consequently, data transfers under this regime was illegal.

In response to this decision, the European Commission, in cooperation with the US government, has created a new framework for data transfer between the EU and the US. This box was called “Privacy Shield”.

Mr Schrems again turned against the Privacy Shield, arguing that this also does not provide a sufficient level of security for personal data transferred between the EU and the US.

Mr. Schrems makes statements to the media after the end of the case’s hearing

What are the main points of the case?

– Does the case concern all data transfers between the EU and the US?  No, it only concerns data transfers subject to “mass monitoring”. In most cases, there are simple ways to avoid mass surveillance and many productive sectors (banking, aviation, commerce) are not subject to such legislative framework. Mr Schrems’ complaint is related exclusively to Facebook, which, according to the documents published by Edward Snowden in 2013, contributes to the mass surveillance carried out by the US NSA, based on the PRISM program.

– Are all data transfers in the US problematic? No. Both US and EU law make it clear that there is a significant difference between the necessary transfers and unnecessary transfers, which are done for business purposes only (outsourcing).

– What does this mean? Can we continue sending emails to the US or buying air tickets? Of course! Article 49 of the General Data Protection Regulation (GDPR) provides for “exemptions” which allow all data transfers, for example, if they are necessary for the performance of a contract or if the user has explicitly consented to the transfer.

For example, an email must be sent to the US if the recipient is there but it is not necessary to send emails via the US if both the sender and the recipient are located in the EU simply because the server is in the US.

– So what kind of transfers should be stopped? Basically, the outsourcing should be ceased if such processing takes place in the EU or in other countries that provide a high level of protection for personal data.

Background of the case

The case focuses on a complaint by Max Schrems, a lawyer specialised in personal data protection against Facebook in 2013. Six years ago, Edward Snowden revealed that Facebook allows US intelligence services to access Europeans’ personal data under surveillance programs such as PRISM. The complaint seeks to stop EU-US Facebook data transfers.

So far, the Irish Data Protection Commissioner has not taken any concrete steps to stop these transfers.

First refusal and decision of the European Court of Justice on Safe Harbor

The case was first dismissed by the Irish Data Protection Commissioner (DPC) in 2013, then subjected to judicial review in Ireland and referred to the Court of Justice of the European Union. The CJEU ruled in 2015 that the so-called Safe Harbor agreement allowing the transfer of EU-US data was void and that the Irish Commissioner had to investigate the case, which he had initially refused.

Information on the use of “standard contractual clauses”

Surprisingly, the Irish Commissioner informed Mr Schrems in late 2015 that Facebook has in fact never been based on the Safe Harbor agreement which was canceled but was already based in 2013 on “standard contractual clauses” (another data transfer mechanism from EU to the US). This development made the first CJEU’s decision irrelevant to the case.

Second research and education

Mr Schrems adapted his complaint to the transfers made under “standard contractual clauses” and called for the termination of data transfers to Facebook USA, based on the argument that the company gives access to data to the US NSA. The Irish Commissioner’s investigation lasted only two months: from December 2015 to spring 2016.

Instead of deciding on the complaint, the Commissioner filed a lawsuit against Facebook and Mr Schrems (both now charged) at the Irish Supreme Court in 2016, in order to put further questions to the CJEU. After more than six weeks of hearings mainly held in 2017, the Irish Supreme Court found that the US government is dealing with the “mass processing” of European citizens’ personal data and has submitted eleven questions to the CJEU for the second time in 2018. The CJEU is now called upon to answer these questions.

Next steps

The CJEU reported the case in case C-311/18 and a second hearing was held on 9 and 10 July 2019 – about six years after the filing of the original complaint. The decision is expected  to be issued before the end of the year. Following the CJEU’s decision, the Irish Commissioner will eventually have to decide on Mr Schrems’s complaint. The decision can again be contested by Facebook or Mr. Schrems.

Homo Digitalis is particularly happy, as Ms. Mariliza Baka, a member of our organization and trainee lawyer at noyb, is currently in the European Court of Justice in Luxembourg and is attending the case.

We will provide you with news on this important case.

The noyb team at the Court of Justice of the European Union. First from the right is Ms. Mariliza Baka