For data-centric businesses such as Facebook, the new Schrems privacy case in Europe (dubbed “Schrems II” for its similarity to an earlier legal challenge mounted by Austrian lawyer Max Schrems) could have far-reaching implications for how they conduct business. At stake is the ability of global corporations to carry out cross-border data transfers. If the European Court of Justice decides to declare the two most popular cross-border data transfer mechanisms invalid, corporations might be exposed to extensive legal and regulatory risk under the European General Data Protection Regulation (GDPR). In a worst-case scenario, global trade and global data flows might ground to a halt.
Inside the Schrems legal challenge
At the center of it all is Austrian lawyer Max Schrems, who has been a thorn in the side of Silicon Valley tech giants dating back to 2013. That’s when news of widespread U.S. surveillance activities became widely publicized as a result of the revelations of NSA contractor Edward Snowden. In response to concerns about U.S intelligence agencies snooping on the data of EU citizens, Max Schrems asked the Irish Data Protection Commission (DPC) to stop Facebook Ireland from carrying out cross-border data transfers. From its origin with the Irish DPC, the case eventually landed up at the European Court of Justice, which was called upon to strike down the Safe Harbor provisions that governed EU-U.S. data transfers at the time. In a shocking court ruling in 2015, the top court of the European Commission found the Safe Harbor framework to be in violation of the right to privacy of European citizens.
Without the Safe Harbor provisions, cross-border data transfers became problematic, to say the least. So the United States and EU hastily scrambled and put together the Privacy Shield in February 2016 in an effort to guarantee the privacy of cross-border data transfers. But even this updated, revamped and very cleverly worded Privacy Shield might not be able to guarantee the privacy of EU citizens, due to the widespread and ubiquitous nature of the mass surveillance programs of the U.S. government.
Which brings us to where we are today – Schrems once again reached out to the Irish Data Protection Commission to strike down the new Privacy Shield. In addition, he asked the data protection authorities to look at the Standard Contractual Clauses that make cross-border data transfers possible for companies like Facebook. And, just like in the first Schrems case, the Irish data protection authorities punted on a final resolution of the case and passed it upstream to the High Court in Ireland, which, in turn, passed it along to the Luxembourg-based European Court of Justice. This helps to explain, in large measure, why so many people are referring to this case as “Schrems II” or “Schrems 2.0” – it’s almost a carbon copy of what happened just a few years earlier.
Cross-border data transfers, global trade and the digital economy
From the perspective of companies around the world, what makes the “Schrems II” case so risky is the fact that the European Court of Justice seems ready and willing to strike down the Privacy Shield and Standard Contractual Clauses – just as they struck down the first Safe Harbor provisions for cross-border data transfers. Without either of these two mechanisms for cross-border data transfers, companies would no longer be able to transfer data worldwide. Any time data passes outside of the European Union, companies would theoretically be in violation of the GDPR. As a result, they might be at substantial risk of fines, penalties and a lot of negative attention.
It’s perhaps no surprise, then, that lawyers from Facebook are making a big fuss about the Schrems II case. They are warning that striking down these two mechanisms for cross-border data transfers would cripple global trade, bring the digital economy to a screeching halt, and force companies like Facebook to give up any hope of transferring data between the U.S. and Europe. As one Facebook lawyer pointed out, the impact on global trade would be “immense,” potentially impacting thousands of corporations around the globe.
Even Max Schrems admits that things have started to spiral out of control: while he certainly hoped to cripple Facebook’s ability to do business, he had no intention of crippling the entire digital economy. As Schrems himself has noted, there is really no issue with Standard Contractual Clauses, which have been designed and approved by the European Commission. The major concern of Schrems is the EU-U.S. Privacy Shield, which is basically a thinly-veiled replica of Safe Harbor, with lots of wiggle room for companies like Facebook to “self-certify” that they are not in violation of data protection laws and that they are doing everything possible to protect the data of EU citizens.
The path forward for cross-border data transfers
But these days, who really believes any company that is self-certifying or self-regulating? Especially in the case of Facebook – does anyone really believe that Facebook is taking special steps to protect EU-U.S. data transfers? The reality is that “data is the new oil,” and companies rely on data as their lifeblood and source of profitability. Take away their data, and it’s the same as depriving a car of oil, or a power plant of fuel. In short, it becomes impossible to do business.
By the end of 2019, the European Court of Justice should be ready to issue a non-binding opinion on both Privacy Shield and Standard Contractual Clauses. However, a final decision will probably not be ready until early 2020. That leaves about six months for data-centric companies like Facebook to prepare for what comes next. In a worst-case scenario, of course, Facebook would no longer be able to carry out cross-border data transfers – and neither would any other corporation. Thus, a long trail of events that started back in 2013 looks like it will finally come to a much-anticipated conclusion seven years later. In 2020, we will learn if the digital economy can hold up without a suitable framework for cross-border data transfers, and whether corporate lawyers can devise another clever framework along the lines of Privacy Shield that will hold up under strict legal review.