CJEU – AG Opinion, First Statement
Data Protection Authorities must stop data transfers if Fundamental Rights are violated.
Serious doubts over Privacy Shield. Advocate General applies ECHR instead of CFR.
Schrems: “The opinion follows almost all of our arguments”
Max Schrems’ (chair of noyb.eu and party to the case) first reaction to the opinion of the Advocate General: “I am generally happy about the opinion of the Advocate General. The opinion is in line with our legal arguments. This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy. What is a problem is that the Advocate General is proposing a lower level of privacy protections for “national security” under the ECHR, not the EU’s Charter of Fundamental Rights.”
Serious Doubts over Privacy Shield. An issue that was partly touched on by the eleven questions of the Irish High Court was the role of the new EU-US data transfer agreement called “Privacy Shield”. Mr Schrems voiced serious concerns over the validity of the Privacy Shield, which are now echoed by the Advocate General. Schrems: “After the ‘Safe Harbor’ judgment the European Commission deliberately passed an invalid decision again – knowing that it will take two or three years until the Court will have a chance to invalidate it a second time. It will be very interesting to see if the Court will take this issue on board in the final decision or wait for another case to reach the court.”
Schrems: “I am also extremely happy that the AG has taken a clear view on the Privacy Shield Ombudsperson. A mere ‘postbox’ at the foreign ministry of the US cannot possibly replace a court, as required under the first judgement by the Court.” Given that the Ombudsperson is the central pillar of the “Privacy Shield” system, it is hard to see why the AG did not state the obvious: that the Privacy Shield does not sufficiently protect EU data and therefore must be invalid.
AG: DPC should do its job. For more than six years, Schrems and noyb have been trying to get the Irish Data Protection Commissioner (DPC) to take targeted steps against Facebook over the NSA spy scandal, but the DPC has found endless reasons not to enforce the law. Schrems: “The advocate general is now telling the Irish Data Protection Authority again to just do its job.”
It is very possible that the DPC would also have to pick up the legal bill for this whole case, which could be up to € 10 Mio. Schrems: “After all the Irish taxpayer may have to pay up to € 10 Mio in legal costs, for the DPC delaying this case in the interest of Facebook.”
Authorities have duty to act. Another very crucial element is that the Advocate General clarifies that Data Protection Authorities have a duty under the law to take action. Schrems: “At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints. This is a huge step for the enforcement of the GDPR.”
SCCs can stay. The Advocate General did not join the DPC’s view that the SCCs should be invalidated globally. All other parties to the procedure (including Mr Schrems) have not voiced any concern over the SCCs. The Advocate General explained to the DPC that the SCCs have a built-in so-called “pressure valve” (Article 4 SCCs) that allows the DPC to suspend data flows whenever there is a problem with US law. Schrems: “The opinion makes clear that the DPC has the solution to this case in her own hands: She can order Facebook to stop transfers tomorrow. Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself.”
AG applies non-EU privacy test. In Europe there are two bodies of fundamental rights: First, the European Convention on Human Rights (ECHR), which has been in force since 1953 and covers 47 countries, including all EU member states, but also Russia and Turkey. Second, the Charter of Fundamental Rights (CFR) from 2000, which only applies within the EU and generally guarantees a higher level of protection. The EU has not joined the ECHR. The AG now applies the much lower standard under the ECHR, despite the fact that the CJEU applied the Charter of Fundamental Rights in the first judgement on this case.
Schrems: “Surprisingly, the opinion is following the extremely surveillance friendly case law under the ECHR which the EU has not even joined, instead of the clear case law of the Court of Justice. This is against any logic and previous case law of the Court. The AG has previously maintained a more ‘relaxed’ approach on surveillance cases than the court. I am doubtful that the judges will join that view.”
No end to US-EU data clash. The case itself cannot overcome the deeper clash of EU and US law. Schrems: “In the long term I hope that the US legislator will come to realize that no foreign customer will trust US industry, if there are no solid privacy protections in the US. You can’t say ‘trust us with all your data, but actually you have no rights’.” The US has similar concerns over Chinese 5G hardware from Huawei or apps like TikTok.
Practical Impact: More privacy for EU consumers, massive issues for certain US businesses. If the Court follows today’s opinion to have a “targeted approach”, there would be no impact on most EU data transfers. EU data protection authorities may however stop transfers to US companies that fall under FISA 702 (“electronic communication service providers”). This includes companies like Facebook, Google, Microsoft, Amazon Web Services or Yahoo.
Schrems: “Everyone will still be able to have all necessary data flows with the US, like sending emails or booking a hotel in the US. Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws require these companies to disclose data to the NSA. This is also an economic problem for the US, because foreign revenue will go elsewhere. It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust US companies with their data.”
noyb.eu. The case is supported by the European non‑profit organization noyb.eu, of which Mr Schrems is also the honorary chair. noyb.eu is financed by more than 3,000 supporting members and works on strategic litigation to enforce the fundamental right to data protection in practice.
Legal Team. Mr Schrems has brought this case on a pro-bono basis and is supported by a team of lawyers from Ireland, the US and Luxembourg. Mr Schrems is represented by Eoin McCullhan, instructed by Ahern Rudden Quigley Solicitors. Prof. Herwig Hofmann supported the case on European Law matters. Ashley Gorski of the American Civil Liberties Union (ACLU.org) has assisted as an expert witness on US surveillance law.
+43 660 2678622; firstname.lastname@example.org
Ireland: Gerard Rudden, ARQ Solicitors (representing Mr Schrems)
+353 1 661 6102; email@example.com
On US law: Ashley Gorski, ACLU; firstname.lastname@example.org