Photo Credits: Atul Vinayak (Unsplash)
Ali Mesbahian is an IPilogue Writer and a 2L JD Candidate at Osgoode Hall Law School.
It is now an unfortunate truism that we are all subjects of perpetual surveillance. The legal infrastructure that sustains and enables this Orwellian dystopia is undoubtedly overwhelming and discouraging for those seeking change. But victories are also possible; the two Schrems cases, discussed below, are an example. Yet, these cases also point to the need for a more or less uniform legal order for data governance.
In 2015, Austrian law student and privacy activist Maximillian Schrems sued Facebook Ireland for what he alleged to be an unlawful transfer of data from Facebook Ireland to Facebook’s headquarters in the United States. Schrems claimed that the U.S. mass-surveillance program renders the country unable to provide an “adequate level of protection” of personal data (PD). The EU Data Protection Directive (95/46/EC) imposes this requirement on countries outside of the EU. While Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in order to meet this requirement, the U.S. negotiated the Safe Harbour Agreement with the EU: a self-certification scheme that allows U.S. organizations receiving information from the EU to attest that they adhere to EU data and human rights laws.
Schrems challenged the Safe Harbour Agreement, which had passed the muster of the European Commission (EC) in 2000. The EC is the executive branch of the EU that, among other things, “determines if a non-EU country has an adequate level of data protection.” However, following Edward Snowden’s revelations, there could be no doubt as to the “generalized basis” on which the U.S. government collects and stores citizens’ data, which the Court of Justice of the European Union (CJEU), Europe’s highest court, found to “[compromise] the essence of the fundamental right to respect for private life.” This decision, which came to be known as Schrems I, ultimately invalidated the Safe Harbour Agreement.
While the initial decision was a victory for Schrems, it later turned out that Facebook was not relying on the Safe Harbour Agreement, but on the Standard Contractual Clauses (SCCs). These clauses, also passed by the EC, “enabled data transfers where contractual arrangements could provide the ‘essentially equivalent’ protection to that under the EU Legal Order.” Compelled to revise his challenge in 2015, Schrems alleged that contractual arrangements in the U.S. legal regime cannot adequately protect PD because, among other things, U.S. law can order social media companies to provide such data to the U.S. National Security Agency (NSA) and the Federal Bureau of Investigation pursuant to s. 702 of the Foreign Intelligence Surveillance Act. In the meantime, following the invalidation of the Safe Harbour Agreement, the U.S. and the EU negotiated another self-certification scheme for U.S. companies called the Privacy Shield Agreement, which the EC declared adequate in 2016.
In the second Schrems decision, released in July 2020, the CJEU once again invalidated an EC adequacy decision, this time invalidating the Privacy Shield Agreement because it does not contemplate sufficient avenues for individuals to bring an action against the government for unlawful surveillance. The CJEU ultimately agreed with Schrems that the U.S. legal system, as a whole, does not provide “essentially equivalent” protection of data as EU law. Thus, while the CJEU in Schrems II held that SCCs may provide “effective mechanisms” for the protection of transferred PD pursuant to EU law, including the General Data Protection Regulation (GDPR) passed in 2018, it also emphasized that SCCs do not bind public authorities of data-receiving countries. In other words, the U.S. government is not a party to SCC contracts between data importers and individuals, leaving its vast surveillance apparatus unrestrained.
Implications of Schrems
Schrems II confirms the CJEU’s stance against mass-surveillance. But while a victory for privacy, the decision also creates a web of uncertainty; for now, “data controllers and exporters now face the very real dilemma of having to contract for the impossible—to form contracts under SCCs or article 46 of the GDPR, which protect the rights of the data subject despite the scope of the U.S. surveillance programs.” This impossibility has raised concerns in the health industry, of which “many kinds […] of research depend completely on the international exchange of PD.”
It is too soon to evaluate the implications of the Schrems II decision, given that the EC only released new Standard Contractual Clauses on June 4, 2021. These clauses incorporate many GDPR provisions into standardized contracts for the international transfer of data. With the invalidation of both the Safe Harbour Agreement and the Privacy Shield Agreement, we are left with the discrepancy between rigorous data protection laws in one jurisdiction (i.e., the EU) and a lax legal order with respect to surveillance in the other: a lack of coordination that significantly diminishes the benefits associated with international data flows.