Knowledge Centre

Court of Justice of European Union invalidates EU-US Privacy Shield


We are living in an increasingly globalised digital society, where personal data is the biggest asset of a person, legal or natural. Data is being touted as the new oil and there is horde of corporate activity flourishing this sphere. This has evoked strong policy responses and efforts are being made from all stakeholders to protect personal data against the risk of being compromised. Accordingly, many countries have enacted robust data protection laws, and some are in the process of deliberations and discussions. Recent developments in this area have catalysed the brewing of intricate legal issues and courts across jurisdictions are grappling with complex litigations.

One of the leading set of data protection laws is General Data Protection Regulation (GDPR) which has been enacted by the European Union (EU) and also forms the basis of the proposed data protection law of India which is currently pending approval of the Parliament. The effectiveness and success of GDPR lies in the stringent mechanisms for safeguarding the data, both within the EU and also overseas.

Facebook, a corporation whose legal woes do not seem to end has faced severe backlash for its lax handling of personal data of users. Notwithstanding that data is at the core of its genesis, it seems to have become its nemesis in recent times. It was in the eye of the storm once more in 2020 when transference of personal data by Facebook, Ireland to Facebook Inc. in the USA, on the strength of the Standard Contractual Clauses (SCC), was challenged by Mr. Schrems.

The recent blow came through a judgment passed by Court of Justice of the European Union, (CJEU), in the case of Data Protection Commissioner V. (1) Facebook Ireland Ltd., (2) Maxmillian Schrems (C311/18), popularly known as Schrems II, whereby, the EU-US Privacy Shield Framework has been declared invalid. However, the SCC which have been issued by the EU and deal with the transfer of personal data to the data processors situated overseas have been upheld.

The dispute is centrally based on a premise that the data protection regime of the USA is not as stringent and watertight as that of the EU and the data of EU citizens being transferred to the USA, was vulnerable to risk. This is because the USA does not have a policy of limiting the access to, and use of, the personal data by the concerned state officials by placing restrictions on the use of such data beyond intended purpose. On the contrary, the USA allows the unbridled collection of data, which is evidently inconsistent with the legal framework of the EU.

The seeds of this dispute were sown in the year 2014 when Mr. Schrems, who happens to be an Austrian activist, approached the Data Protection Commissioner (Ireland) against Facebook alleging that Facebook is transferring data to the USA and granting US authorities an unrestricted access to such personal data in a manner which is at variance with the data protection standards of the EU. Pursuant to the adjudication of the dispute, the CJEU, in the case which is commonly known as SchremsI, declared the Safe Harbor Framework as invalid. Safe Harbor Framework was the agreement between the USA and EU which governed the way American companies could deal with the personal data of EU citizens. The judgment in Schrems-I was also passed on the grounds of inadequate safeguards provided by the USA when it came to handling of personal data transferred from the EU.

After the invalidation of the Safe Harbor Framework, Facebook took a refuge in SCC to continue the transfer of data from the EU to the USA. In 2015, Mr. Schrems filed another complaint with the Data Protection Commissioner (Ireland). This time, he challenged the adequacy of SCC when it came to maintaining the sanctity of the data transferred from the EU to the USA. The case, once again, went up to the CJEU and, it was in July 2020, that CJEU upheld the validity of the SCC but declared the EU-US Privacy Shield as invalid.

 Interestingly, SCCs have been upheld by the CJEU on the pivot that they have been issued by the EU and generally tend to protect the data even after it goes outside the EU by providing privacy requirements which are similar to those in the EU. Apart from this, SCCs provides a possibility for analysing the privacy laws of the country where the data is being received and ensures that ff a state authority comes to a conclusion that the laws of the receiving State are not adequate for the protection of data or go beyond the limit required for the intended purpose, the flow of data to that State may be prohibited.

This judicial development is slated to send ripples across the IT Industry various jurisdictions. Although, SCCs have been upheld and the doors are not entirely closed, the IT companies must revamp their strategies when dealing with data flows from the EU. With Schrems-II, EU has, once again demonstrated that it holds the data of its citizens on the highest pedestal and the same cannot be dealt in a casual manner. Pursuant thereto, the corporations may have to formulate new policies to limit access to the data from EU to only that which is necessary for the intended transaction. This may also have considerable impact on Indian companies based in the USA or EU, as it is likely that they will be required to align their policies with the judgment. At the same time, the subsidiaries of American and EU companies operating in different countries, including India, also follow American and EU policies. As such, they too will be affected by this judgment. It is quite predictable that some commercial practices across the world will undergo some behavioural change when it comes to data flow from the EU.

While the resolve of the EU is appreciable and portrays the non-cavalier judicial attitude towards integrity and sanctity of personal data, the judgments in Schrems-I and Schrems-II have tacitly approved the questionable policies adopted by Facebook in the SCCs. However, one cannot overlook the fact that this judgment is likely to cause some operational and logistical problems for corporations if the flow of data is impeded or prohibited due to non-compliant policies. Looking forward, it is only with prompt policy response that the IT corporations and others dealing in data can tide over this pressing issues in the coming times.