The Court of Justice of the European Union (CJEU) issued its anticipated judgement in the Schrems case, invalidating the EU-US Privacy Shield, which had been the mode of transferring data from the European Union (EU) to the United States (US). This judgement affirms the need to protect persons’ personal data and the right to privacy from state and private actors in transactions involving cross-border transfer of data.
The case involved an Austrian privacy advocate, Maximilian Schrems, deciding against transferring his personal data from Facebook Ireland to Facebook Inc. in the US due to concerns pertaining to the protection of his personal data. In 2015, the Schrems I judgement witnessed the dissolution of the Safe Harbour Arrangement, which was the predecessor of the Shield. The initial complaint was filed in 2013 after the Snowden revelations regarding the US mass surveillance regime. The revelations were a significant breakthrough in the field of privacy rights across the world, leading citizens in the EU and US to question the data retention mechanisms of mega data processors like Facebook and Google. Following this, the EU devised a comprehensive data protection structure in the form of the General Data Protection Regulation (GDPR) in 2016.
GDPR requires third countries that act as potential recipients of data to be “data adequate” to receive data from the EU. Standard contractual clauses and binding corporate rules may also be used for such data transfers to preserve the rights of data subjects. In this context, the level of protection should be “essentially equivalent” to that in the EU. The inadequacy of protection owing to the interference of US public authorities with the fundamental rights of data subjects through the PRISM and UPSTREAM surveillance programmes played an important role in the invalidation of the EU-US Privacy Shield. These programmes are aligned with Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (EO 12333).
The problem with the US surveillance regime is that although it is claimed to be targeted at eradicating terrorism and potential threats to the country, it has been used for discriminatory profiling. Presidential Policy Directive (PPD-28) is another instrument for the President to exercise his exclusive powers to conduct surveillance programmes through the NSA and CIA arbitrarily. Although publicly defended by Barack Obama in 2014, research has shown that there exists considerable ambiguity in the functioning of the directive. The directive allows for the collection of bulk data of non-US persons. US citizens are, however, protected from bulk surveillance, thus making the disparity even more evident. The right of the US authorities to surveil the personal data of EU citizens is arguably a breach of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter).
Moreover, non-US citizens have no recourse as they cannot rely on the Fourth Amendment, which is considered to be the most important cause of action available to challenge unlawful surveillance in the US. The Judicial Redress Act was enacted in 2015 with an eye to broadening the ambit of judicial recourse granted to foreign citizens in the US Privacy Act. However, it has failed to address the situation effectively. The lack of clarity and confined scope of the Judicial Redress Act prevent non-citizens from enforcing actionable claims against the US government for the breach of privacy rights.
The developments in the field of data protection have been immense, and this only goes to prove that people have started realising the importance of their rights over personal data. However, questions revolve around the potential impact this judgement might have on the international trading partners of the US. Since the Privacy Shield has been invalidated, it would be interesting to see whether companies resort to binding corporate rules, which are considered to be a more expensive and time-consuming mechanism. Bilateral trade between the EU and the US will be affected by this judgement. Deliberations on an enhanced version of the EU-US Privacy Shield seem to be the only possible way to resolve the issue.