Latest developments in the long-running and crucial Schrems vs. Facebook GDPR privacy battle

Posted on Sep 17, 2020 by Glyn Moody

Back in July, this blog reported on a major victory for the privacy campaigner Max Schrems at the Court of Justice of the European Union, (CJEU). Following that win, the big question now is: what effects will it have on the handling of personal data by the Internet giants? A quick fix is unlikely, but the US and EU have already started discussions on “an enhanced EU-U.S. Privacy Shield framework to comply with the 16 July judgement of the Court of Justice of the European Union in the Schrems II case”. Another important move is the creation of a European Data Protection Board taskforce to consider how to apply the CJEU ruling (original press release in German), largely in response to Schrems’ recently-filed pan-European GDPR complaints.

Although the CJEU ruling is general in its applicability, Schrems’ main target has been Facebook, and in the last few days there have been some important developments in terms of the impact of the CJEU ruling on Facebook and transatlantic data transfers. Last week, the Wall Street Journal and Politico revealed that Ireland’s Data Protection Commission (DPC) has warned Facebook that it would have to stop sending the personal data of EU citizens to the US. However, as the indefatigable Schrems points out, there are some troubling aspects to the DPC’s move, which centers around Standard Contractual Clauses:

On 31 August 2020, the DPC informed us in a letter (PDF) that it will open a second case (independent from the complaints procedure that lead to the judgment of the CJEU) to investigate Facbeook’s reliance on the Standard Contractual Clauses (SCCs). At the same time, the DPC decided to pause the ongoing complaints procedure initiated by Mr Schrems seven years ago, despite being under an undertaking to the Irish High Court from 2015 to decide on the case swiftly. The DPC highlighted that this second investigation is strictly limited to Facebook’s use of SCC under Article 46(1) GDPR.

So, instead of responding to the complaint made by Schrems seven years ago – as ordered by the Irish High Court – the DPC will start an entirely new investigation into the SCCs that are an alternative to the now-defunct Privacy Shield. That seems to ignore everything that has happened in the last seven years, in order to pursue a wild goose chase based on the SCCs. That’s an odd move, since Facebook has now shifted its ground, and says that it no longer relies on SCCs to transfers personal data from the EU to the US. Schrems explains:

Facebook has indicated in a letter from 19 August 2020 (PDF, page 3) that (after the end of Safe Harbor, Privacy Shield and the SCCs) it is now relying on a fourth legal basis for data transfers: the alleged “necessity” to outsource processing to the US under the contract with its users (see Article 49(1)(b) GDPR). This means that any “preliminary order” or “second investigation” by the DPC on the SCCs alone will in fact not stop Facebook from arguing that its EU-US data transfers continue to be legal

Even if the DPC eventually decides that Facebook should not use SCCs, it will be irrelevant, because Facebook will simply point out that it no longer depends on them, and instead is relying on Article 49 of the GDPR. Since this has nothing to do with SCCs, the new DPC investigation is a waste of time and effort. Despite that fact, Facebook is trying to delay the new DPC case as much as possible. This week, the Irish High Court granted Facebook leave to file a Judicial Review against the DPC and “stayed” the new SCC investigation by the DPC into EU-US data flows. That is, everything is now on hold, albeit only temporarily. Schrems, for his part, is continuing to pursue his initial complaint about Facebook. He has announced that his organization NOYB is planning to seek an interlocutory injunction to ensure that the DPC takes action on all the alleged legal bases relied upon for data transfers by Facebook, rather than get sidetracked in this new investigation.

Aside from the interesting light it sheds on the DPC, which has failed to investigate Facebook properly for seven years, there is another crucial aspect here. Now that the original Safe Harbor scheme, and the subsequent Privacy Shield, have both been ruled as invalid, and the CJEU has placed important restrictions on how SCCs can be used, the focus is firmly on another legal basis for data transfers under the GDPR: the alleged “necessity” to outsource processing to the US under the contract with users.

It seems likely that many Internet companies will try to use this as the legal basis for sending data from the EU to the US. It may well be that we will see yet another Schrems court case decided at the CJEU that rules exactly what “necessity” means in this situation. If the top EU court decides that “necessity” must be strict and tightly-defined – that is, not just a general get-out for companies – the only remaining option will be data localization: keeping the personal data of EU citizens in the EU.

Featured image by Aoineko.