Schrems 2.0, or the threat to data privacy contractual clauses (and not only)

23/08/2018

What is at stake in the Schrems 1.0 and 2.0 cases?

The Schrems 2.0 case which – just this April – gained impetus, concerns, first and foremost, an assessment of the compatibility with EU law of data privacy standard contractual clauses adopted by the European Commission in several decisions. In practice, these clauses are the most widely used data transfer instrument, allowing businesses to transfer personal data relatively freely from the European Economic Area to third countries, at the same time ensuring the necessary protection for the main stakeholders – EU citizens. The case itself is a continuation of the high-profile case initiated by Maximilian Schrems, which in autumn 2015 led to the “sinking” of the Safe Harbor programme, which allowed data to be transferred to US companies (Schrems 1.0). It was the result of the 2013 revelations of Edward Snowden, who exposed the practices of American special services related to accessing the data of Europeans processed by American technology giants such as Google or Facebook.

Questions about Commission decisions and more

Among the prejudicial questions referred to the Court of Justice of the European Union by the Irish High Court in the context of the Schrems 2.0 case, question 11 – the last of a long list – concerns the compatibility with the EU Charter of Fundamental Rights of three Commission decisions currently in force that introduce standard contractual clauses: two of which refer to transfers between data controllers and one to transfers of data to a processor in a third country. On the basis of the clauses annexed to the last of these decisions (Commission Decision 2010/87/EU) personal data are currently transferred from Facebook Ireland (the data controller for social network users in the EU) to the US company Facebook, Inc. (data processor from a third country, i.e. the USA). Other questions concern related issues of equal importance to the EU data transfer regulation.
For example, question 1 focuses on the application of EU law in this complex factual and legal situation: on the one hand, it is clear that the transfer operations between Facebook Ireland and Facebook, Inc. are of a commercial nature (thus falling under the provisions of EU Treaties and Directive 95/46 and now under the GDPR); on the other hand, the data transferred in this way to the US may be used by third country public authorities for national security purposes, such as combatting terrorism, and this does not fall within the scope of EU law, including Directive 95/46 and the GDPR.

Authors

Damian Karwala
Counsel
Warsaw