The Schrems saga, going eight years strong, is only getting more consequential for data transfers. Here’s a recap of the latest ruling out of Ireland.
Setting the Stage, Raising the Stakes
The widening disparity in data protections between the EU and the US is spelling trouble for Facebook, and potentially for US businesses of all sizes. Late last week, the Irish High Court dismissed Facebook’s attempt to block Irish authorities from investigating their data EU-US transfers. The ruling does not halt the transfers overnight, but it is a consequential development in an ongoing story eight years in the making.
To make sense of the latest ruling, I have done my best to distill eight years and seven court cases into a brief recap. I wrap up with an eye to the future of data transfers, for Facebook and US businesses at large.
Meeting the Main Characters
The namesake of several landmark EU rulings, an Austrian lawyer who first submitted a complaint over Facebook’s data practices back in 2013, then as a law student.
Irish Data Protection Commissioner (DPC)
Ireland’s authority charged with implementing and enforcing data privacy regulations in the country, including the practices of Facebook Ireland Ltd., which serves Facebook users outside of the US and Canada.
European Union Court of Justice (CJEU)
Judicial body charged with interpreting and applying EU laws in member states, including EU-level acts like the Safe Harbor Agreement.
Irish High Court
A body distinct from the Irish Supreme Court, the Irish court which hears civil and criminal cases, including those from Schrems and Facebook.
A social media platform with an Ireland-based subsidiary, Facebook Ireland Ltd., of the US-based Facebook Inc., providing Facebook and Instagram to European countries. Facebook Ireland Ltd. is the Facebook entity directly involved in the formal legal proceedings discussed here.
Tracing the Backstory
To understand this month’s news, it’s important to get context on previous legal developments in the Schrems saga, starting back in 2013. To keep this summary relatively short and clear, I did not dive into the full procedures and details. For more context, the High Court’s full judgment offers a more in-depth description.
Schrems submitted a complaint in 2013, claiming that his data being sent to Facebook Inc in the US for processing violated the EU-US Safe Harbor Agreement, as his data in the US would be subject to greater surveillance. The Irish DPC dismissed Schrems’s complaint, so Schrems appealed to the Irish High Court, who referred to the CJEU for a ruling on EU-US Safe Harbor Agreement. The CJEU ruled the EU-US Safe Harbor Agreement as invalid, marking the “Schrems I” case of 2015. Still unresolved, however, was Schrems’s initial complaint.
In 2016, the EU and US created a replacement for the Safe Harbor Agreement, called the EU-US Privacy Shield.
A few months after the Schrems I decision, Schrems reframed his initial complaint to reflect the new landscape, one with the EU-US Safe Harbor Agreement invalidated. In 2016, Facebook presented the Irish DPC with the legal bases for its data transfers, including agreements called standard contractual clauses, or SCCs. While SCCs are widely viewed as commonplace among a variety of businesses conducting EU-US transfers, the Irish DPC contended that SCCs might violate EU law; the DPC turned to the High Court before the CJEU could make such a ruling. In 2018, the High Court ordered the CJEU’s input, a decision that Facebook unsuccessfully appealed before the Irish Supreme Court. That same year, the EU’s GDPR came into effect. In response to the High Court’s order and in light of the newly enacted GDPR, the CJEU upheld the validity of SCCs but invalidated the EU-US Privacy Shield, in the “Schrems II” decision of 2020. Still unresolved, however, was Schrems’s initial complaint.
Following the Schrems II decision, the Irish DPC started its own inquiry in August 2020, into whether Facebook violated EU law in transferring EU residents’ data to the US. Facebook raised several concerns regarding the grounds for this newly launched investigation. Schrems also took issue with the new investigation, but for a different reason: it could get in the way of resolving his own still-unresolved complaint. Facebook and Schrems filed separate reviews to the Irish High Court of the Irish DPC’s decision to begin its investigation. In early 2021, the DPC and Schrems reached a settlement in which Schrems’s initial complaint would be investigated, whether or not the DPC’s investigation into Facebook proceeds.
Congratulations! You are now up to speed on this legal maze through early 2021, generally speaking.
Understanding the New Development
The High Court ruled that the Irish DPC has the right to open an investigation—separate from the investigation into Schrems’s 2013 complaint—into Facebook’s EU-US data transfers. The ruling does not in itself halt the data flows, but it does set in motion the process that could produce such an outcome. Hearings and a decision from the DPC would take approximately six weeks. The DPC decision would then require approval from the European Data Protection Board, which takes up to four additional weeks. A ten-week process is not instantaneous, but this month’s ruling puts a very consequential possibility on the horizon, with a very finite timeline.
Gaining Key Lessons in Data Protection
Even though this story is far from over, it’s already providing valuable lessons in data protection moving forward. While Facebook has been a lightning-rod for privacy issues for years, the ruling has a far broader lesson for all US businesses. The lack of data protection in the US increasingly hinders companies’ ability to innovate, compete, and thrive on the global stage. The DPC’s investigation specifically applies to Facebook, but it could yield legal findings with much wider scope. Other tech companies, including giants like Google, also conduct EU operations outside of Ireland and could come under investigations or restrictions on their own data flows. Beyond big-name Silicon Valley platforms, smaller businesses with fewer resources could be at an even more acute disadvantage if they find their data flows suspended. As Ethyca’s CEO Cillian observes,
“The EU continues to set the standard for privacy worldwide, while the US is playing a costly game of catching up.”
Federal privacy regulation in the US will not be a cure-all, but it would be a substantial step toward rebuilding the integrity of EU-US data flows. As Facebook’s EU-US data flows remain intact for now, there is still no replacement for the EU-US Privacy Shield, a framework that over 5,000 businesses—many of them SMEs—relied upon. Left to their own devices to navigate complex legal processes for data transfers, teams are spending much of their time and energy working on compliance rather than developing new innovations.