Published On: Wed, Aug 26th, 2020

Max Schrems on the EU court ruling that could cut Facebook in two

Last month’s ruling by the Court of Justice of the European Union (CJEU), tearing up the EU-US Privacy Shield and sowing doubt over alternative mechanisms, has put the cat among the pigeons of international data transfers.

For Facebook the impact could fall like a cleaving sword, as the business is front and center following the so-called Schrems II judgement.

Eponymous privacy campaigner Max Schrems’ underlying complaint targeted the tech giant’s use of a data transfer mechanism known as Standard Contractual Clauses (SCCs). Thousands of businesses make use of SCCs to carry out EU to US transfers of personal data, sometimes in addition to the now defunct Privacy Shield framework. An earlier ruling by the CJEU — following another Schrems complaint that also drew on the 2013 Snowden disclosures of US government mass surveillance programs — struck down the prior transatlantic ‘Safe Harbor’ arrangement.

SCCs were an existing alternative for businesses to plug the gap then until Privacy Shield came into effect. But the CJEU’s finding of no US adequacy with EU privacy standards casts doubt on their continued use for these transfers. Facebook was using SCCs in the Safe Harbor era. Now, in the wake of the CJEU decision, it’s said it’s moving its Privacy Shield transfers to SCCs. So the tech giant has no visible ‘plan B’ if it’s ordered to suspend these data flows too.

In Schrems’ view the only way Facebook will be able to comply with the CJEU ruling is if it splits its infrastructure in two. And while other types of companies — such as cloud storage providers — might already separate data by region due to factors like latency or even cost, Facebook’s business simply doesn’t work like that. It’s designed to draw data to the center.

“Facebook is probably the most [susceptible] to all of this,” says Schrems, discussing the ramifications of the CJEU ruling in an interview with TechCrunch. “For Facebook it’s really, really difficult as a company to comply with any of this.”

“There are parts that are necessary data transfers, and [Facebook] can continue to do that. So basically the message that I sent to an American friend, things like that. But that’s only a tiny percentage,” he continues. “So I think technically the way they’d have to do it is basically split Facebook in two. And then kind of reconnect the necessary data transfers. So you’ve basically federated. A bit like Diaspora was always designed to be; a federated social network where you basically have different parts and what’s necessary is communicated and what’s not necessary is not communicated.”

“They’re not going to do that without heaven and hell moving onto them,” he adds. “I guess — especially for Facebook — the problem is we kind of have a case where the consequences are so extreme the pushback is obviously as extreme as possible… They know that without fundamentally restructuring the whole system they will never be able to comply with any of this — so they don’t.”

Schrems points to what happened historically with SWIFT financial data exchanges as a comparable scenario — where the fix was to move backups from the US to Switzerland “so only the data that is international and US is actually stored in the US and all the other transfer data is kept in Belgium and Switzerland”. “So you separate your backups and your situations and so on,” he says, adding: “It’s a lot of engineering.”

At this point most of the big tech companies have data centers in Europe. Newer social video sharing app TikTok recently announced plans to establish one in Ireland for EU users’ data. But Schrems reckons there’s no easy way for Facebook to unpick all its EU data flows.

We asked Facebook for details on its legal basis for continuing to use SCCs but the company did not engage with questions on the topic. Nor did it respond when we asked for clarity on any ‘plan B’ if it’s ordered to stop using SCCs.

Beyond the major engineering headache for the company, Schrems doesn’t see huge legal significance in a federated version of Facebook’s service that holds EU users’ data in Europe. But he argues such a split would send an important message about the rule of law.

“The law doesn’t differentiate if the data is processed in Europe or in the US on having to be compliant with it… So I don’t really think we can probably gain much from it. To me it’s more of a general question of companies having to respect the law or just getting away with it, over and over again, without really complying. I don’t think [it would be a gain] for direct compliance — it’s probably more of a big message that you don’t get away with it that would be important to send,” he says.

Can SCCs still be used for US transfers?

In the clash between EU privacy rights and US surveillance law, Europe’s top court has made it clear it isn’t budging. At the same time, lawyers all over the region are busy grappling with the apparent contradiction of the CJEU finding US surveillance practices fatal to Privacy Shield yet not putting an immediate blocker on SCCs for data transfers across the pond. This other long-standing transfer mechanism — sometimes also referred to as ‘model clauses’ — could have been struck down too but wasn’t. So the court left the door ajar.

Law firms have seized on that to shape strategies for businesses to continue using SCCs for US data transfers in a way that minimizes their risk — via performing detailed risk assessments and/or applying ‘special measures’, where possible. Given the rich seam of paid advice opportunities opening up, it’s not hard to find European lawyers who believe SCCs can be made to work for some data controllers who want to continue (or start) bulk processing EU users’ data in the US.

This advice boils down to doing all of the associated bureaucracy around performing risk assessments over a particular data transfer and whether/how it falls under US surveillance law; for some it might also mean investigating technical and operational solutions, such as whether data could be encrypted in transit and the keys held by an EU entity that’s not subject to US law; and maybe seeing whether policies can be applied and contractual language beefed up so that a US receiving entity that gets a law enforcement request for data is obliged to take steps to make sure there’s a genuine legal constraint underpinning it.

In a public discussion on the topic hosted by the International Association of Privacy Professionals last month, Hogan Lovells partner Eduardo Ustaran — one of the more bullish voices touting the ongoing value of SCCs for US transfers — made the case for building process protections into contracts to require a level of push back and scrutiny of US government agency requests for data.

“When the court talked about additional safeguards and making up for the lack of protection in the regime of the recipients… they’re talking about precisely that: Having that legal process in place — a contractual obligation — to question that request. And you will probably find that if that is in place only a very, very, really small minority of cases will lead to something that is a true dispute where the disclosure of data really needs to be given,” he argued.

“Even in that case, one needs to question whether that is actually within the parameters of what European law provides. Or outside those parameters. Because, again, what the court didn’t say was that all access to data is unlawful; it’s the one that’s not necessary, it’s disproportionate. So that’s what we need to get at. And that’s what we’re saying. I think there is really room for maneuver in that contractual request for the parties to that request to determine to what level of scrutiny they’re going to undertake when one of them receives a request.”

In the same discussion, Fieldfisher privacy, security and information partner Renzo Marchini suggested some data controllers might be able to determine they do not have any risk of European standards not being met for their particular data transfer.

“For some vanilla transfers there might simply be no risks,” he posited. “They might be outside of FISA [the Foreign Intelligence Surveillance Act] and so on. And you only get to additional safeguards, additional measures if you conclude that you need to do something more — and the court has allowed you to do something more.”

“They haven’t said what that’s got to be,” he added. “I hope the EDPB [European Data Protection Board] will give some certainty here and tell us what those things are.”

The lack of legal redress linked to US surveillance law is a stickier problem, though. One Marchini accepted can’t be fixed with any amount of contractual spit and polish — and which, for businesses subject to FISA, will carry through as what he couched as “residual risk”.

“That simply goes to the risk assessment that’s carried out beforehand,” he said when pressed on that point. “So if you’re at risk and you can’t fix it technically, operationally, then you’re left with a residual risk that you haven’t got essential equivalence. There’s no way of avoiding that, I think. You’re not going to fix that gap in US law that the court found either… There’s a lack of legal redress under FISA 702; you can’t fix it, but you might be able to conclude you’re not at risk under FISA 702.”

In Facebook’s case, there’s no credible dispute that the company falls under US surveillance laws — which means its wiggle room in the face of Schrems II is minimal. And so suddenly the company throwing all its eggs into the SCCs’ basket in the hope that Europe’s regulators will ignore the CJEU’s instruction to step in looks high risk.

“One of the findings of the Court of Justice was there is simply no legal redress whatsoever as a foreigner,” notes Schrems, adding: “I’ve had calls with people from industry and they said we know that we actually don’t have a legal basis but we just hope they’re going to be reasonable and not enforce it. Which is basically saying you’re operating illegally and you hope the law doesn’t apply to you.”

“We’re now asking different companies and most of them say we don’t really know the legal basis — we’re waiting for guidance,” he adds. “The reality is the vast majority of them is simply now operating illegally. Google and Microsoft and even Facebook put out ‘oh we’re still using SCCs because we read the ruling differently’.”

In another example, the IAB Europe suggests in a Q&A on the CJEU ruling that worried advertisers “seek guidance from your lead supervisory authority” — and then immediately suggests DPAs “may give leniency towards data transfers that took place under the Privacy Shield due to the sudden nature of this change in the law”. Although, on SCCs, the ad industry body is more circumspect, writing that compliance is now determined on a case-by-case basis and “will depend on the companies sending and receiving the personal data, the regulator in the target country, and the types of personal data”.

“To be honest I’m not super enthusiastic about data transfers because we have so many other privacy problems there probably are bigger issues. But the reason why I’m really getting more and more excited about this case is it just shows the vast ignorance on any of these decisions,” adds Schrems. “If the Supreme Court of the EU says for the second time you can’t do that and they’re just saying ‘oh I guess the law doesn’t apply to us or is not going to be enforced anyways’.

“With the data transfers I kind of understand because it’s complicated and you can’t change it overnight. Even in the Facebook complaint we filed in 2015 — back then we said we know they should at least have an order where, within a certain time period, they should have to stop the data transfers rather than say you’ve got to stop it overnight because that’s not going to happen. But they could, theoretically, order them to stop the data transfers within a year, for example. Which would give them enough time to actually comply with it.”

What happens next?

Individual EU regulators have generally been keeping their cards close to their chest since the CJEU ruling. And it remains to be seen what action Facebook’s lead supervisor, the Irish Data Protection Commission (DPC), will take as its next steps vis-a-vis Schrems’ seven-year-old complaint. All eyes are on Dublin.

More than two years since the application of Europe’s General Data Protection Regulation (GDPR), the regulator is no stranger to complaints that it needs to pick up the pace and get on with the job of enforcing major cross-border complaints against tech giants like Facebook. Though the counter argument to such criticism is that building robust cases that will stand up to legal challenge takes time.

In the meanwhile, guidance on the CJEU ruling put out by the EDPB emphasizes that international data transfers via SCCs must be assessed on a case by case basis; and, if the data controller intends to keep using SCCs, it must inform the relevant EU supervisory authority — inviting scrutiny of these flows.

Combine that with the CJEU telling EU data protection agencies they have a duty to intervene and stop data transfers to places where they believe people’s data is at risk and it’s hard to see how regulators can keep sitting on their hands in obvious cases involving FISA-subject entities.

One thing looks clear: The era of ‘tickbox’ data transfers to any international jurisdiction that lacks an EU data adequacy agreement is toast.

Taking that further, any third country that lacks a comprehensive data protection framework akin to GDPR probably isn’t going to be able to sustain ‘seamless’ access to the European market for long, if at all — which means, yes, the US; but also China, India, and so on (a post-Brexit UK also looks dicey on the adequacy front given its penchant for surveillance overreach; though some of that has already been dialled back via the courts).

And even though there are now noises on both sides of the Atlantic about cooking up a ‘Privacy Shield 2’, absent meaningful reform of US surveillance law — or the impossible flip-side of Europe tearing up its charter of fundamental rights — any such respawned instrument would soon follow its predecessors into legal history.

As we said last month, all this sums to a lot more work for lawyers. And right on cue law firms are talking up contractual risk reduction strategies to sell concerned data controllers a way forward.

Cash-strapped regulators are also going to find more work piled on their plates now they have unequivocal instruction not to look the other way at lawbreaking data transfer ‘business as usual’.

Pressure is being applied to regulators by EU lawmakers too, who want to see more joined-up working to ensure consistent application of major rulings across the bloc’s patchwork of data authorities. Businesses need clarity, is the common refrain. And the role of the EDPB — whose current duties include issuing guidance and promoting pan-EU cooperation and consistency of regulatory application — looks set to become increasingly pivotal as more of these cross-border cases and pinch-points light up.

The EDPB will need to take on more of a leadership, decision-making role vs the prevailing talking shop, per Schrems. “They will have to become a proper legal entity that does proper legal decisions because they will be tested in court,” he argues. “So far they got away with more political statements and so on. In both directions. There’s some things that they put out that are just going way too far, that the GDPR does not provide for. And there are other things where they’re miles away from the basis of what the GDPR says. [Their output] will have to become more like a proper legal analysis — that says this is what you have to do now.”

Unsurprisingly, for a privacy activist who’s been petitioning regulators to defend his fundamental rights for so many years — and now with two adequacy-crushing CJEU rulings that bear his name — Schrems expresses plenty of frustration at the DPAs’ performance to date.

After so much time and legal energy it’s extraordinary to think his original complaint against Facebook’s use of SCCs is still unresolved. And that’s just one of many he’s filed, having spun up noyb: A not-for-profit European digital rights organisation dedicated to strategic litigation to defend privacy.

“The other problem is that the authorities locally then also have to enforce [EDPB guidance] because there’s still a lot of talk,” he says. “We have decisions that, we can’t name them publicly — but we have ‘in between’ decisions from the Irish DPC where they literally say yeah that’s what the EDPB says but we have a different view and we’re just going to decide a different way. And they’re not technically bound by these guidelines but if structurally they’re not upheld in Member States then, yeah, nothing’s going to happen.”

noyb also has pending cases that have been sitting with DPAs for as much as 1.5 years without the key authority providing feedback — because “they simply don’t talk to each other”.

“I mean just in daily practice. We have cases that are pending — like the forced consent stuff — where the Germans said they now called them every month in Ireland and there’s simply no answer,” he adds. “And so it’s not working on such a childish, simple level.

“So the problem that we’re having is this whole cooperation system is just so fundamentally not working. It could work if everybody tries to pull in the same direction. But right now they are rather all pulling in different directions.”

What does Schrems believe will happen with his Facebook SCCs complaint now the CJEU has finally weighed in?

“I have no idea to be honest. We’re now planning to do more and more turning up the heat a bit,” he says, nodding to the 101 complaints just filed by noyb against the use of SCCs for Facebook Connect and Google Analytics data transfers. “Fundamentally it’s a question of whether the data protection authorities take themselves seriously or if they continue to be like ‘FAQs’ that are just like ‘blah, blah, we don’t really tell you anything’. And which of the DPAs are going to start to take some enforcement measures.”

“People complain about the US a lot and US companies not being compliant with EU law… But the reality is we’re simply not enforcing these laws. And it’s a fundamental European problem that we don’t do that,” he adds. “I’m just joking in Austria; one Google penalty would buy us up to 4 high speed rail tunnels through the Alps!”

There has been one Google penalty since the GDPR began being applied in May 2018 — levied by France’s CNIL in early 2019. But Schrems argues the €50M fine was woefully low, pointing out Austria slapped a larger penalty on a postal service (€80M) for trying to calculate people’s political interests based on their location and age in order to run a direct mailing service. And it’s clear Google’s behavioral ad-targeting personal-data-sink goes a lot deeper than a spreadsheet to sell direct mailing.

“If you never really enforce the law, if you never really put out a penalty, if the maximum penalty even from the CNIL was €50M — which was nothing — then there’s no reason to wonder why [tech giants] don’t comply,” adds Schrems.

The Irish DPC has also sought to package product launch delays as annual-report-worthy enforcement wins. But Schrems argues such things “fundamentally underestimates their power”. He also notes that noyb has instigated legal action against the DPC “for being inactive”, as he puts it.

“They’re oftentimes more happy to write a press release than to actually take the law and take the options that they have on the law and go for it,” Schrems adds, discussing the problem of EU DPAs generally not feeling willing or able to enforce. “That’s the reason why we’ve tried to push them with these complaints, the 101 complaints. Basically they can’t say that they haven’t a case on their table anymore.”

He likens the impact on Europeans’ fundamental rights of so much regulatory inaction to having the right to vote but without access to a polling station most of the time.

“That’s a bit of how we do privacy,” he suggests. “And that’s the part of what we’re trying to do at noyb; just dig into that and just see, you know, there is a law, you breached it, now you pay for it. Because unless we actually push for that structurally, and bit by bit, we’re just going to be in this endless debate about privacy for the next 30, 40 years.

“I’m always telling myself it’s a bit normal because when we had the first time that we talked about workers’ rights — it still is a 100+ years ongoing debate about actually getting paid what your collective bargaining agreement says. It’s not like any of these problems are done tomorrow or done forever but here the gap between reality and law is just so huge — and even huge companies just fundamentally do not comply — and that’s a bit exceptional. Because in other areas they at least pretend to comply. Or somehow comply if they’re a larger company with some reputation.”

Of course even big financial penalties can amount to a parking ticket for tech giants. Witness Facebook’s smiles-all-round $5BN FTC settlement. Or Google’s $5BN antitrust fine for its still dominant Android OS. But Schrems’ point is you have to actually have functioning institutions issuing penalties to stand any chance of tackling such big rights asymmetries. And, well, a law that’s not enforced is like a pavement no one walks; soon enough there are weeds growing over it and pretty quickly you couldn’t even walk it if you tried.

“We’re not going to police the world by having a DPA behind every bush and ogling every click that everybody does. But if they, in general, have an enforcement pressure that companies have the feeling that ok if we don’t comply, bit by bit, I’m going to get caught for something… It’s a bit like with traffic,” says Schrems. “You know I’m not a fan of having a speeding camera around every corner but if once in a while you get a speeding ticket you kind of realize that going 160 on an autobahn is not a good idea and it generally keeps people to drive at 140 if 130 is legal. It keeps it somehow at a format that is somehow acceptable — and that’s totally missing in the privacy world.”

For now, the enforcement gap is being challenged by not-for-profits like noyb. It’s also increasingly viewed as an opportunity by class action style litigation funders — hoping to profit off of population-scale damages even if regulators won’t.

Schrems says noyb has managed to attract a crowdfunded annual budget of around €600k-€700k at this point — “all donated money for doing the job that regulators are actually paid to do” — though he’s recently been running ads on social media to try to get it to full target funding. “Technically noyb shouldn’t exist,” he jokes.

Clearly, though, Schrems has tapped into an appetite among Europeans for someone to champion their rights.

After years of regulatory inaction that has allowed data-mining giants to exploit people’s privacy without any meaningful consequences — sewing up the attention economy in the process — there’s a vacancy for privacy heroes to tackle the sorts of abuses Schrems and his team are worried about. Problems regulators have failed historically to act on, and that Europeans are still waiting for action on. (A two-year Commission review of GDPR in June acknowledged the lack of uniformly vigorous enforcement.)

“Right now we’re looking into a lot of the data brokers on the advertising stuff,” says Schrems, when asked about his biggest privacy concern. “What’s kind of interesting in some countries — not all — the credit ranking agencies and what they do and why they think they can have data on every European and their financial situation without ever having consent or anything. So there’s tonnes of stuff that we’re looking at right now. I’m luckily not involved in all of it at the same time anymore.”
