Schrems vs Facebook: David beats Goliath
Facebook has more than 2.45 billion users worldwide and a staggering amount of personal data. However, no one is unaware that all these data have absolutely nothing "personal" any more as soon as they are in the possession of this American giant. There is simply no such thing as privacy protection on Facebook. And it is against this that Max Schrems, Austrian lawyer, has been fighting for 8 long years. He pleads for real protection of privacy and equivalent personal data in Europe and the United States.
Throwback to 2011
Back in 2011, Max Schrems realizes that Facebook is adopting a far from correct interpretation of the law. He then asks to receive a copy of all the data that the social network has about him. Result? A file of 1222 pages containing data yet deleted from his account.
The complaint forwarded to the Irish data protection authority is considered insufficient for the authority to react. It will take two more years so that, following revelations about the surveillance practiced by the NSA (National Security Agency), Facebook is not once again singled out for its questionable management of data.
Questioning Safe Harbor
Safe Harbor is an agreement signed in 2000 between the European Commission and the United States Department of Commerce which aims to regulate the transfer of data to the United States by guaranteeing "an adequate level of protection". New actions are then brought to various data protection authorities. Complaints are being made against Apple and Facebook, in Ireland, but also against Skype, in Luxembourg, and Yahoo in Germany. The complaint against Facebook goes back to the Court of Justice of the European Union and it purely and simply invalidates the Safe Harbor.
This is the "Chernobyl moment of the privacy debate", to use Max Schrems' words. Indeed, following the decision of the CJEU, there was no longer a framework agreement. This meant, de facto, the birth of a certain legal uncertainty for American companies. As a result, the European Parliament stepped up the renegotiation of Safe Harbor, underway since 2014 to give birth to the well-known General Regulation on the Protection of Personal Data (GDPR), which entered into force on May 25, 2018.
And then what?
One of the principles of the GDPR is not to transfer personal data to a third country which does not offer the same level of protection. However, the GDPR provides that in certain cases the European Commission can take decisions to override this principle. This was particularly the case during the implementation of Safe Harbor. The establishment of standard clauses is also a means of transferring data to a third country.
Many efforts were made after the adoption of this European Regulation, but the formulations, which are too vague, still leave a lot of room for interpretation. The problem of surveillance practices in the United States has not been resolved either. The successor to Safe Harbor, the Privacy Shield, which entered into force on August 1, 2016, does not provide a miracle solution against indiscriminate collection of data; nor to the use which is made of it for the benefit of American espionage. Once again, the terms chosen are of variable geometry and the imperatives of "national security" are all too often invoked to justify data collection and mass surveillance.
In December 2019, the opinion of the Advocate General of the CJEU Saugmandsgaard Øe, was therefore eagerly awaited in the continuation of the Schrems VS case. Facebook. In the present case, the question of the transfer of data as well as the protection with regard to them arises in the context of the relationship between Facebook Ireland and Facebook US. It appears from the opinion of the Advocate General that the transfer of data outside the European Union based on standard contractual clauses is not unlawful in itself, provided, however, that the data exporter is able to guarantee respect for the fundamental interests of European citizens. However, the Court ruled in an earlier ruling that this was not the case for the United States, the latter not offering protection measures similar to those of Europe.
This Thursday, July 16, 2020, the CJEU ruled and canceled the Privacy Shield. The standard contractual clauses, for their part, remain in principle valid. It is nonetheless up to the data exporter to verify that the regulations of the country of destination of these data offer the same guarantees. In the judgment of the Court, it considers that, since the standard contractual clauses could not really be applied and, ipso facto, the transferred data sufficiently protected, it is then incumbent on the supervisory authorities to suspend or prohibit such transfer. The Court therefore declared on the one hand that Facebook and similar companies could not hide behind such clauses and, on the other hand, that the supervisory authorities should have an active role and take concrete measures in order to do so. comply with the GDPR. The Court also made it clear that US bondage laws conflict with fundamental rights of application within the European Union, which de facto prevents the respect of the same guarantees by the United States.
It is therefore up to European companies using American suppliers to realize the impact that such a choice can have. As an example, a company that uses SaaS software with a CRM hosted or managed in the United States can no longer be satisfied with displaying a standard contractual clause to justify its compliance with the GDPR. It is essential that these clauses can be respected in practice, which is all too rarely the case given the number of American companies that escape surveillance laws. All these companies that fall under US surveillance laws cannot validly use the contractual option of the standard clauses provided for by the GDPR when US law requires them to violate them. It is undoubtedly preferable for European companies to collaborate with companies which respect the same rules as they do and which have the same values: those which advocate respect for privacy!