And here is already Schrems-II. The background of both “Schrems” cases is the Snowden revelations, which showed that U.S. government agencies are involved in indiscriminate mass surveillance of European subjects whose data are transferred to the U.S. Maximilian Schrems therefore holds that the U.S. does not ensure adequate protection, and it was on this basis that the “Safe Harbour” was invalidated. The target is Facebook, but not its own shady data usage practices, just the possibility of the data being requested and obtained by U.S. authorities. It has to be mentioned that the U.S. government tried to get access – in individual cases, based on concrete suspicion of crimes – to data stored in the EU from Microsoft and Google. At the moment, Microsoft has succeeded in avoiding this, based on its statement that the data are stored in the EU, while Google, which stated that the data may not be stored in the U.S. but that it is not known where they are, failed.
Now, the question is whether Facebook has a legal basis to transfer data outside the EU, namely to its U.S. headquarters. This could be the “Privacy Shield”, but it was known that this would be attacked by Schrems. Therefore Facebook chose the Standard Contractual Clauses between the Irish subsidiary and the U.S. headquarters, but this was communicated to Schrems only during the process. Schrems submitted a complaint to the Irish Data Protection Commissioner (DPC, the data protection authority of Ireland) and then brought the DPC to court, asking it to annul the decision of the DPC which found the data transfer lawful. The European Court of Justice can directly decide only in cases where one of the parties is an EU body; in cases before the national courts, the deliberating court can ask for a preliminary ruling interpreting EU law. This is what the Irish court did. The hearing before the ECJ took place on 9th July.
In the opinion of Schrems, the U.S. does not ensure adequate protection – and thus the assessment on which the Privacy Shield is based is faulty. Therefore the Court may now invalidate the Privacy Shield. This was in fact requested by the reference for a preliminary ruling. This is based on the law and the actual practice (disclosed by Snowden) in the U.S., which he wants the Court to take into account even if there is an adequacy decision of the Commission (this was the original version) or a contract containing standard clauses also approved by the Commission – i.e. the clauses cannot be observed and thus do not provide a legal basis for the transfer.
Schrems thus declared that he does not want to invalidate the SCCs or the Privacy Shield because the Standard Contractual Clauses enable the Irish Data Protection Commissioner to stop Facebook from transferring the data on the above basis.
His opponents’ view is that the standard contractual clauses provide the necessary safeguards to protect the rights of the data subjects. In their view U.S. law and practices cannot be taken into account in evaluating the legal basis for transfers.
One side question in the case is whether national security interests of the U.S. have to be taken into account – the EU legal framework provides for important exceptions to the rights of data subjects for reasons of national security.
Another court case, already decided, takes some burden off Facebook – although not strictly in an international context, but using a concept newly introduced by the GDPR (although referring to the old directive due to the date when the actual actions in the dispute took place). Some websites contain buttons (social plugins) which enable visitors of the site to “like” the pages of the website owner on Facebook and thus join a community on Facebook – with their Facebook profiles.
The operator of a website that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, limited to the collection and disclosure by transmission of the data at issue. This also means that both the operator of the website and the social network have to have a legal basis (for example legitimate interest or consent) for the processing, including the transfer of the data of the website visitor to the social network. The compulsory information – only concerning the collection and transfer of the data – has to be provided by the website operator before it transfers the data (i.e. when showing the plugin), and the consent must also be obtained by that operator, but only with regard to the abovementioned operation.