Max Schrems challenges Facebook and wins. Again.
European court ruling strikes down the transatlantic data transfer mechanism in a case initiated by the young Austrian data privacy advocate.
On July 16, the European Court of Justice (CJEU) ruled that the “Privacy Shield” for transferring data between the EU and the U.S. provided inadequate privacy protections in the U.S., thus rendering the framework invalid under European law.
The ruling highlights an imbalance in the standards for U.S.-EU data privacy. In 2018 the European Union passed the General Data Protection Regulation (GDPR), now Europe’s primary legal framework for protecting personal data privacy. The GDPR created specific requirements for the overseas transfer of data, limiting it to countries with adequate data privacy laws.
The U.S. was not one of them, hence the need for an additional framework. The Privacy Shield, designed jointly by the European Commission, Swiss Administration and the U.S. Department of Commerce in 2016, created such a framework by enabling individual companies to certify higher privacy standards and thus become eligible data recipients.
This month’s CJEU decision resulted from a complaint against Facebook filed by Austrian data privacy activist and lawyer Max Schrems, who argued that EU citizens’ data was not private in the U.S., as American national security regulations did not protect it from government surveillance.
Facebook is an online behemoth, boasting 2.5 billion active monthly users. That’s 32% of the world population. As a global network, Facebook makes transatlantic data transfers routinely, and had done so using the Privacy Shield framework.
On the day of the decision, Schrems hailed it as a “100% win – for privacy” in a Tweet. “The U.S. will have to engage in serious surveillance reform to get back to a ‘privileged’ status for U.S. companies.”
This is not the first legal victory for Schrems, who previously won a case against Facebook in 2015, alleging that the social media giant had allowed the U.S. government to access his data. The CJEU ruled that Safe Harbor, the data transfer mechanism used at the time, was not compliant with EU data protection law and thus invalid, which gave birth to its replacement, the Privacy Shield.
The differences between the old Safe Harbor and the new Privacy Shield frameworks, however, were not as far-reaching as Schrems had perhaps desired. While the new framework did close some key loopholes, such as making companies liable for onward data transfers and requiring organizations to provide recourse mechanisms and accept binding arbitration, it still allowed companies to self-certify compliance with privacy principles.
Max Schrems’ interest in data privacy was sparked during a semester abroad in Silicon Valley in 2011, when a Facebook lawyer gave a guest lecture to his class. Schrems subsequently requested that Facebook divulge what data they had on him, receiving a 1,200-page document in reply. In August of that year, he filed his first of many complaints against Facebook with the Irish Data Protection Commissioner.
Over 5,000 U.S. companies had been relying on the Privacy Shield. After the CJEU decision, the European Data Protection Board announced that “Transfers on the basis of this legal framework are illegal.” With no grace period to transition away from the Privacy Shield framework, it is now up to companies to find alternative mechanisms and determine for themselves whether they can guarantee protection of users’ data from U.S. government surveillance.