By Manuel Lobato. Patents Lawyer.
Background of the case
The young Austrian Maximiliano Schrems – law student and resident in Ireland – made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook, for transfer of their data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.
In his claim, Schrems – based on the facts and evidence provided by Edward Snowden through which, the former agent revealed how the United States operated in global surveillance-, alleged that said country did not offer adequate protection to the personal data that received from users in the countries that are members of the EU, and did not even contain a process for the selection and treatment of these data, but rather took them in large quantities and thus processed them, using them for purposes other than those that truly informed the users of the social network –in their eagerness to fight terrorism-.
This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ proposal, based on Decision 2000/520 / EC, of July 26, 2000S, considering that The United States complied with an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland – the High Court -, which finally held that the United States made excessive interference with the personal data that was transferred to its territory.
The decision of the CJEU. Schrems´ I judgment.
The High Court asked the European Court to issue a preliminary ruling regarding the issue of whether said decision -2000/520/EC- is valid and whether it makes it impossible – or not – for the national authorities of the countries of the European Union to carry out a correct control regarding the personal data that is transferred from an European country – in this case, Ireland – to a third state. Finally, the European Court ruled that, although the EC decision 2000/520 prescribes that the United States has an adequate level of protection, the truth is that also the national organizations responsible for ensuring the protection of the data of its inhabitants, they are empowered to carry out this control, although the invalidity of a Decision – in this case, the one adopted by the European Commission – can only be declared by the CJEU.
Finally, the European Court, in order to rule as it did –declaring the invalidation of the EC decision-, taking into account, not what was established by the Commission’s Decision, but, in factual terms, whether the privacy of the data owners was protected when transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to that of the EU; more than anything, that this third country provides an adequate protection framework for the data of the holders.
For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:
1) That there was an interference with the right to privacy;
2) Declared that said interference meant a violation of the essential content of the right to privacy.
Due to the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission regarding what is known as “safe harbor”, regarding the transfer of data to the United States, it was adopted within this framework, the so-called decision 1250/2016, better known as “Privacy Shield”.
The purpose of this decision is summarized as follows:
– Acknowledges that the EU-EE Privacy Shield comprised of the privacy principles applicable to certified United States organizations (companies) and related commitments made by the Department of Commerce and other United States authorities, it provides an adequate level of protection for personal data transferred from the EU to these organizations.
– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.
– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.
– It also guarantees legal certainty for companies that rely on your application to transfer personal data from the EU to US organizations certified by the Privacy Shield.
Precisely this decision is the one that was declared invalid in the judgment of the Schrems II Case, issued by the CJEU on 07/16/2020, which will be subsequently commented.