
Schrems II: Electric Boogaloo

Have you ever thought to yourself “Gee whiz I sure wish I knew more about legal challenges to international data privacy laws”?  Of course you have!  It’s a super fun and interesting subject which every consultant would love to know more about.  

I wrote a paper on the Schrems I case several years ago, and last year found myself correcting lawyers on a panel when they attempted to talk about technical solutions to the problems created by the Schrems II case.  Even though it’s more of a legal issue than a technical issue, I find it really interesting.  Here’s a recap of what has happened so far; maybe you’ll find it interesting too!

Safe Harbour

Safe Harbour was a system created in 2000 by the US Department of Commerce in response to the European Commission’s directive on Data Protection, to facilitate the transfer of data out of Europe (primarily to the US). The European Commission’s directive disallows the transfer of personal data outside of the European Union (EU) to countries that don’t adhere to the EU’s standards for privacy protection. Safe Harbour was designed as a framework to allow countries outside of the EU (such as the US) to bring their privacy protection policies in line with the expectations of the EU, and to certify themselves as such. The key weakness of this policy, however, was that companies were able to self-certify compliance, meaning that the system was perhaps not as strong as it should have been.

Schrems I 

Back in 2015, an Austrian law student/privacy campaigner named Max Schrems challenged Facebook Ireland over their data privacy policies in light of the (at the time) recent Edward Snowden/National Security Agency (NSA) revelations. In this he claimed that his privacy had been invaded if Facebook had allowed the NSA to access data that was being stored about him, and as such that they were behaving in a manner not allowed by the Safe Harbour agreement. Schrems’ case was investigated by the Irish Data Protection Commissioner, who then rejected the case on the basis that Facebook was certified as compliant with Safe Harbour. However, the High Court of Ireland contacted the European Union’s Court of Justice in Luxembourg to seek clarification on whether national authorities were prevented from investigating complaints with regards to the levels of data privacy provided by the US, and whether the contested transfer of data could be forcibly suspended. The EU Court of Justice responded that national authorities can and should be making rulings on a case-by-case basis, meaning that the Irish Data Protection Commissioner was to reopen the challenge initially started by Max Schrems.

The result of this ruling was that Safe Harbour did not automatically make a compliant company unchallengeable with regards to its data privacy policy. In light of this, if a company’s habits were brought into question, it would be investigated on an individual basis. Simply self-certifying compliance with Safe Harbour was no longer sufficient.  

After the Schrems I ruling, some UK-based companies moved away from using US-based cloud computing and data storage providers.  Many schools stopped using Dropbox due to privacy fears.  Some companies began to “silo” data based on geographic borders. 

In the Schrems I judgement, the EU Court of Justice found that Safe Harbour was invalid.  Essentially, an international law could not overrule the local law of the countries involved; whilst Safe Harbour said that government snooping was not allowed, it couldn’t really stop the NSA.  Other issues were also raised with Safe Harbour, such as that it did not provide legal remedies for individuals (people like Max Schrems) to control data about themselves.  

As a stop-gap solution, many companies which relied upon international data sharing began to make use of contractual clauses to enforce compliance with EU data protection standards upon international clients.  These became known as “Standard Contractual Clauses” (SCCs), and the European Commission (EC) has made various ones available which people can easily incorporate into their contracts.  SCCs had existed for several years beforehand, but had not seen such wide-scale usage prior to this decision.  

Privacy Shield

With Safe Harbour struck down, the EU and US governments began to collaborate on the creation of a new framework.  In 2016, an agreement was reached and Privacy Shield was born.  It attempted to address some of the issues faced by Safe Harbour, though critics highlighted issues that remained.  Although Privacy Shield attempted to make it easier for individuals to control the data that international organisations may hold on them, it was still hard for individual consumers to request that their data be deleted.  A new ombudsperson mechanism was proposed, but was too poorly described to be of much use.  Privacy Shield also did not address the mass collection of data upon subjects, which privacy advocates had hoped might be addressed.  

In January 2017, President Trump signed an executive order entitled “Enhancing Public Safety”, which stated that US privacy precautions would not be extended beyond US citizens or residents. This was interpreted to mean that US companies should explicitly exclude non-US citizens from their data protection practices when transferring data within/to the US.  This executive order was however declared unconstitutional in November 2017.  

In response to this, the European Commission clarified that the US Privacy Act has never offered data protection rights to Europeans.  This was the reason for agreements such as Privacy Shield in the first place; to provide data protection equivalent to the EU data protection laws when data was transferred into the US.  

The CLOUD Act

Following the creation of Privacy Shield, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law in 2018.  This extended the powers of data access already afforded to US government bodies such as the NSA.  The CLOUD Act allows federal law enforcement to compel any US-based technology company to provide access to all data, regardless of the geographic location of the data storage.  People whose data is accessed under this law have no right to be informed should this access take place.  It has been suggested that this law is at odds with GDPR, and Germany warned against the use of AWS for storing sensitive data by local law enforcement.  Aside from this it appears to have undergone little challenge, and is still in place.

Schrems II

After Safe Harbour was ruled invalid in 2015, Schrems reached out to Facebook and asked them to identify the legal basis they had for the transfer of personal data from the EU to the US.  Facebook referred him to a data transfer processing agreement between Facebook Ireland and Facebook Inc, which had been in place since 2015.  This agreement relied on an older European Commission decision known as Decision 2010/87.  

In February 2010, the European Commission made a decision on the use of SCCs for the transfer of personal data to processors in third countries.  Firstly, it found that data transfers of personal data to third countries may only take place if the data will be adequately protected in said third country. Paradoxically, it also found that EU Member States may authorise under certain conditions the transfer of personal data to third countries which do not ensure adequate levels of protection.  This may be done through the use of SCCs relating to data protection.  

In response to this, Schrems claimed that this agreement was not in line with current SCCs, and that the clauses in use did not justify the transfer of the data in the first place.  He also made the point that the agreement did not provide for legal remedies whereby an EU citizen could invoke their rights to privacy once the data was in the US.  He asked the supervisory authority to suspend the transfer of data using Decision 2010/87.  

After the outcome of the Schrems I case, the Irish High Court referred a set of questions to the EU Court of Justice (EU CoJ).  This included the validity of using Standard Contractual Clauses, which had entered into common use after the Schrems I case.  As could perhaps be predicted, Privacy Shield was invalidated in 2020.  Much like Safe Harbour, it could not supersede the local laws of countries to enforce data protection.  The EU CoJ found that Privacy Shield “does not grant data subjects actionable rights before the courts against the US authorities”.  Interestingly, SCCs were ruled to still be valid.

Where do we stand now?

Currently, the use of SCCs is all that we have.  They’ve potentially been on rocky ground since the Privacy Shield ruling, as highlighted by Max Schrems.  As of June 2021, the European Commission is still publishing SCCs.  This most recent batch specifically aimed to address the flaws found in SCCs by the EU CoJ during its recent ruling.  The European Data Protection Board released complementary advice on how businesses can better assess the risks associated with international data transfers.  

To me, SCCs are insufficient.  It’s all very well to include it in your business contracts that data will be adequately stored, but that does not supersede domestic laws.  I would be very interested to see if companies verify the security of data that is being transferred to third countries.  Do companies trust that the contract is being followed, or are there reasonable ways to manually verify this?

From chatting to lawyers about the issues, a lack of international standardisation was also highlighted.  A wide variety of languages are spoken around the world.  SCCs would theoretically need to be available in every language to ensure consistency.  A lack of summary of international laws was also highlighted.  

Let’s say you belong to country X, and you want to transfer data to country Y.  There’s no single resource you can look at to learn about all of the laws in country Y, written in your language.  This makes it much more complex to understand the data protection requirements which must be addressed within the SCCs.  It may also be the case that laws are more implicit than explicit; we can all think of countries with governments that are known to overstep on access to citizens’ data.  But is this an explicitly noted law which an international company may be able to directly read?  Or is it an “everyone knows that!” piece of cultural knowledge?

Whilst I believe SCCs are insufficient because they do not supersede domestic laws, I believe that the problem is made much worse by the above issues.  It is no small task for a company to figure out how to securely transfer data, and these issues only add to the difficulty.  By not providing simpler solutions and frameworks (or even more hands-on support), companies may unintentionally be insufficiently protecting their customers’ data.  

What do we do about this?  Frankly, I have no idea.  I think that we are at an impasse due to some countries having domestic laws allowing data access which would supersede any international laws which could be agreed upon.  

As a stop gap, companies could be more hands-on in protecting their data.  If you want to store data in a third country such as the US, perhaps it would be wise to encrypt your data prior to completing this transfer.  But you would want to make sure that the key is held outside of the US, by a non-US company.  As the CLOUD Act allows the US government to compel a US company to provide it with access to any data it holds (even if that data is physically stored outside of the US), this mechanism could be used to access encryption keys held by a US company.  But then, you may still have to worry about the encryption-cracking capabilities of the country you wish to store your encrypted data in.  

In general, it’s a bit of a mess.  There’s no perfect solution to the problem.  

Does this actually affect consulting work at all?  

Basically, no.  These legal issues are a problem for large international companies which habitually transfer data internationally.  I ended up chatting to some lawyers on the panel I took part in, and put the question to them: “What if I was doing a penetration test from the US and gained access to sensitive information when testing for an EU-based client?”  The general consensus was that this would not be within the scope of these legal issues.  The standard contractual clauses should ensure that any data accessed is deleted anyway.  Plus, frankly, the NSA probably doesn’t really give a shit about random pen tests, so wouldn’t bother going after whatever you had accessed.  If anyone else wants to weigh in on the matter though, be my guest!

Published in Information Security
