The judgment delivered on 16 July 2020 by the Court of Justice of the European Union (CJEU), also informally known as the European Court of Justice (ECJ) and the supreme court of the European Union, has drawn global attention.
William Maema, a Senior Attorney and Partner at global law firm DLA Piper Africa, takes us through the background proceedings of the now famous ruling and what it means for data privacy and protection in a period of increasing data breaches across the world.
Background to the case
The proceedings before the Court were filed by one Mr Max Schrems, an Austrian national, and the parties included the Governments of the United States, Germany, Ireland, Belgium, the Czech Republic, the Netherlands, France, Austria, Poland, Portugal and the UK, as well as the European Parliament, the European Commission and the European Data Protection Commissioner, among others.
Mr Schrems, a user of the Facebook social network since 2008, filed a complaint requesting, in essence, that Facebook Ireland Limited be prohibited from transferring his personal data to its US parent company, Facebook Inc, on the grounds that the law and practice in force in the US did not ensure adequate protection of the personal data held in its territory against the surveillance activities of its security agencies.
He claimed that US law requires Facebook to make the personal data transferred to it by its subsidiaries available to certain governmental agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
He therefore sought orders to prohibit the transfer of his personal information by Facebook Ireland to the US.
The evidence before the Court showed that under US law, operators of the internet backbone are required to allow the NSA to copy and filter internet traffic flows in order to acquire communications from, to or about non-US nationals.
The law also allows the NSA to intercept data in transit to the US by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before its arrival in the US.
The US Government admitted that it did not grant data subjects actionable rights before the courts against US authorities. US law did not, therefore, confer rights which were enforceable against security agencies through US courts.
Finally, the evidence showed that, unlike in Europe where there is a well-established judicial mechanism for redressing breaches of personal data, US law did not afford EU citizens a level of protection equivalent to that guaranteed by European law.
Although the initial proceedings in this case were lodged in 2015, before the enactment of the General Data Protection Regulation (GDPR), the judgment is based on the protections granted to EU data subjects under the GDPR, since it was the applicable law by the time the judgment was rendered.
The GDPR recognises that rapid technological developments and globalisation have brought about new challenges concerning the protection of personal data.
Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale.
Natural persons increasingly make personal information available publicly and globally in the ordinary course of their daily social and economic lives without paying much attention to the commercial value of such information.
While in principle the law should facilitate the free flow of personal information, the countries in which such information is shared must have adequate safeguards to ensure its protection against unlawful access and use.
The European apex court ruled in favour of Mr Schrems and observed that:
- Where personal data of persons in the EU is transferred to a country outside the EU, that country must afford the data protection equal to that available in the EU under the GDPR and the EU Charter. The country must have appropriate safeguards, enforceable rights and effective legal remedies which are essentially equivalent to those guaranteed within the European Union;
- Where it is proved that contractual clauses are not or cannot be complied with in the destination country, transfer of personal data to such country should be prohibited by the national data protection regulator since, by their inherently contractual nature, such clauses are not capable of being binding on the governmental authorities of that country;
- Where the data controller or processor is unable to take adequate additional measures to guarantee the protection of the personal data, the national data protection regulator is required to suspend or prohibit the transfer of personal data to the country concerned, e.g. where the law of that country imposes obligations on the recipient of the personal information which are contrary to the safeguards available locally;
- Where personal data has already been transferred to a country that does not provide equivalent protection, the national data regulator should order such information and all copies of it to be returned and destroyed in their entirety; and
- Data subjects must have the possibility of bringing legal action before an independent and impartial court in the destination country for the purposes of having access to their data or obtaining its rectification or erasure. Therefore, where, as in the US, the legislation does not provide for the possibility of an individual pursuing legal remedies for breach of his personal information, transfer of data to that country should generally be refused.
In my view, the Court’s decision is correct on all the points that it dealt with. It will have far-reaching implications, especially for US multinationals whose subsidiaries across the world handle personal data belonging to data subjects outside the US.
Since most data protection laws, including the Kenyan Data Protection Act, are tailored along the GDPR model, we expect data protection regulators to adopt a similar interpretation to safeguard the personal information of data subjects in their countries.
This will make it more difficult for personal information to be transferred outside the country, especially to the US, due to the gaps in the protection mechanisms that were identified by the CJEU in the Schrems II case.
The case is also important because it dealt with the transfer of data between related entities, i.e. a company and its subsidiary, through an automated system, which is very common.
Multinationals will have to rethink their model of data storage. For Facebook and other social networks which have their cloud servers in the US, there may be an avalanche of claims by data subjects arising from the precedent set by the Schrems II case.
The case also lays bare the ineffectiveness of standard contractual clauses, which purport to give the data subject protection while in actual fact their data is available for inspection by third parties, including governmental agencies.
Facebook Ireland Ltd had argued that there was no breach since its parent company was bound by contractual clauses to safeguard the personal information of the data subjects, but the Court found that snooping governmental authorities were not bound by such clauses.
The Court’s decision will have a significant negative impact on e-commerce which, by definition, is borderless. Data is the new oil, without which, modern businesses cannot operate efficiently and profitably.
Free movement of personal information across different markets and geographies is essential. When this is hampered especially in relation to a significant market like the US, international trade is likely to suffer.
The decision deals a heavy blow to providers of cloud data storage services, which are also borderless. Since the US is unlikely to relax its security laws because of the Schrems II decision, many US cloud service providers may have to relocate their servers to Europe, which, thanks to the GDPR, has the most developed data legislation in the world. This is an expensive and disruptive undertaking.
The decision will also jolt countries across the world to enact data protection laws which are compliant with the principles of the GDPR.
This judgment may therefore end up being the much-awaited catalyst for a global wave of enacting and harmonising data protection laws along the GDPR model.
What the case means to Kenya and the world
Kenya enacted its first data protection law in 2019. The Data Protection Act (“DPA”) has not been fully operationalised, owing primarily to the absence of the institutional framework necessary to implement the provisions of the Act. In the circumstances, Kenya at present has no relevant jurisprudence on the Act and its provisions.
However, since the DPA is modelled along the GDPR principles, the CJEU’s interpretation of the GDPR in the Schrems II case will have a substantial influence on the interpretation of the DPA by the Data Protection Commission and Kenyan courts.
Although the fines and penalties stipulated in the DPA are not as high, they are likely to cause sufficient financial and reputational damage to organisations which fail to observe the provisions of the DPA.
The EU is the undisputed gold standard in data protection, and we expect all courts in the world to conform to its precedents.
The most important consideration for any organisation in the world handling large-scale personal data is to ensure that such data is processed in strict compliance with the GDPR.
Since the GDPR was enacted a couple of years ago, many businesses across the world, including Google, Marriott Hotels and British Airways, among others, have suffered huge fines and penalties due to data breaches.