The July 2020 judgement of the Court of Justice of the European Union (CJEU) in the so-called Schrems II case has resulted in a great deal of uncertainty for organizations engaging in the transnational transfer of personal data, in particular when those transfers are to entities in the United States. This post will investigate the enforcement issues on which the Schrems II reasoning is based, and discuss the potential effects that the decision has for General Data Protection Regulation (GDPR) enforcement.
Schrems II is the most recent installment of ongoing litigation that resulted from a complaint that Maximilian Schrems filed against Facebook with the Irish Data Protection Commissioner (DPC) in 2013. Schrems’ complaint objected to Facebook transferring personal data to the United States (US) as contrary to the protections provided by the GDPR. It was based in part on the US National Security Agency (NSA) documents leaked by Edward Snowden in the summer of 2013. These documents revealed a mass surveillance program run by the NSA under Sec. 702 of the Foreign Intelligence Surveillance Act (FISA). This surveillance included direct collection from major US telecommunication providers, internet service providers, and Internet content providers under a program code-named PRISM. Schrems’ complaint was rejected by the DPC, and Schrems sought judicial review. It eventually led to an assessment of data protection adequacy decisions specifically regarding transfers to the US. The CJEU has twice, in Schrems I and Schrems II, struck down adequacy decisions with the United States.