The nature of data privacy in the globalized world has been long debated. It is often said that data is ‘the new oil of the digital economy’, but to what extent can we control our own personal information? Should it be entirely up to individuals to decide how they want to handle their data, or should companies be able to freely transfer user data to different countries for business purposes? What is the line between one’s individual right to protect one’s privacy and companies’ need to operate on the international level without legal difficulties? These are all the questions debated by judges, business experts, and private individuals alike. We live in the world, which offers numerous free apps and tools to improve our lives' quality, but one has to remember that they are not free-of-charge, but they charge us in a different currency: our personal information. As people become aware of how their data can be used against them, for scams, frauds, and different cybercrime, global concerns regarding personal digital data security are on the rise. According to Statista, 90% of global online users had at least one significant concern about data privacy. 47% was afraid that their private data would be leaked in a data breach and used by cybercriminals, 40% was concerned about their sensitive personal information being sold to third parties and used in decision-making processes without their consent, and 31% was worried about the uncertainty of data’s future use. Interestingly, 12% of surveyed users voiced their concerns regarding personal data’s potential use in influencing their voting choices in the national elections. It shows that data privacy is not a theoretical issue discussed in courtrooms, but a legitimate concern to address in our own daily lives. Can we protect our sensitive personal information in the borderless, hyper-connected world? Let us take a closer look at the case of Maximillian Schrems, which went to court against Facebook in order to protest against international data transfers of his personal information.
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
Mr. Maximilian Schrems, a privacy rights activist, had used Facebook since 2008 for personal purposes, using a false name to protect his identity. In 2011, he began to use the social media platform to promote his work as a privacy activist, updating his following on his legal proceedings and lectures, as well as collecting funds for his activism. During the same period, he filed several complaints against Facebook Ireland, claiming that it violated data protection provisions under Austrian, Irish and EU law. He demanded the court, among other things, to prohibit the use of his data for certain purposes and grant him full disclosure concerning the way his personal information is used. It is important to mention that Mr. Shrems published two books about his legal proceedings and gave numerous lectures, some of which were remunerated, which is exactly why The Regional Civil Court dismissed his claim. The court decided that since he used Facebook for professional purposes, he could not base his claims on provisions regulating consumer contracts. After the ruling, he appealed to the Higher Regional Court in Vienna, and the case was eventually assigned to the Supreme Court of Austria, and finally to the Court of Justice of the European Union. The Court of Justice of the European Union had to consider the meaning of “consumer” under Regulation 44/2001 and finally decided that Mr. Schrems could not lose his status as a ‘consumer’ because of his professional activities (publishing books, lecturing, etc.). Schrems also argued against the transfer of his personal data from Facebook Ireland Ltd to Facebook Inc’s servers located in the US, claiming it was a breach of the GDPR, as his data was not sufficiently protected and therefore Irish authorities were legally obliged to prevent such transfers to comply with EU data protection regulations. The case continued and in 2015, the Court of Justice decided that the previous regulation on data transfers and protection (‘the Safe Harbour Decision’) is invalid, but did not question the compatibility of US law with European data protection requirements. The court’s ruling did not solve the issue, and the case was examined again in 2020. What did the court decide in 2020?
US laws on data protection are not strict enough to meet EU law requirements
On the 16th of July 2020, The Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield, claiming that “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” make it impossible for US laws on data protection to fully meet EU law requirements. The court decided that the American “surveillance programmes [...] are not limited to what is strictly necessary”, and individuals, whose private information are transferred to a third country must be given a “level of protection essentially equivalent to that guaranteed within the EU by the GDPR”. In practice, it means that companies, which transfer data from the EU to the US have to establish a new legal agreement for legal compliance. Nevertheless, the court also ruled that certain contractual clauses for data transfer to third countries are not problematic as long as “compliance with the level of protection required by EU law” is ensured and transfer of personal data is suspended or prohibited if legal clauses regarding sufficient data protection are breached or it is impossible to honor them. Consequently, the court supported the validity of Decision 2010/87, confirming that the use of standard contractual clauses does not violate GDPR.
All in all, the court’s ruling challenged the current global system of data protection and data transfers, calling for new legal agreements, which would ensure compliance with EU requirements for data protection and data privacy in the globalized world. Perhaps it is a small step for the judicial system, but one giant leap for privacy activists in the fight for data transparency and protection of our new capital - data.