For those interested in a TL;DR on #SchremsII here is a quick thread highlighting and explaining the key holdings, for more see @EPICprivacy page here epic.org/privacy/intl/d… and @NOYBeu page here noyb.eu/en/CJEU-Media-…
The case is about whether EU law permits a company like Facebook (Ireland) to transfer the personal data of EU citizens to affiliated entities in the United States. The GDPR requires that transfers fall within the authorities outlined in the regulation. curia.europa.eu/jcms/jcms/Jo2_… Paragraph 8 from the judgment, recital 101 from GDPR
This case arose from an investigation by the @DPCIreland into a complaint filed by @maxschrems against Facebook alleging that transfers of his personal data to the US violated his rights under the EU Data Protection Directive and the Charter of Fundamental Rights.
During the DPC investigation, Facebook said most transfers were authorized under standard contractual clauses approved by the European Commission as providing "appropriate safeguards" under the Directive (now GDPR). These are contracts between FB-Ireland and FB-US. Paragraph 13 of the Judgment, Article 45 paragraph 3 of GDPR
The DPC concluded that standard contracts did not provide adequate protection for personal data transferred to the US because FISA and other surveillance laws authorize access to EU citizens' personal data without judicial review in violation of rights under the Charter. Paragraph 54 of the Judgment
So the DPC brought a case in the Irish High Court seeking a "referral" to the highest court in Europe (CJEU) concerning the validity of the European Commission's standard contractual clause decisions. While that case was pending, the EU and U.S. negotiated the "Privacy Shield."
The EU-U.S. Privacy Shield agreement replaced the old "Safe Harbor" agreement that the CJEU struck down in 2015 in the Schrems I case. The agreement included an analysis of U.S. surveillance law and several related "annexes" of statements from U.S. officials. Paragraph 43 of the Judgment
The European Commission issued an "adequacy decision" based on the Privacy Shield in 2016, which provided an alternative basis for data transfers to the U.S. under the Directive (and later GDPR). Facebook argued that the Irish High Court had to defer to this decision. Paragraph 66 of the Judgment
The Irish High Court, after considering evidence introduced by the DPC, Facebook, and Schrems and hearing from amici curiae including @EPICprivacy and the United States, referred 11 questions to the CJEU. The court grouped those questions into 5 sets (and added another).
First, does EU Law (GDPR) apply to transfers of personal data by a business w/r/t potential data processing by a law enforcement or government intelligence agency (FBI/NSA)? Even though GDPR does not apply to transfers by EU member states for such purposes. The answer? YES Paragraphs 86-89 of the Judgment
Second (?s 2, 3, and 6), what factors need to be considered when evaluating the level of protection for personal data transferred under the SCCs? The answer? Data subjects must be afforded a level of protection "essentially equivalent" to what is guaranteed by GDPR + the Charter. Paragraphs 104 and 105 of the Judgment
This means that transfers under the SCCs must be evaluated based on both the contractual clauses themselves and also based on the relevant legal rules in the third party country to which the data is being transferred (e.g. the United States).
Third (?#8), is a data protection authority required under GDPR to suspend data transfers under the SCCs if they find that adequate protection cannot be provided as to specific transfers? The answer? YES Paragraphs 111-114 of the Judgment
Fourth (?s #7, 11), are the European Commission's decisions approving the standard contractual clauses valid? The answer? YES. Because the SCCs themselves require that processors provide an adequate level of protection or else stop the transfers. Paragraphs 131 and 132 of the Judgment; Paragraph 140 of the Judgment; Paragraphs 141 and 142 of the Judgment
Fifth (?s# 4, 5, 9, and 10), to what extent are the EC findings on Privacy Shield and adequacy re: US law binding on data protection authorities? Does US law actually provide adequate protection for personal data of EU citizens transferred there? The answers? YES and NO.
This is groundbreaking and worth breaking down in more detail. The Charter of Fundamental Rights provides that any limitations on the freedoms it recognizes must "be provided for by law and respect the essence of those rights." Scope of the limitation must be clearly defined. Paragraphs 174 and 175 of the Judgment
These limitations must be proportional and apply only so far as is strictly necessary. The law that interferes with Charter rights "must lay down in clear and precise rules" the scope and application and must impose "minimum safeguards" to protect against abuse. Paragraph 176 of the Judgment
What does this mean for the US? Well neither Section 702 of FISA, nor EO 12333, nor PPD-28 provide the necessary minimum safeguards. Those authorities are not limited to what is strictly necessary. They are overbroad. They also don't provide any effective remedies. Paragraph 184 of the Judgment; Paragraph 192 of the Judgment
This was the central focus of @EPICprivacy amicus submissions in this case. U.S. law fundamentally discriminates against non-U.S. persons, authorizing suspicionless surveillance w/o judicial review or chance for redress. US law does not provide adequate protections for EU data.
The result? SCCs are valid, but controllers and DPAs in EU must review transfers / laws in third countries to ensure adequate protection or else block transfers. Privacy Shield decision invalidated; US transfers subject to GDPR. Fin. Paragraphs 199-201 of the Judgment