
The Current State of Cross-Border Data-Transfers


Ali Mesbahian is an IPilogue Writer and a 2L JD Candidate at Osgoode Hall Law School.


It is now an unfortunate truism that we are all subjects of perpetual surveillance. The legal infrastructure that sustains and enables this Orwellian dystopia is undoubtedly overwhelming and discouraging for those seeking change. But victories are also possible; the two Schrems cases, discussed below, are an example. Yet, these cases also point to the need for a more or less uniform legal order for data governance.

Schrems I

In 2015, Austrian law student and privacy activist Maximilian Schrems sued Facebook Ireland for what he alleged to be an . Schrems claimed that the U.S. mass-surveillance program renders it unable to provide an of personal data (PD). The EU Data Protection Directive (95/46/EC) imposes this requirement on countries outside of the EU. While Canada passed the in order to meet this requirement, the U.S. negotiated the with the EU, a self-certification scheme that allows U.S. organizations receiving information from the EU to attest that they adhere to EU data and human rights laws.

Schrems challenged the Safe Harbour Agreement, which passed muster with the European Commission (EC) in . The EC is the executive branch of the EU that, among other things, . However, following Edward Snowden’s , there could be no doubt as to the “generalized basis” by which the U.S. government collects and stores citizens’ data, which the Court of Justice of the European Union (CJEU), Europe’s highest court, found to “.” This decision, which came to be known as Schrems I, ultimately invalidated the Safe Harbour Agreement.

Schrems II

While the initial decision was a victory for Schrems, it later turned out that Facebook was not relying on the Safe Harbour Agreement, but on the ). These clauses, also passed by the EC, .” Compelled to revise his challenge in 2015, Schrems alleged that contractual arrangements in the U.S. legal regime cannot adequately protect PD because, among other things, U.S. law to the U.S. National Security Agency (NSA) and the Federal Bureau of Investigation pursuant to . In the meantime, following the invalidation of the Safe Harbour Agreement, the U.S. and the EU negotiated another self-certification scheme for U.S. companies called the Privacy Shield Agreement, which the EC in 2016.

In the , released in July 2020, the CJEU once again invalidated an EC adequacy decision, this time invalidating the Privacy Shield Agreement because it does not contemplate sufficient avenues for individuals to bring an action against the government for unlawful surveillance. The CJEU ultimately agreed with Schrems that the U.S. legal system, , does not provide “essentially equivalent” protection of data as EU law. Thus, while the CJEU in Schrems II held that SCCs may provide “effective mechanisms” for the protection of transferred PD pursuant to EU law, including the passed in 2018, it also emphasized that SCCs do not bind public authorities of data-receiving countries. In other words, the U.S. government is not a party to SCC contracts between data importers and individuals, leaving its vast surveillance apparatus unrestrained.

Implications of Schrems

Schrems II confirms the CJEU’s stance against mass-surveillance. But while a victory for privacy, the decision also creates a web of uncertainty; for now, s.” This impossibility has raised concerns in the health industry, of which

It is too soon to evaluate the implications of the Schrems II decision, given that the EC just released on June 4, 2021. provisions into standardized contracts for the international transfer of data. With the invalidation of both the Safe Harbour Agreement and the Privacy Shield Agreement, we are left with the discrepancy between rigorous data protection laws in one jurisdiction (i.e., the EU) and a lax legal order with respect to surveillance in the other: a lack of coordination that significantly withholds the benefits associated with international data flow.