Schrems Trampled on the Shield

Have you heard about Schrems I and Schrems II? If you have, I tell you in advance that in this post we’ll talk about it. If you haven’t, you can discard the possible, sudden idea that this refers to movies.

Last month I received a Matomo’s post that, after reading it, I didn’t understand very well. It was political stuff, and I have to admit that I haven’t had a great relationship with it throughout my career. Then, I decided to look for new information that would allow me to expand my comprehension of what was happening. This writing might help you in a similar way.

The event highlighted in that post, or at least its apex, occurred on July 16 this year. That day, the Court of Justice of the European Union (CJEU) determined that the EU-US Privacy Shield agreement, a safeguard used by many companies to transfer personal data from the European Union to the United States for commercial purposes, was invalid. This happened in part because of one man’s enthusiasm. Let’s get this straight.

Many of us know that in their daily activity, some US companies (and from other places) collect a variety of data on people around the world, including EU countries. What has proved problematic is the collection of more data than is strictly necessary or the unauthorized use of such data. —Immediately comes to (my) mind the incident with Cambridge Analytica (watch a documentary about it here).

It was in 2013 when our main character (although I said this is not a movie) appeared with a legal case associated with inappropriate use of data. We’re talking about Max Schrems, an Austrian privacy rights campaigner, who challenged the transfer of personal data (his and other EU citizens') from Facebook to servers in the US. He did it before the Irish Data Protection Commission (DPC), questioning the validity of the Safe Harbor Agreement between the US Department of Commerce and the European Union for the regulation of data transfer.

Then, following the rejection of his complaint by the DPC, Schrems submitted the case to the High Court. From there, it was referred to the CJEU. Finally, in 2015, they considered that the Safe Harbor principles were invalid and inadequate to protect EU citizens' information. That ruling was called Schrems I. It led those who had proposed the Safe Harbor Agreement to quickly seek an alternative framework for the protection of data in transfer between the EU and the US.

That’s how the EU-US Privacy Shield came about. It was built to fulfill what the Safe Harbor Agreement did not. Specifically, this new agreement was intended to ensure consistency with EU laws for the use of information that was to come from the EU citizens to the US. However, this 'shield,' according to Tewari, "was heavily criticised by activists and data protection experts alike for not providing any concrete protection against indiscriminate access to personal data for national security purposes."

It was then that Schrems appeared again and gave rise to a new legal case (the sequel?), Schrems II. Here, he was challenging the operation of data transfer agreements (Standard Contractual Clauses, SCC) with non-EU countries as well as the bilateral agreement with the US (Privacy Shield). Like the previous case, this took a considerable amount of time to reach the members of the CJEU. Afterward, some other time had to pass before a determination was made. In the end, there was no problem with SCC (to the relief of many businesses), but as we mentioned above, the invalidity of this EU-US Privacy Shield was made public.

Once again, the US’s domestic law wasn’t guaranteeing protection of fundamental rights (mainly personal data privacy) equivalent to that guaranteed by the EU law. The Privacy Shield was not configured to comply with the EU’s General Data Protection Regulation (GDPR), especially with regard to using strictly what is necessary. That agreement that had been used by Facebook to support their data transfers to the US "could not guarantee an adequate level of protection for EU personal data in the event of access by US intelligence agencies." In fact, requests by these agencies could take priority over EU personal privacy rights, according to United States security laws.

Just like Tewari tells us, "[with] this ruling, the [CJEU] has reiterated its strong commitment to upholding EU citizens' fundamental right to have their data processed fairly, with consent and for specified purposes." Max himself revealed his happiness to noyb about the judgment. (noyb, broadly speaking, is a group initiated by Schrems that seeks to enforce the privacy rights of individual users in Europe.) He also explicitly marked "that the US will have to seriously change their surveillance laws" to allow US companies "to continue to play a major role [in] the EU market."

Indeed, Facebook was not the only company affected by the judgment. "Literally overnight 5,378 US participants were directly impacted," shared the Global Legal Post a few days ago. However, the impact goes further, and "the decision affects many EU businesses which relied on it to legalise EU-US data transfers, especially to US service providers." In line with the statements by Falzone on ESRB, many of those companies that have invested time and money to certifying compliance with the Privacy Shield "did nothing wrong" but "exactly what they were asked to do." But what if their mistake was in subscribing to something they did not know well? In any case, now, those that depend entirely on that agreement, purely and simply are violating GDPR.

Similar to what happened after Schrems I, already after Schrems II, the involved parties in both regions will be looking for a new way forward, based on some reformulations. Nonetheless, contrary to the first case, it appears that there will be no formal grace period for implementing the required changes on this occasion. Besides, other countries, for the collection of data from the EU, will also have to make some adjustments due to their inadequate data protection. Either way, those involved will look for an early solution. Currently, the exception is supposed to be that only crucially 'necessary' transfers will be kept. What does that mean? I don’t know. What I’m clear about is what Tene said: "data will continue to flow across borders."

Nevertheless, Max Schrems has achieved it again. He first trampled on the 'Harbor' in Schrems I. Now he’s done it on the 'Shield' in Schrems II. This is not fiction, as I warned before; we’re talking about a real fact. Better, a commendable fact. It encourages more accurate assessments of each party’s surveillance laws when establishing security arrangements. Furthermore, an emphasis is placed on the responsibility that government agencies have to take action. They must always ensure the enforcement of data protection laws and security standards, such as GDPR.

By the way, GDPR is one of those standards we have recently synthesized here at Fluid Attacks in our product Rules. Finally, if you want to get more information on Schrems’s cases, follow this link. And if you also want some practical advice related to this situation, you can read the Matomo’s post mentioned at the beginning.