Schrems Trampled on the Shield
The EU-US Privacy Shield agreement is now invalid
Have you heard about Schrems I and Schrems II? If you have, I'll tell you in advance that this post is about them. If you haven't, you can discard any sudden idea that these are movie titles.
Last month I received a post from Matomo that, after reading it, I didn't understand very well. It was political stuff, and I have to admit that I haven't had a great relationship with politics throughout my career. So I decided to look for more information that would allow me to expand my understanding of what was happening. This post might help you in a similar way.
The event highlighted in that post, or at least its apex, occurred on July 16 this year. That day, the Court of Justice of the European Union (CJEU) determined that the EU-US Privacy Shield agreement, a safeguard used by many companies to transfer personal data from the European Union to the United States for commercial purposes, was invalid. This happened in part because of one man's enthusiasm. Let's get this straight.
Many of us know that, in their daily activity, some US companies (and companies from other places) collect a variety of data on people around the world, including in EU countries. What has proved problematic is the collection of more data than is strictly necessary, or the unauthorized use of such data. The Cambridge Analytica incident immediately comes to (my) mind (you can watch a documentary about it here).
Figure 1. Schrems’s photo taken from Handelsblatt.
It was in 2013 when our main character (although I said this is not a movie) appeared with a legal case associated with inappropriate use of data. We're talking about Max Schrems, an Austrian privacy rights campaigner, who challenged the transfer of personal data (his and other EU citizens') from Facebook to servers in the US. He did it before the Irish Data Protection Commission (DPC), questioning the validity of the Safe Harbor Agreement between the US Department of Commerce and the European Union for the regulation of data transfer. Then, following the rejection of his complaint by the DPC, he submitted the case to the High Court. From there, it was referred to the CJEU. Finally, in 2015, they considered that the Safe Harbor principles were invalid and inadequate to protect EU citizens' information. That ruling was called Schrems I. It led those who had proposed the Safe Harbor Agreement to quickly seek an alternative framework for the protection of data in transfer between the EU and the US.
That's how the EU-US Privacy Shield came about. It was built to fulfill what the Safe Harbor Agreement did not. Specifically, this new agreement was intended to ensure consistency with EU law in the use of information coming from EU citizens to the US. However, this 'shield,' according to Tewari, "was heavily criticised by activists and data protection experts alike for not providing any concrete protection against indiscriminate access to personal data for national security purposes."
It was then that Schrems appeared again and gave rise to a new legal case (the sequel?), Schrems II. Here, he was challenging the operation of data transfer agreements (Standard Contractual Clauses, SCC) with non-EU countries as well as the bilateral agreement with the US (Privacy Shield). Like the previous case, this took a considerable amount of time to reach the members of the CJEU. Afterward, some more time had to pass before a determination was made. In the end, there was no problem with the SCC (to the relief of many businesses), but, as we mentioned above, the invalidity of the EU-US Privacy Shield was made public.
Once again, the US's domestic law wasn't guaranteeing protection of fundamental rights (mainly personal data privacy) equivalent to that guaranteed by EU law. The Privacy Shield was not configured to comply with the EU's General Data Protection Regulation (GDPR), especially with regard to using strictly what is necessary. That agreement, which had been used by Facebook to support their data transfers to the US, "could not [...] an adequate level of protection for EU personal data in the event of access by US intelligence agencies." In fact, requests by these agencies could take priority over EU personal privacy rights, according to United States security laws.
Just like Tewari tells us, "[with] this ruling, the [CJEU] reiterated its strong commitment to upholding EU citizens' fundamental right to have their data processed fairly, with consent and for specified purposes." Max himself revealed his happiness to noyb about the judgment. (noyb, broadly speaking, is a group initiated by Schrems that seeks to enforce the privacy rights of individual users in Europe.) He also explicitly stated "that the US will have to seriously change their surveillance laws" to allow US companies "to continue to play a major role [in] the EU market."
Indeed, Facebook was not the only company affected by the judgment. "Literally overnight 5,378 US participants were directly impacted," shared the Global Legal a few days ago. However, the impact goes further, and "the decision affects many EU businesses which relied on it to legalise EU-US data transfers, especially to US service providers." In line with the statements by Falzone, many of those companies that invested time and money in certifying compliance with the Privacy Shield "did nothing wrong" but did "exactly what they were asked to do." But what if their mistake was in subscribing to something they did not know well? In any case, those that now depend entirely on that agreement are, purely and simply, violating
Similar to what happened after Schrems I, after Schrems II the involved parties in both regions will be looking for a new way forward, based on some reformulations. Nonetheless, contrary to the first case, it appears that there will be no formal grace period for implementing the required changes this time. Besides, other countries that collect data from the EU will also have to make some adjustments due to their inadequate data protection. Either way, those involved will look for an early solution. Currently, the exception is supposed to be that only crucially 'necessary' transfers will be kept. What does that mean? I don't know. What I'm clear about is what Tene said: "data will continue to flow across borders."
Nevertheless, Max Schrems has achieved it again. He first trampled on the 'Harbor' in Schrems I. Now he's done it on the 'Shield' in Schrems II. This is not fiction, as I warned before; we're talking about a real fact. Better, a commendable fact. It encourages more accurate assessments of each party's surveillance laws when establishing security arrangements. Furthermore, an emphasis is placed on the responsibility that government agencies have to take action. They must always ensure the enforcement of data protection laws and security standards, such as
By the way, GDPR is one of those standards we have recently synthesized here at Fluid Attacks in our
Finally, if you want more information on Schrems's cases, follow this link. And if you also want some practical advice related to this situation, you can read the Matomo post mentioned at the beginning.