This year the Association of the Internet Industry is celebrating it’s 25th anniversary. In the past 25 years, eco has shaped numerous internet policy debates in Germany, Europe and even at international level: A Review of the 25 Biggest Internet Policy Debates.
For some years now, Maximilian Schrems from Austria – the former law student and now well-known data protection activist – has been trying to teach the Internet company Facebook a lesson when it comes to issues of data protection. In 2013 Schrems filed a first complaint against Facebook with the Irish data protection authority. Not long before that, the whistleblower Edward Snowden had delivered the public with initial information on the surveillance practices of the US intelligence services. In light of the massive level of global surveillance, Schrems argued in his complaint that the transfer of his European data to the USA violated his fundamental rights under EU law.
The data protection authority, however, dismissed the complaint. Schrems sued, his case went to the Irish High Court and then to the ECJ, and this ultimately brought down the controversial “Safe Harbor” agreement in 2015 – an agreement which was intended to make data transfers between companies in the EU and the US possible. The “Safe Harbor” was shortly afterwards replaced by the EU-US Privacy Shield, which laid down the framework conditions for the handling of data of EU citizens in the USA. But the end of the dispute was nowhere in sight.
“Schrems II”: After the Austrian had adjusted his complaint by means of legal detours, the case found its way to the ECJ again in the summer of 2019. This time the ECJ was to clarify whether the transfer of personal data of EU citizens to the USA was lawful on the basis of standard contractual clauses and the Privacy Shield.
With the new decision of the EU Court on 16 July 2020, the Privacy Shield was in the event also overturned. The reasons: The protection offered by the Privacy Shield was deemed to be insufficient for the transfer of personal data from the EU to the USA. The US authorities had access to the data, and this was judged to be incompatible with the requirements of European data protection law. The European judges ruled that US legislation is therefore not limited to the extent necessary and that the legal protection for data subjects is also insufficient.
In the wake of the Safe Harbor, the second international agreement for the transfer of personal data to third countries has therefore also been struck down, and companies are currently once again confronted with great legal uncertainty. This decision also presents dire consequences for the Internet industry and all international business models on both sides of the Atlantic. As such, the EU Commission must now promptly present practicable and sustainable solutions for the transfer of data to third countries and, in so doing, restore legal certainty for companies.