Schrems II: there's no way to transfer data to US and comply with EU law

Karlin Lillington: ECJ ruling has essentially invalidated business model of digital giants

In the week since the Court of Justice of the European Union (ECJ) handed down its far-reaching decision in the Schrems 2 case, many – especially in the US – just keep missing the earth-shattering, business-recalibrating nature of the decision.

Those failing to look deeply enough may think the decision is about one, now-invalidated, data-transfer agreement (Privacy Shield) and the use of possible alternatives (standard contractual clauses, or SCCs).

In fact, the ruling effectively invalidates surveillance capitalism as the baseline structure of so many powerful corporations, and even small start-ups. And it exposes the interrelationship between state-driven surveillance and surveillance capitalism.

Twice now, in the Schrems judgment of 2015 and again last week, the ECJ has found that data transfer agreements between the United States and the EU fail to guarantee that European citizens' data sent to the US is protected to the level required by the EU.

The first 2015 victim was Safe Harbour, a nudge-and-wink agreement few considered to be more than a sagging transatlantic data fig leaf.

Last Thursday, the court declared invalid Safe Harbour’s equally ineffectual offspring, the Privacy Shield agreement, as it too fails to guarantee the fundamental data protection and privacy rights of EU citizens. Fundamental, because they are based on foundational rights guaranteed to EU citizens – as much a bedrock for EU law and citizen rights as the US constitution is across the Atlantic.

Nonetheless, many focused on the court sanction of SCCs, template agreements used to create data transfer contracts, as an alternative transfer mechanism. But they are valid only if the country to which data is being sent can offer EU-level data protection guarantees.

No adequate way

On that basis, there’s no adequate way to send data to the US (and by extension, the UK). As the decision clearly states, countries with national security or other laws that allow state agencies access to such data without EU-level protections in place are unable to comply with EU law.

There’s no “however”, there’s no “business and surveillance as usual may continue because this is dreadfully inconvenient to both”. There’s no magical thinking that makes these states able to comply, when there’s too little oversight or transparency. To be compliant, these states have to change their surveillance laws.

How likely are they to do that, especially for EU citizens, but not their own? Well, exactly.

"The problem with SCCs lay in using them to legitimate exporting data to third countries where contractual guarantees to treat personal data according to EU standards cannot guarantee adequate protection of rights when that government interferes with the data subjects' rights, such as mass surveillance lacking effective oversight and redress," says Katherine O'Keefe, director of training and research at data consultants Castlebridge. "Updating the contracts can't resolve this problem in absence of changes to third countries' laws and practices to provide protections."

As a consequence, the decision also guts the data-gathering surveillance capitalism model that has become the predominant model of nearly every type of digital interaction we engage in on a daily basis.

As we use our mobile devices, visit websites, post to Facebook, buy online, use text-based services, turn on our TVs, drive our cars, listen to music, ride public transport, use an app, we are tracked, tracked, tracked.

Valuable trove

It’s an incredibly valuable trove of data, taken in hidden ways that are hard for us (or lawmakers) to notice. Read your app or device user agreements much? Thought not.

Our data, which is grabbed in these obscured ways, traded for "free" services we get as hooked on as nicotine, has given companies such as Facebook and Google their vast valuations and extraordinary power.

Much of that data is transferred to and processed by the big US (primarily Silicon Valley) internet and social media platforms.

As Edward Snowden revealed in 2013, those data troves have provided searchable data for secretive US surveillance agency programmes. Unlike the agencies, businesses in the US can legally compile (and sell) vast, detailed and revealing stockpiles of data that surveillance agencies can then tap into, as Snowden showed.

But the ECJ has just said “no”, not any more, not for EU data anyway, in a way that exposes the indirect but essential relationship between surveillance by business and surveillance by the state. The surveillance capitalism business model quietly enables highly granular mass surveillance that the state appreciates and, under US law, can tap into.

What next?

What happens next? Perhaps the wholesale shift of many of those companies from a US base to the EU, which means, probably, to Ireland – it won't be the UK with its even more lax state surveillance laws. Any such moves would bring even more responsibility here for global data oversight, which suggests a pressing need to rethink, at EU level, how data protection authorities could and should operate.

Still, even if most of the world's data were to be kept within Europe, the surveillance business model itself is now severely challenged. Not just because of EU laws such as the General Data Protection Regulation (GDPR), which poses many as-yet unlitigated challenges, but because surveillance capitalism goes hand in hand with the global, data-transfer-based online ad industry.

And that’s a topic to which I will return as we pick apart the global ramifications of the Schrems 2 decision.