This article is written by Jyotiranjan Mallick who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Table of Contents
Introduction
The Data Protection Commission (“DPC”) the Irish body that investigates and enforces GDPR related enforcement in the region in its annual report stated that it would be investigating the data leak by Facebook Inc. This has come after Facebook reported data leak of millions of consumers in an alleged hacker forum. The report represented by the DPC suggests that the data leak was owing to a serious vulnerability in the FB operating system which was present since 2017, which is much before the GDPR came into force. The Irish body will carry out the investigation which would primarily examine the GDPR related compliance by FB under the “Security Principle ”.
This principle places an obligation on the big data processors like FB, Twitter etc. to ensure adequate safeguards for the protection of the personal data of consumers. The data leak of millions of FB consumers which also included Irish FB users were not informed to the users and even the DPC came to know about the leak through a press release of FB. The failure on behalf of the FB to cover these lacunae according to initial assessment of the DPC has violated some of the guidelines under the General Data Protection Regulation (“GDPR”) and its predecessor the 95 directive. The outcome of the investigation in the wake of landmark Schrems I & II case law will determine the fate of these US Corporations in the European Union(“EU”) circle. The laxity on behalf of the DPC to take strict action against such major social media sites will also be a keynote at the outcome of the investigation. The only time the Irish authorities took strict action was against the in December 2020 over a breach it disclosed back in 2019.
The Irish region has reported a significant increase in the data breach notification since the enforcement of the GDPR. A Study has shown the rate of daily notifications for breaches increased by 12.6 percent from 247 per day for the first eight months of GDPR, to 278 per day for 2019. With the Cambridge Analytica disaster the EU data protection authorities have vigorously enforced the GDPR. In this regard, the Irish investigation might cause serious repercussions for FB which could be fined up to 4% of its annual turnover which amounts to billions of dollars.
Clash between the US and EU approach towards the data privacy
The aftermath of the Cambridge Analytica scandal followed the Senate inquiry and investigation of Mark Zuckerberg which showed the helplessness of the US lawmakers in understanding the business model of FB. The entire senate inquiry in brief represented the US approach of protecting the personal data of social media users. To enumerate, the major US social media network sites like FB, Twitter and Google operate on a “freemium” based model in which the services are provided free of cost in return of sending target advertising to customers based on data analytics of billions of consumers that use them. This complex process involves myriads of steps of collecting, processing and mining the data according to a standardised step that helps in targeting the consumer effectively with particular ads.
This process may involve selling such collections of data to third parties which is not illegal in the U.S. This effectively means that personal data of the consumers may be compromised which was clearly shown in the Cambridge Analytica case where such data were mined to tune the political preference of US and UK citizens which according to privacy experts had a huge impact on 2016 US election and Brexit. The Federal Trade Commission(“FTC”) which is the principal agency for consumer protections against unfair trade practices has only brought a few stringent actions against such corporations in wake of data leaks.
The federal laws like Health Information and Portability Accountability Act (“HIPAA”) and Family Educational Rights and Privacy Act (“FERPA”) do not provide any standard guidelines on maintenance of privacy policies nor any penalty on failure to maintain the same. This lacunae in major cases are not supported by adequate State legislations barring a few like California, since the States have the Forte in enforcing adequate data privacy guidelines. On the other hand, the EU Data Protection Authorities have been actively vigorous in protecting the data of EU subjects specifically in the context of EU-US data transfer. The enforcement of the GDPR in 2018 was itself made in the wake of the Snowden revelation which showed to the world the unimaginable and arbitrary access that US authorities have over the personal data of its citizens including the user base of major social media sites.
The predecessor of the GDPR was Data Protection Directive 95/46/EC (“95 Directive”) which was ill-equipped in terms of cross-border data transfer and penalty. With the implementation of the GDPR the EU DPC’s have indicated that extraterritoriality of the GDPR will eliminate the unfair advantage that these U.S. tech companies have in terms of their handling of the personal data of the EU subjects.
The applicability of GDPR in realm of data privacy
The right to data protection is an inalienable right in the EU states which is aligned in the concept of human dignity. This was reinforced with the introduction of the GDPR in the 2018 which removed the lacunae with respect to 95 directive. The applicability of GDPR posed difficulties specifically for US corporations in its extraterritorial application, increased regulatory oversight and strong rights granted to the data controllers. One of the prime features of the GDPR was that it corrected the existing penalty mechanism and now under Article 83(5) of the GDPR a penalty in tune 4% of annual global turnover or €20 Million (whichever is greater) may be imposed. As previously discussed, if the Irish DPA finds the FB to be liable for non compliance with GDPR then fine can be imposed in tune of 1.2 Billion US$.
The GDPR under Article 4 extended the ambit of “personal data” by including all those pointers which directly or indirectly may result in the identification of an individual. The owner of data who is referred to as “data subject” is granted with lieu of powers to control as to how his/her data is being processed by the data controller. These include various rights of being forgotten, data portability, rectification of personal data, processing only with respect to areas of consent, and processing the data only under legal basis of processing.
One of the fear factors for FB, Twitter etc is the extraterritorial application of the GDPR which has equipped the Irish DPA to not only investigate the data breach by FB but in essence also of finding a causal link that personal data of the EU consumers has been handled loosely. The GDPR has been specific that anyone processing the data of residents of the EU, regardless of whether or not that has an office in the EU, is subject to the GDPR. This has been enumerated in Article 3 which extends the scope of GDPR to anyone who processes the personal data of EU subjects in relation to offering goods/services or in monitoring the behaviour of EU data subjects.
Cross border data transfer under GDPR in relation to the “US privacy framework”
The GDPR is strict in terms of allowing cross border data transfer of the EU subjects to the Non-EU countries, the same is permitted only if the recipient country provides adequate assurances of data protection. In absence of a country being a part of a list of countries under EU guidelines of adequacy decision, the data processor from such countries must resort to alternative means such as Standard contract clauses or binding corporate rules. The United States since do not have adequate safeguards to ensure the data protection of the EU subjects it is not present in the list.
However, owing to the fact that all the major social media sites like FB is based in the US and considering the fact that it is one of the biggest trading partners of the EU two frameworks were adopted to ensure hassle free cross border data transfer. The model of “safe harbour” and “privacy shield” was however eliminated in the light of Schrems jurisprudence.
Safe harbour principle
As previously enumerated before the enforcement of GDPR the 95 data protection directive guided the data protection regime in the EU. Akin to the GDPR the 95 directive prohibited the transfer of personal data of EU subjects to “third countries” outside the European Economic Area, unless they guarantee adequate levels of data protection. To supplement the data transfer of EU subjects and to ensure compliance with the 95 directive “safe harbour” agreement was reached between the US and the EU and the principles were developed between 1998 and 2000. The principle stipulated that to allow cross border flow of EU data to the US, the data controllers must ensure compliance to the standard practices and procedures for ensuring safety of such data.
This principle-maintained a certification programme in which US companies could opt into and be certified if they adhered to principles of 95 directive. Once the company dealing with the personal data of EU subjects is certified it can be affirmed to be having adequate level of protection to maintain the security and efficient handling of personal data of the EU subjects and they can be allowed to transfer such data from EU to US. This whole mechanism was eliminated after the decision of the Court of Justice of the European Union (“CJEU”) in Max Schrems v. Irish Data Protection Commissioner(“Schrems I”).
Privacy shield principle
After the elimination of the safe harbour agreement by the CJEU, the privacy shield principle was adopted. The programme was applied by the International Trade Administration (ITA) within the U.S. Department of Commerce under which any US corporation that deals with the personal data of EU subjects must be authorized under the programme of adequacy determination which would allow cross border flow of data from EU to the US.
Companies become “certified” as agreeing to comply with seven primary data security principles, categorized under notice; choice; accountability for onward transfer; security, data integrity and purpose limitation; access and recourse to enforcement and liability. The privacy shield being the updated version of safe harbour agreement consisted of various additional safeguards. Companies had to update their privacy policy in tune with the GDPR requirements. To become authorized under the privacy shield the company must abide by a privacy audit, designate a data protection officer and get certified by the US department of justice that it will abide by all the guidelines in the principle by signing a bond in tune of $250 – $3,250.272.
Analysis of “cross-border data flow framework” in light of “Schrems” jurisprudence
Max Schrems v. Data Protection Commissioner (“Schrems-I”)
This was one of the first landmark case laws that shaped the recourse for the implementation of the GDPR by eliminating the safe harbour agreement under which cross border data flow was allowed between the US & EU. This framework was limited by severe lacunae which threatened the data security of the EU subjects specifically in the context of the Snowden revelations. As a result, Austrian privacy advocate Max Schrems filed a complaint before the Irish DPC challenging the data transfer of his accounts under the framework.
The appeal from Irish DPC on rejection of his complaint to the Irish High court eventually resulted in the case being challenged before the CJEU IN 2015. The Irish High court considered the framework to be prejudicial to the interests of the Irish citizens in wake of the Snowden revelation found it to be giving unprecedented access to the US over EU data subjects. The Irish High court found the decision of the Irish DPC contrary to established principles and referred the matter to CJEU since it concerned the privacy rights of EU subjects in large. The Court noted that the right to respect for private life as guaranteed by Article 7 of the EU Charter and by values common to the traditions of the Member State it was important to refer the matter to CJEU.
Decision of the CJEU
The court analyzed the framework which allowed the cross-border flow of data only if the corporation is certified under the framework. The court however found that mere establishment of a framework doesn’t eliminate the wide range of powers that executive authorities of a state might have over the data of EU subjects. The framework only permits the US corporations to be certified however, there is no such certification that government authorities also have to abide by to access such data.
The court found that the framework itself was marred by various loopholes. There was no proper definition of “adequate protection” which a corporation has to abide by for protecting personal data of EU subjects. Considering that the privacy is regarded as an inalienable and fundamental rights under the EU charter the court held framework must specify a clear set of guidelines governing cross border flow of data. The court overruled the decision by the Irish DPC and in the wake of unfettered access by the US authorities to the personal data of EU subjects eliminated the applicability of the “safe harbour” concept.
Data Protection Commissioner v. Facebook & Max Schrems (Schrems-II)
After the elimination of the safe harbour framework the GDPR came into force and to allow cross-border flow of data the US corporations allowed the practice of adopting Standard Contractual Clauses (“SCC”) or the privacy shield framework to govern the same. Under the exemptions granted in Article 46 of the GDPR the SCC framework adopts a standardised process which must be adopted to ensure data safety of EU subjects while allowing cross-border flow of data. Max Schrems again filed a complaint before the Irish DPC which resulted in the matter to be appealed before the Irish High Court. Schrems argued that such a privacy shield framework does not provide adequate safeguard to protect the transfer of his personal data to the EU.
The primary question before the Irish High Court was whether the SCC (privacy shield) between Facebook Inc. and Facebook Ireland ensures adequate safeguards for data protection of EU subjects. The CJEU based on the existing mechanisms under GDPR found the privacy shield framework to be not proportionate to the actions of the US authorities. The CJEU similar to the Schrems I decision observed that the SCC framework does not ensure that the executive authorities of the US would abide by all standard rules and due process while accessing the data of EU subjects. Moreover, absence of an adequate legal regime to file the complaint for such unprecedented access over personal data according to the CJEU violates the right to privacy of EU citizens which is an unalienable right. Based on the reasoning the CJEU rejected the privacy shield framework for flow of data to Non-EU states.
Conclusion
The Facebook cross-border data transfer cases (Schrems I & II) signified the right of data subjects to control and determine the access to his/her data and showed the impact of U.S. mass surveillance on arrangements between the EU and the U.S. Unless the impact of Mass surveillance on the data of EU subjects is resolved it is unlikely that any cross-border flow of data may be allowed. This would form the primary basis on which the Irish DPC investigation would extend to the FB data leak of millions of consumers. The DPC has to assess to what extent the data of EU subjects has been transferred to the US post the Schrems II decision and how far they have been compromised. The conflict between the EU data protection authorities and the US corporations is primarily owing to the approach taken by the two jurisdictions in enforcing the privacy rights of the individuals. While the EU considers the personal data protection of EU subjects as an inalienable right the US on the other hand has a complete opposite approach.
The FTA has rarely taken any stringent actions against major social media sites for serious data breaches which is compounded by a lack of coordination between federal and state laws. The Irish investigation into FB data leak pursuant to the Schrems I & II would hence determine the future recourse as to what actions will be taken by these companies to resolve the conundrum of this conflict. This would also determine a mechanism under which cross border flow of EU data can be allowed to the US without being held as constitutionally invalid by the CJEU.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:
