Schrems II: Will It Really Increase the Level of Privacy Protection against Mass Surveillance?
Keywords:Court of Justice, privacy, mass surveillance, Schrems I, Schrems II, EU Law
An important event that once again brought to the forefront issues related to mass surveillance was the judgment of the Court of Justice of the European Union (hereafter referred as CJEU) delivered on July 16, 2020 in the case of Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems (Schrems II). It can be considered as the first serious precedent in the field of surveillance, which is aimed at ensuring privacy in the field of national security. Therefore, it becomes an important issue to assess its impact on the legal framework of international transfers of personal data and on the level of privacy protection. The impact of the judgment on the level of privacy protection and mass surveillance is particularly important now that CОVID-19 contact tracing programs are being widely used. In this research we try to trace the formation of the approach to mass surveillance in the case-law of CJEU before and after the Schrems II. We also try to point out some of the difficulties that the process of cross-border data transfer will face after the Schrems II. The main question of the study is whether the approach of the CJEU developed in the Schrems II will actually increase the privacy protection against mass surveillance. We conclude that the Schrems II is an important decision with serious consequences that go beyond the direct impact on data transfer between the EU and the US. It can have controversial influence of the level of privacy protection. Together with the positive trend of formation of more harmonized global data protection standards it can create many unresolved problems in the field of international data transfer and in economic dimension.
Advocate General’s Opinions in case C-623/17 Privacy International, Joined Cases C-511/18 La Quadrature du Net and Others and C-512/18 French Data Network and Others, and Case C-520/18 Ordre des barreauxfrancophones et germanophone and Others, Press release No 4/20, 15 January 2020. Available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-01/cp200004en.pdf (accessed on 18.11.2020).
European Commission. (2020a). Communication from the Commission to the European Parlament and the Council. Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation. Retrieved 18 November 2020, from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN.
European Commission. (2020b). Communication from the Commission to the European Parliament and the Council, the European Economic and Social Committee and the Committee of the Regions. A European strategy for data. Retrieved 18 November 2020, from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0066&from=EN.
European Commission. (2020c). Coronavirus: EU global response to fight the pandemic. Retrieved 18 November 2020, from https://ec.europa.eu/commission/presscorner/detail/en/mex_20_631.
European Data Protection Board. (2020). Statement on the processing of personal data in the context of the COVID-19 outbreak. Retrieved 18 November 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
PRIVACY INTERNATIONAL. (2017). National Data Retention Laws since the CJEU’s Tele-2/Watson Judgment. A Concerning State of Play for the Right to Privacy in Europe/ Privacy International. Retrieved 18 November 2020, from https://privacyinternational.org/sites/default/files/2017-10/Data Retention_2017_0.pdf.
Scott, J. (2014). The new EU “extraterritoriality”. Common Market Law Review, 51(5), 1343 – 1380.
The White House; Office of the Press Secretary. (2014). Presidential Policy Directive - Signals Intelligence Activities. Retrieved 18 November 2020, from https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
Untersinger, M. (2020). Europe requests data from telephone operators to assess the effect of containment measures. Retrieved 18 November 2020, from https://www.archyde.com/europe-requests-data-from-telephone-operators-to-assess-the-effect-of-containment-measures/.
Wiewiórowski, W. R. (2020). Monitoring spread of COVID-19. Retrieved 18 November 2020, from https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf.
Annex I Safe Harbor Privacy Principles issued by the US Department of Commerce on 21 July 2000/, available at: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML (accessed on 18.11.2020).
CJEU, Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, Case C-311/18, ECLI:EU:C:2020:559.
CJEU, Judgment of the Court (Grand Chamber) of 8 April 2014, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, joined cases C-293/12 and C-594/12, ECLI:EU:C:2014:238.
CJEU, Judgment of the Court (Grand Chamber) of 24 September 2019, Google Inc v Commision nationale de l’informatique et des libertés (CNIL), C-507/17, ECLI:EU:C:2019:772.
CJEU, Judgment of the Court (Fourth Chamber) of 28 July 2016, JZ v Prokuratura Rejonowa Łódź – Śródmieście, Case C-294/16 PPU, ECLI:EU:C:2016:610.
CJEU, Judgment of the Court (Grand Chamber) of 6 October 2020, La Quadrature du Net and Others v Premier ministre and Others, joined cases C-511/18, C-512/18 and C-520/18, ECLI:EU:C:2020:791.
CJEU, Judgment of the Court (Grand Chamber) of 06 October 2015, Maximillian Schrems v Data Protection Commissioner, Case C-362/14, ECLI:EU:C:2015:650.
CJEU, Judgment of the Court (Grand Chamber) of 21 December 2016,
Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, joined cases C-203/15 and C-698/15, ECLI:EU:C:2016:970
CJEU, Judgment of the Court (Grand Chamber) of 2 October 2018, proceedings brought by Ministerio Fiscal. Request for a preliminary ruling from the Audiencia Provincial de Tarragona, Case C-207/16, ECLI:EU:C:2018:788.
CJEU, Judgment of the Court (Grand Chamber) of 6 October 2020, The Investigatory Powers Tribunal (United Kingdom), in the proceedings Privacy International Case C 623/17, ECLI:EU:C:2020:790.
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176), C/2016/4176.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281, 23.11.1995, p. 31–50.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47.
ECtHR, Big Brother Watch and Others v. United Kingdom, app. no. 58170/13, 62322/14 and 24960/15, 13 September 2018.
ECtHR, Centrum v. Sweden, app. no. 35252/08, 19 June 2018.
ECtHR, Szabó and Vissy v. Hungary, app. no. 37138/14, 12 January 2016.
ECtHR, Weber and Salavia against Germany, app. no. 54934/00, 29 June 2006.
ECtHR, Zacharov v. Russia, app. no. 47143/06, 04 December 2015.
Entscheidung des Bundesverfassungsgerichts - 1 BvR 2835/17 - (zu den §§ 6, 7, 13 bis 15, 19 Absatz 1, § 24 Absatz 1 Satz 1, Absatz 2 Satz 1, Absatz 3 des Gesetzes über den Bundesnachrichtendienst) (BVerfGE20200519 k.a.Abk.), 19.05.2020. Available at: https://www.buzer.de/gesetz/13986/index.htm (accessed on 18.11.2020).
Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield, Brussels, 13 April 2016. Available at: https://ec.europa.eu/justice/article-29/press-material/press-release/art29_press_material/2016/press_release_
shield_en.pdf (accessed on 18.11.2020).
V. Commission Européenne. Communication au parlement européen et au conseil relative au fonctionnement de la sphère de sécurité du point de vue des citoyens de l'union et des entreprises établies sur son territoire, COM(2013) 847 final, 27 novembre 2013.
/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.), Official Journal L 215, 25/08/2000, p. 0007 – 0047.
/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539).
/490/EC: Commission Decision of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (Text with EEA relevance).
How to Cite
Copyright (c) 2020 Bratislava Law Review
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
The Author(s) transfers copyright to the Article to the Publisher of the Journal by the Licence Agreement.
The Author(s) retains rights specified in the Licence Agreement.
The readers may read, download, copy, distribute, print, search, or link to the full texts of all of the Article of the Journal and use them for any other lawful purpose under specified Creative Commons Licence (CC BY-NC-ND 4.0).
Grantová Agentura České Republiky
Grant numbers 20-27227S