Schrems, Facebook and Data Privacy

Why Schrems? The EU’s trust in the processing of personal data seems to be shaken. With the famous case Maximilian Schrems v Facebook Ireland Limited pending before the Austrian Supreme Court (“Court”) for a while now, Maximilian Schrems requested the Court to refer four questions to the Court of Justice of the European Union (“CJEU”) concerning the lawful use of personal data of all Facebook users from the EU.


So, who is Maximilian Schrems?

Maximilian Schrems is a law student from Austria and a personal data protection activist who has been extremely vocal about data protection before EU authorities.

In 2015, in the case of Maximilian Schrems v Data Protection Commissioner (“Schrems I”), the CJEU issued a decision repealing in full the European Commission’s Safe Harbor privacy principles, meant to prevent private organizations in the EU or the US from storing, accidentally disclosing, or losing their customers’ personal data. In the Schrems I case, the CJEU confirmed that authorities of the Member States responsible for personal data protection must ensure that the transfer of such data from the EU to a third country is in accordance with the Data Protection Directive (as amended by the General Data Protection Regulation (“GDPR”)), regardless of the aforementioned principles. This was the end of the first act.

Soon, a new arrangement, the EU-US Privacy Shield agreement of July 12, 2016, brought new rules (which changed data transfer procedures but essentially provided very few innovative solutions compared to the previous agreement), but not for long, as Schrems II came quickly thereafter. After the US-EU deal was reached, Schrems requested a ban in Ireland on the standard contractual clauses that allow the transfer of data from Facebook to its California-based headquarters. The data transfers allowed US security services to access the data, contrary to GDPR and EU law in general. The Austrian student’s request was rejected by the Irish Data Protection Commissioner, so the next instance was the High Court in Ireland. The proceedings were stayed and referred to the CJEU.

After only four years, in 2020, the EU-US Privacy Shield agreement was repealed by the CJEU as a result of offensive US surveillance programs.


Schrems III? – Data Privacy Issues Persist

The third episode in this data privacy case covers the four issues we mentioned at the beginning. Spoiler alert, yet again, Schrems’ request was granted. His questions were referred to the CJEU in what could be referred to as Schrems III. The main question was whether a user’s (one-time) click on the ‘yes’ button related to the use of their personal data represented consent or a contract. Strictly legally speaking, the following questions of interpretation of Articles 5, 6, 7, and 9 of the GDPR were raised:

  • Does the declaration of intent to process data undermine the legal concept within GDPR that gives significantly greater protection to the plaintiff?
  • Does the use of data on Facebook ‘likes’ undermine the data minimization principle under Article 5 of the GDPR?
  • Is Facebook allowed to process special personal data categories, such as sensitive data which includes political opinions or sexual orientation?
  • How is data collected and analyzed for the purposes of personalized advertising?

The CJEU is yet to respond to these inquiries. There is no doubt they will have more than just a few words to say; therefore, we are waiting for the curtains to fall after the Schrems III case.


How Will the Cases Affect Companies in Serbia?

Like the decision in the Schrems II case, the CJEU’s awaited answers to the Court’s questions will impact the practice of personal data protection in Serbia.

The Serbian Personal Data Protection Act (“Act”) is in line with the GDPR and allows the transfer of personal data to another state. In certain cases, the approval of the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) is needed whereas, in others, companies don’t have to ask for prior approval.

The need for the Commissioner’s approval depends on the existence of an adequate level of protection of personal data in the given country to which the data will be exported. Due to Schrems II, the export of data from Serbia to the US would be under scrutiny, not only in cases where it includes EU citizens but also as a result of Serbia’s alignment with the EU acquis, including GDPR.

To avoid needing the Commissioner’s approval, a company can turn to standard contractual clauses regulating the relationship between the controller and the data processor. Alternatively, it can redirect its operations to countries with an adequate level of personal data protection.

But is the relationship between a social network and its user consent or a contract? If it is deemed a contract, a respective provision of the Act may be interpreted in line with the CJEU’s stance, since the Act is aligned with the GDPR. If not, Serbian companies that deemed a user’s consent not to be contractual may have to change their model of operations.

The conclusions of the CJEU regarding the Schrems cases will surely affect the export of data to other countries. Companies that collect and process personal data must comply with the Act and must consider the GDPR and, ultimately, the level of data protection in the country to which they export data, in order to avoid all legal and financial risks that may arise from such actions.