An Austrian law student studying in the US had a guest lecture with Facebook’s privacy lawyer Ed Palmieri. Palmieri had a restricted knowledge of data protection law in Europe. The student, Max Schrems, would go on to revolutionise data law in Europe. It began by creating a paper for that class focusing on Facebook’s relationship with EU data law.[1] The research exposed breaches of data security and once back in Europe, his activist group was formed. Schrems work is crucial within the influencer advertising sphere, data is a powerful tool that can be used to determine target groups for marketing. Moreover, consumer protection is crucial on social media platforms to ensure that their right to privacy is met.

Facebook has placed its European headquarters in Dublin, Ireland. Ireland has a low corporation rate which attracts many tech companies, but unfortunately for them, its Data Protection Commission (DPC) has a high standard of data protection law. Within EU private international law rules, the Brussels Ibis Regulation allows a case to be taken against a company where its headquarters are located and moreover, apply the law of that country under the Rome Regulation. This ensures a direct responsibility on tech companies like Facebook to act in accordance with the Member States Data law which stems from EU law. From Edward Snowden’s leaks in 2013, it was revealed that there were issues of data flow, in other words, EU citizens information was being accessed by US intelligence agencies. Schrems began to raise this problem before the DPC through a formal complaint whereby they tried to hastily solve the problem. However, this complaint was lodged in 2013 and is still ongoing.

The DPC tried to solve it quickly by rejecting Schrem’s complaint using the Commission Decision of 26 July 2000 as precedence. This stated that the ‘Safe Harbour Scheme’(SHS) ensured that the US provided an adequate level of protection in the transfer of personal data.[2] Irish administrative law allows for government decisions to be appealed through the courts, whereby this complaint reached the High Court. After Snowden’s revelation and the media attraction the complaint was getting, the judges referred the case to the EU with a preliminary question, “May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or the Commissioner is absolutely bound by the Commission’s decision?”.[3] This question leads to the beginning of Schrems I.

The preliminary question that was referred required the scrutinization of the old Commission Decision. Through Snowden leaking the data information, it was clear that SHS was not fit for purpose and the Irish Courts needed to bring this before the CJEU to get a formal judgement on the validation of this Decision. The SHS had 7 main principles that worked in conjunction with the EU Data Directive 1995.[4]

1. Notice – The data subject should be informed that their data has been collected, how it will be used and how to contact the data holder for any queries
2. Choice – The data subject should be able to opt out as well as forward the relevant data to another third party.
3. Onward Transfer – The transfer of any data can only happen with a third party that meets the required data protection principles.
4. Security – A reasonable effort must be made to keep the data safe from loss/theft.
5. Data Integrity – The data must be relevant and reliable for its original purpose of collection.
6. Access – The data subject should be able to access, correct and delete any information held about them.
7. Enforcement – There must be effective means of enforcing these rules.

These principles were used to ensure that the US would provide almost the same level of security towards personal data transfer as that of an EU Member State. However, it was clear that EU levels of protection were not met by the US and thus, the SFS was ruled invalid on the 6th of October 2015. This would enable the creation of the EU-US Privacy Shield,[5] a framework for regulating personal data transfer between those countries with the purpose of commercial use.

The EU-US Privacy Shield was dissatisfactory for Schrems and would lead to Schrems II. It entered Irish Courts again after he amended his original complaint, who would refer 11 preliminary questions to the CJEU, the main being:[6]  

“In circumstances in which personal data is transferred by a private company from a European Union (EU) Member State to a private company in a third country for a commercial purpose pursuant to [the SCC Decision] and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter) apply to the transfer of the data notwithstanding the provisions of Article 4(2) TEU in relation to national security and the provisions of the first indent of Article 3(2) of Directive [95/46] in relation to public security, defence and State security?”

The CJEU focused on two different elements of data transfer: The Shield and Standard Contractual Clauses (SCC). On 16th July 2020, it was ruled that the Shield was invalid. The reasoning followed Schrems I, it was evident that the US was still not able to afford the high-level protection of personal data that was in accordance with EU standards including GDPR standards. There were also still issues with US intelligence agencies which included improper remedies for data subjects before the courts as well as methods for citizens to access their data and erase it. The SCC Clauses had a different outcome. SCC is a secure method of ensuring that personal data that is transferred from the EU to third countries is secure and lawful.[7] If a company has to be GDPR compliant, it needs SCC with each data processor. The CJEU provided more requirements when using SCC. A case-by-case basis review is now mandatory by Data controllers and processors who must ensure that sufficient levels of safeguards and remedies are implemented as well as making sure no rights have been breached. Additionally, it was stated that SCC does not preclude situations like the US where the laws of a country are incompatible with EU law.

What is happening now? The EU ensured that there was no grace period for the Shield and companies still have to ensure that they are GDPR compliant. Directives concerning privacy like the ePrivacy Directive are being updated and more legislation is being made by the EU in the coming years. However, Schrem’s complaint from nearly 8 years ago that led to significant change has yet to be solved. The CJEU rulings have ensured that once the complaint is dealt with that it should stop the EU-US data transfer. The complaint itself is still all over the place to put it simply. A new case was opened which then paused Schrem’s original complaint, he was granted judicial review against the DPC for the mismanagement of his procedure.[8] Commenters have stated by the end of 2021, Ireland will have made a judgement that will suspend data transfer as Schrems was granted the highest speed criteria for the review to occur. However, the legal term for this time limit is “swiftly” and with Ireland having a poor administrative justice system, there is no fixed guarantee that it will be sorted within the next year. To quote Schrems, “The DPC has already pledged to the Court in 2015 that it will swiftly decide. It seems like we need a clear judgment to force the DPC to do its job.”[9] Schrems has now dropped his case against the DPC in exchange for the swiftly criteria to be met. 

The DPC has taken other actions against Facebook in the meantime. They sent the tech giant a preliminary order to suspend data transfer between the EU and the US as a result of Schrems II, but Facebook applied for a judicial review of this. Schrems privacy right group, ‘noyb’, has stated that it believed Facebook is using EU courts to delay the applicability of EU law whereas Facebook has explicitly said that it is using the Court’s to send a signal to lawmakers to solve the issue.[10]

What does this mean for influencers? Influencers earn a high percentage of their money through advertisements. The more their audience interacts with an advertisement, the more revenue the influencer receives. Thus, the influencer has a motivation to ensure that advertisements are click into. Targeted advertisements are needed to ensure that the ads being shown to an individual suit their traits, interests, and preferences. Therefore, advertisers need to collect data from the consumer by tracking their activity on the internet. Inevitably, personal data is being collected. The Schrems cases push for tighter regulation on personal data. For example, if the courts decide that personal data is not allowed to be used nor collected (a radical and unlikely decision), then targeted advertisements will not be possible. Influencers revenue will drop as targeted ads will become broader and less engaging to their audience. The Schrems case affects everyone in the influencer relationship: the consumers, the regulators, the platforms and most importantly, the influencer themselves.

---

[1] Kashmir Hill, “Max Schrems: The Austrian Thorn In Facebook’s Side” < https://www.forbes.com/sites/kashmirhill/2012/02/07/the-austrian-thorn-in-facebooks-side/?sh=3eb31127b0b7> last accessed 16 January 2021.

[2] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) [2000] OJ L 215.

[3] Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650.

[4]  Experian <https://www.experian.co.uk/business/glossary/safe-harbour-agreement/> last accessed on 16 January 2021.

[5] Privacy Shield Framework < https://www.privacyshield.gov/welcome> last accessed on 16 January 2021.

[6] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559.

[7] European Commission, “Standard Contractual Clauses” < https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en> last accessed on 16 January 2021.

[8] Natasha Lomas, “ Facebook EU-US data transfer complaint: Schrems gets a judicial review of the Irish DPC’s procedure “ < https://techcrunch.com/2020/10/12/facebook-eu-us-data-transfer-complaint-schrems-gets-a-judicial-review-of-the-irish-dpcs-procedure/> last accessed on 16 January 2021.

[9] Noyb, “ Irish High Court allows Judicial Review to stop Facebook’s EU-US Data Transfers” < https://noyb.eu/en/irish-high-court-allows-judicial-review-stop-facebook-eu-us-transfers> last accessed 16 January 2021.

[10] Data Protection Commission, “EU-US Data Transfers – Judicial Review Proceedings” <https://www.dataprotection.ie/en/news-media/press-releases/eu-us-data-transfers-judicial-review-proceedings> last accessed on 16 January 2021.