Data Protection Law in Social Media

Facebook has 1.79 billion daily active users; Instagram has over 500 million active daily users sharing 250 million stories each day; YouTube has a global audience of over 2 billion monthly active users, and the list goes on (LinkedIn, Twitter, TikTok, WhatsApp, Pinterest). There is no denying that social media is an indisputable part of our lives.

We use these free platforms to stay connected, entertained and informed. However, we have a hard time realizing that while they are free, we are paying a price for them: we are the product, through every photo, message, post or video uploaded.

Have you ever wondered what happens with your personal data in social media? More specifically, where does it all go? Who is it shared with?
This has been an ongoing issue, as most social media companies are in the U.S or scattered throughout the world, which makes it complicated to keep tabs on the data and to harmonize the level of protection given by each country.

Concerned by this issue, EU lawmakers have been slowly proposing solutions to afford more protection, and on May 25th 2018 the General Data Protection Regulation (GDPR) came into force.

However, long before that, an EU citizen named Max Schrems wondered about his data being transferred and complained in 2013 to the Irish Data Protection Commissioner (DPC) about the data transfer practices of Facebook. The issue rose up to the High Court (Case C-362/14, “Schrems I”), which referred a number of questions to the Court of Justice of the EU (CJEU), in particular concerning the validity of the EU-US Safe Harbour arrangement (a self-regulatory system, predecessor of the EU-U.S Privacy Shield) that Facebook had joined to legitimize such transfers.

The High Court then annulled the decision rejecting Mr Schrems’ complaint and referred the case back to the DPC. Moreover, the Court invalidated the Safe Harbour agreement, in the words of the Commission classifying it as “one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the EU”.

Mr Schrems then alleged that Facebook’s use of the standard contractual clauses for data transfers could not provide a valid legal basis for transfers to the U.S (Case C-311/18, “Schrems II”). Put plainly, he argued that US data protection law was not equivalent to, or sufficient compared with, EU law and that data transfers to the US therefore could not take place.

On 16 July 2020, the CJEU issued its judgment, which focused on two key points:

A) Privacy Shield invalidated
The Privacy Shield framework provides for the possibility of lawful transfer of personal data from the EU to the U.S while ensuring a strong set of data protection requirements and safeguards. On the basis of this framework, EU businesses were able to legally transfer personal data to U.S-based companies that were listed in the Privacy Shield list.

The CJEU found that U.S surveillance programs were invasive and not limited to what is strictly necessary and proportional as required by EU law, meaning that the U.S had indiscriminate access to all transferred data. Therefore, the Court considered that the U.S acted disproportionately and interfered with the rights to protection of data and privacy of EU citizens.

B) Validity of the Standard Contractual Clauses (SCCs)
While the decision upholds the validity of standard contractual clauses, it requires companies and regulators to conduct case-by-case analyses to determine whether foreign protections concerning government access to transferred data meet EU standards and, where they do not, requires companies to provide additional safeguards or suspend transfers.

The findings of the Court in this recent judgment are not that unexpected. Data protection has been acquiring more importance in the past years, and courts as well as lawmakers have strengthened powers to uphold individuals’ rights. Hopefully, this opens a new chapter in the (recent) history of the data protection framework.