The Schrems Saga – Chapter II: Invalidating the EU – US Privacy Shield

The Court of Justice of the European Union (“CJEU”) has recently rendered another cornerstone judgment in the Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems case (Case C-311/18 – “Schrems II Judgment”) concerning data transfer rules under Regulation (EU) 679/2016 (“GDPR”) and, in particular, from Europe to the United States.

In a highly anticipated judgment, on July 16, 2020 the CJEU on one hand (re)affirmed the validity of standard contractual clauses for data transfers as provided under Commission Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297 (the “SCC Decision”) and, on the other hand, invalidated the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU – US Privacy Shield (the “Privacy Shield”).

After the first judgment rendered by the CJEU on October 6, 2015 (“Schrems I Judgment”) in which the Court declared Commission Decision 2000/520/EC (the “Safe Harbor Decision”) invalid, the judgment at hand represents yet another protectionist intervention by the CJEU in the commercial relationship between Europe and the US.

In a highly controversial judgment which is poised to reshape personal data transfer rules not only between the EU and the US, the CJEU (re)affirmed the fundamental principle pursuant to which personal data of European citizens being transferred to third-countries must be guaranteed an “essentially equivalent” level of protection by the recipient country.

Indeed, by invalidating the Privacy Shield the CJEU found that the recipient country (the US) did not guarantee such an essentially equivalent level of protection. Although the CJEU affirmed the validity of the SCC Decision, it set out an additional burden on data controllers wishing to rely on standard contractual clauses under the SCC Decision to regulate data transfers to third countries: those data controllers will have to carry out an additional assessment of the laws and practices of the recipient country.

The factual background of the case

The so-called Schrems Saga began in 2013, when Maximilian Schrems initiated proceedings before the Irish Data Protection Commissioner (“DPC”) concerning the validity of the personal data transfer practices implemented by Facebook to transfer EU citizens’ personal data from Europe to the US. Following the rejection of his complaint by the DPC, the Austrian activist decided to challenge that decision before the Irish High Court, which stayed the proceedings and referred several questions to the CJEU for a preliminary ruling. The key question referred related to the validity of the Safe Harbor Decision, which was then declared invalid by the CJEU in the Schrems I Judgment.

Following the Schrems I Judgment, the High Court of Ireland annulled the DPC’s decision which rejected Schrems’ initial complaint and the case was referred back to the DPC.

In front of the DPC, Max Schrems lodged new complaints concerning the standard contractual clauses pursuant to the SCC Decision used by Facebook to transfer personal data from the EU to the US and also relating to the validity of the Privacy Shield. The DPC brought the proceedings before the Irish High Court. As in the Schrems I Judgment, the Irish High Court decided to stay the proceedings and referred eleven questions to the CJEU for a preliminary ruling.

In particular, the Irish High Court raised questions on the validity of both the SCC Decision and the Privacy Shield.

On the validity of the SCC Decision

By its 7th and 11th questions, the referring court asked the CJEU to provide clarifications on the validity of the SCC Decision. In particular, the Irish High Court asked whether the SCC Decision is capable of ensuring an adequate level of protection for personal data transferred to third countries, given that the standard data protection clauses contained in its Annex do not have any legally binding effect on the supervisory authorities of those third countries.

Indeed, as clearly stated by the CJEU itself “although those clauses are binding on a controller established in the European Union and the recipient of the transfer of personal data established in a third country where they have concluded a contract incorporating those clauses, it is common ground that those clauses are not capable of binding the authorities of that third country, since they are not party to the contract” (para 125).

From a practical standpoint, it may occur that, depending on the laws and practices in force in a given third country, the recipient of a data transfer is in a position to guarantee the protection of the personal data it receives on the basis of standard data protection clauses, but that transfer would still be considered unlawful if the law of that third country allows its public authorities to interfere with the rights of the data subjects.

In light of the above, the question that arose was whether the SCC Decision could be considered invalid given that it did not provide guarantees which can be enforced against the public authorities of the third countries to which personal data is transferred pursuant to the standard contractual clauses contained therein.

According to the CJEU, however, “the mere fact that standard data protection clauses in a Commission decision […] such as those in the annex to the SCC Decision, do not bind the authorities of third countries to which personal data may be transferred cannot affect the validity of that decision” (para 136).

By upholding the validity of the SCC clauses, however, the CJEU seems to have additionally and – some might argue – excessively burdened data controllers, as the Luxembourg Court affirmed that “In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection” (para. 133). Additionally, “It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses” (para. 134).

Therefore, according to the CJEU, if a European data controller wishes to transfer personal data to a third country, simply relying on the standard contractual clauses provided under the SCC Decision will not suffice. The data exporter is now called upon to carry out an additional evaluation of the laws and practices of the data recipient’s country, especially if law enforcement authorities may have access to such data. Moreover, the CJEU prescribes that the data exporter shall provide additional safeguards to those offered by such clauses without, however, specifying what those additional safeguards are. As of now, it is not really clear either what additional safeguards could be adopted by data exporters and data importers to ensure the protection of personal data (encryption?) or what type of assessment controllers and processors must carry out to establish whether the importer’s country’s legislation ensures an adequate level of protection.

On the invalidation of the Privacy Shield

In light of the findings by the Irish High Court during the main proceedings, the referring court harbored doubts as to whether US law did, in fact, ensure an adequate level of protection under article 45 of the GDPR, read in light of the fundamental rights guaranteed in articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the “Charter”). In particular, the referring court considered that the derogations from the protection of personal data provided under US law in case of overriding national security interests did not guarantee adequate safeguards for European citizens’ personal data. Moreover, the Irish High Court also considered US law inadequate as to ensuring an appropriate judicial remedy, given that the Privacy Shield Ombudsperson could not, in its view, qualify as a tribunal within the meaning of article 47 of the Charter.

Articles 7 and 8 of the Charter provide, respectively, the right to respect for one’s private and family life and the right to the protection of personal data. In the commented case, the ability of the Privacy Shield to ensure a level of protection essentially equivalent to that guaranteed by the GDPR, read in light of articles 7 and 8 of the Charter, was called into question on the ground that the interference arising from surveillance programs provided under US law was not covered by requirements ensuring, subject to the principle of proportionality (under article 52(1), second sentence, of the Charter), such an essentially equivalent level of protection.

In this regard, the CJEU affirmed that “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter” (para. 185).

As regards article 47 of the Charter, compliance with which must be assessed by the Commission before it adopts any adequacy decision, the first paragraph grants the right to an effective remedy before a tribunal to anyone whose rights and freedoms guaranteed by the law of the European Union have been violated.

Therefore, in the commented case, the determination in the Privacy Shield pursuant to which the US ensured a level of protection essentially equivalent to that guaranteed by article 47 of the Charter was called into question on the ground that the introduction of the Privacy Shield Ombudsperson mechanism could not, in fact, remedy the deficiencies in the judicial protection afforded to persons whose personal data are transferred to the US.

In this regard, the CJEU found that “the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter” (para. 197).

In light of the above, the CJEU concluded that “the Privacy Shield Decision is invalid” (para. 201).

The immediate aftermath of the Schrems II Judgment

The Schrems II Judgment is poised to reshape personal data transfers from the EU to the US, as well as from the EU to other third countries. It is hard to predict the ramifications stemming from such a cornerstone judgment in its immediate aftermath; what is certain, however, is that data controllers will have to rethink their data transfer mechanisms.

Indeed, if, on the one hand, the standard data protection clauses under the SCC Decision remain valid, on the other hand data controllers currently relying on them will have to carry out additional assessments of whether the recipient’s national laws actually provide essentially equivalent protection for personal data.

Data controllers currently relying on the Privacy Shield, by contrast, will have to identify alternative data transfer mechanisms to ensure the flow of personal data from the EU to the US.