“The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond. Firstly, it is relevant to the data protection rights of millions of residents of the [EU]. Secondly, it has implications for billions of euros worth of trade between the EU and the US and, potentially, the EU and other non-EU countries”. Judgment of Ms. Justice Costello, 3 October 2017, Irish High Court.

“At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy”. //noyb.eu/en/project/eu-us-transfers; consulted on 16 July 2020.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA” [the US National Security Agency], “the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.” Max Schrems (Chair of noyb.eu and party in the case) First Statement 16 July 2020.

(…) “we are still studying the decision to fully understand its practical impacts.” “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments”. U.S. Secretary of Commerce Wilbur Ross 16 July 2020 Statement on the Schrems II case.

“Today’s judgment provides” [a decisive statement of position from the CJEU], “firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally”. Data Protection Commission (Ireland) Statement on CJEU decision 16/07/2020.

[At the time of writing no written statements from Facebook Inc. or Facebook Ireland Limited were available: //about.fb.com/news/]

Background

Mr Schrems, an Austrian national resident in Austria and a Facebook social network user since 2008, filed a complaint with the Irish Data Protection Commissioner (the DPC) in June 2013 requesting the DPC to prohibit Facebook Ireland, as data controller, from transferring his personal data to the United States. Mr Schrems’s complaint was that law and practice in the United States did not ensure ‘adequate’ protection of the personal data held in its territory against the surveillance activities of the US public authorities, contrary to the requirements of the Data Protection Directive (the DPD). As a result of that complaint, and following a reference to the EU Court of Justice (CJEU), the original EU Commission Decision which had found that the US Safe Harbor arrangements for transfers of personal data to the USA were ‘adequate’ (providing for essentially equivalent protection for such personal data as that required in the EU) was ruled invalid (‘Schrems I’, Judgment of the CJEU of 6 October 2015).

In practice, thereafter, many companies turned to Standard Contractual Clauses (the SCCs) as a contractual means of ensuring compliant transfers of personal data to the USA. (There are currently three sets of SCCs, adopted by separate Commission Decisions, including the 2010 SCCs).

‘Safe Harbor’ was replaced by the ‘EU-US Privacy Shield’ approved by a Commission Decision of July 2016. An innovation in Privacy Shield was the creation of an Ombudsperson, independent of the intelligence community, to mediate surveillance concerns. In its approval Decision the Commission found that the United States ensured an adequate level of protection for personal data transferred from the EU to organisations in the USA who had self-certified that they comply with the Privacy Shield. The 2010 SCCs were amended in 2016 to take account of Schrems I and Privacy Shield.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was adopted in April 2016 and replaced the Data Protection Directive as from 25 May 2018.

The story does not end there. Back in Dublin, the Irish Data Protection Commissioner (DPC) invited Mr Schrems to amend his original 2013 complaint requesting the DPC to prohibit the transfer of his personal data to Facebook in the USA to take account of the Schrems I judgment. Mr Schrems wrote to Facebook and asked them to clarify the lawful grounds they relied on for making such transfers of users’ personal data. Facebook replied that they substantially relied on the 2010 SCCs for their EU data controller to non-EU data processor transfers.

The Reference to the CJEU

In his reformulated complaint, Mr Schrems asserted that the contractual clauses relied on by Facebook do not correspond to the 2010 SCCs and, moreover, that the SCCs do not themselves offer adequate protection for personal data of Facebook’s users because Facebook is required to make the data available to the US authorities. The DPC investigated to determine: first, whether the USA ensures adequate protection of the personal data of EU citizens and, second, whether the SCCs offer sufficient safeguards of fundamental rights and freedoms. In a draft Decision of May 2016 the DPC considered, provisionally, that, taking account of EU citizens’ rights to respect for their private life, home and communications; protection of personal data; and to have an effective remedy before a tribunal; as provided respectively by Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (CFREU): (…) “the SCC Decisions are likely to offend against article 47 of the Charter insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US notwithstanding the absence of a complete framework for any such citizen to pursue effective legal remedies in the US”.

On that basis the DPC brought proceedings before the High Court in Dublin, including Mr Schrems and Facebook as defendants, and requesting the court to determine whether issues regarding validity of the SCCs required a reference to the CJEU, which alone is competent to rule on the validity of EU legislative acts (Schrems I and cf. Achmea, Case C-284/16 [2018] ECLI:EU:C:2018:158). Pursuant to a judgment of Ms. Justice Costello of 3 October 2017, the High Court in Dublin referred eleven detailed questions to the CJEU, under the preliminary ruling procedure, including on the interpretation and validity of the 2010 SCCs.

Case C-311/18 – Advocate General Saugmandsgaard Øe’s Opinion of 19 December 2019

The reference was made on 8 May 2018. In his Opinion the Advocate General stated at the outset that his examination had not disclosed anything to affect the validity of the 2010 SCCs in principle (in abstracto) – but drew a distinction between that determination and whether the transfers in dispute should be suspended in concreto (Opinion at §166). He suggested, however, that the CJEU did not need to respond to the other questions from the referring Court or analyse the validity of the Privacy Shield Decision – because the referring Court had not directly questioned the validity of the finding of adequacy in that Decision. Nevertheless, and in case the CJEU considered that it should respond in detail on the questions asked, he did go on to find that the ‘essential equivalence’ between the judicial protection afforded in the United States legal order to persons whose data are transferred to the United States from the EU was “open to question” (Opinion at §341).

CJEU Judgment in Case C-311/18 of 16 July 2020

The CJEU has been more forthright than the Advocate General felt able to be. Regarding territorial scope, the Court confirmed that Article 2(1) and (2) of the GDPR applied to the transfer of personal data for commercial purposes by an economic operator established in the EU to an economic operator in a third country outside the EU irrespective of whether the data is liable to be processed by authorities in the third country for purposes of public security, defence and State security.
The Court found that the Commission’s Privacy Shield Decision was invalid. On the other hand, it did not invalidate the 2010 SCCs. However, on that subject it clarified that:

Transfers supported by SCCs must provide data subjects with a level of protection equivalent to that guaranteed within the European Union by the GDPR read in the light of the CFREU: [The validity of the Commission’s SCC decisions] “depends, … , on whether, … such a [SCC] decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them”. (Judgment at 137.)

Unless there is a valid European Commission adequacy decision, the National Supervisory Authority competent to consider a case is required to suspend or prohibit the transfer of data to a third country pursuant to SCCs if it takes the view that, in practice, the contractual clauses cannot be complied with in a third country and cannot be assured by other mechanisms, if the controller or processor has not itself suspended or put an end to the transfer. (See Judgment at 113.)

Conclusions

The judgment makes very clear how important a finding of adequacy is to permit frictionless personal data transfers to third countries.

It emphasises that SCCs are not ‘sign-and-forget’ documents but need to be reviewed and supported where necessary. “In that regard, recital 109 of the [GDPR] states that ‘the possibility for the controller … to use [SCCs] … should [not] prevent [it] … from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards… that supplement [SCCs]’” (Judgment at 132).

The Irish DPC will now need to assess whether it is required to suspend or prohibit the transfer of personal data from Facebook Ireland to Facebook Inc. in the United States. (A more general prohibition on personal data transfers to the USA would need to be referred to the European Data Protection Board for a binding opinion: see Judgment at 147.)

For the United Kingdom (UK), taking account of the fact that it has chosen to exit from the CFREU, the judgment increases the pressure to secure an adequacy decision before 31 December 2020 and the end of the transition period.

 

Leonard Hawkes

Of Counsel

leonard.hawkes@flinn.law

+32 2 274 51 88

 

FLINN.law

Avenue des Arts 46, 1000 Brussels, Belgium

+32 2 274 51 80

 

Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.