The author of this post is Giulio Monga, a PhD student at the Catholic University of the Sacred Heart, Milan. The editors of the EAPIL blog encourage scholars and practitioners to share their views on the Court’s judgment and its implications. Those interested in submitting guest posts are invited to get in touch with the blog editors at email@example.com.
On 16 July 2020 the Court of Justice of the European Union (CJEU) delivered its judgment on the Schrems II case (a press release is available here). The ruling is part of the judicial saga between Facebook and the Austrian data protection advocate Max Schrems relating to transfers of personal data from the EU to the US. It follows the judgment of 2015 whereby the CJEU invalidated the so-called ‘Safe Harbour’, later replaced by the ‘EU-US Privacy Shield’, the adequacy of which had been established by the European Commission by a Decision of 2016.
Max Schrems lodged a complaint against Facebook Ireland Ltd. before the Irish Supervisory Authority (the Data Protection Commissioner, DPC) over the transfer of personal data relating to him by Facebook Ireland to Facebook Inc., the latter’s parent company established in the US.
In particular, Mr Schrems claimed that the inclusion of the controller-to-processor Standard Contractual Clauses (SCC) approved by the EU Commission through Decision 2010/87 in a data transfer processing agreement between Facebook Ireland, acting as a controller with the meaning of Article 4(7) of the General Data Protection Regulation (GDPR), and Facebook Inc., acting as a processor with the meaning of Article 4(8) GDPR, did not justify the transfer of the personal data relating to him to the US. Under US law, Schrems argued, Facebook Inc. is required to make the personal data of its users available to US authorities, such as the NSA and the Federal Bureau of Investigation (FBI), in the context of surveillance programmes that preclude the exercise of the rights enshrined in Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the Charter). On that basis, Mr Schrems asked that DPC suspend the transfer of data.
The DPC, as well as the referring Irish High Court, noted that it was impossible to adjudicate Mr Schrems’ complaint unless the CJEU examined the validity of the Decision 2010/87. Furthermore, the referring High Court also asked CJEU to rule on the validity of the Decision 2016/1250 establishing the ‘EU-US Privacy Shield’.
The Legal Framework
Pursuant to Articles 25-26 of the repealed Directive 95/46/EC and to Articles 44-50 of the GDPR, transfer of personal data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection.
According to Article 45 GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, such an adequate level of protection. With regard to the US, the EU Commission, by Decision 2000/520/EC, firstly established that adequate protection was ensured by companies joining the so-called ‘Safe Harbour’ mechanism, which was invalidated under the first Schrems ruling. Later, with the new adequacy Decision 2016/1250 the EU-US Privacy Shield has been established.
In the absence of an adequacy decision, transfers of personal data to third countries may take place only if the personal data exporter established in the EU has provided appropriate safeguards provided by for Article 46, which may arise, among others, from standard contractual clauses adopted by the EU Commission. Standard Contractual Clauses, depending on the circumstances, might be controller-to-processor SCC such as those used by Facebook Ireland or controller-to-controller SCC approved by EU Commission through Decisions 2001/497/EC and 2004/915/EC.
In addition to the adoption appropriate safeguards, Article 46 GDPR also requires that enforceable data subject rights and effective legal remedies for data subjects are available.
The Court began with considering that the GDPR applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court added that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.
As in Schrems I, the CJEU stated that, according to the relevant rules of GDPR, data subjects whose personal data are transferred to a third country pursuant to Standard Contractual Clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. The Court specified that
[t]he assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country. (para. 105)
The Decision on the Standard Contractual Clauses
In light of the foregoing, the CJEU Court considered that the validity of Decision 2010/78 is not called into question by the mere fact that the SCC therein approved do not bind the authorities of the third country to which data may be transferred. In fact,
[t]hat validity depends, however, on whether, in accordance with the requirement of Article 46(1) and Article 46(2)(c) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. (para. 137)
The CJEU found that Decision 2010/87 establishes such mechanisms. Namely, the CJEU pointed out that the decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. The Court concluded that nothing affected the validity of Decision 2010/87.
The Invalidation of EU-US Privacy Shield
Lastly, the CJEU examines the validity of Decision 2016/1250 establishing the EU-US Privacy Shield.
In that regard, the CJEU notes that that Decision enshrines the position, as did Decision 2000/520, that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred under the Privacy Shield framework.
In the view of the Court,
[t]he limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter. (para. 185)
The Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.
The Ombudsperson mechanism
As regards the requirement of judicial protection, the CJEU focused its reasoning on the Ombudsperson mechanism provided for by the EU-US Privacy Shield Decision, which the EU Commission found as capable to ensure data subjects with level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.
The CJEU stressed that data subjects must be given an opportunity to seise an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data.
The CJEU observed in particular that the Privacy Shield Ombudsperson,
[a]lthough described as ‘independent from the Intelligence Community’, was presented as ‘[reporting] directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided’. (para. 195)
Furthermore, the CJEU noted that nothing in Decision 2016/1250 indicates that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees, which is such as to undermine the Ombudsman’s independence from the executive.
Similarly, the Court, noted that
[a]lthough recital 120 of the Privacy Shield Decision refers to a commitment from the US Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.
The CJEU found that
[t]he Ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.
In light of the foregoing, the CJEU invalidated Decision 2016/1250 on EU-US Privacy Shield.
The ruling is expected to have a very significant impact on the transfer of personal data from the EU to third countries.
Concerning the immediate effects of the judgment, the Court made the following remarks:
As to whether it is appropriate to maintain the effects of that decision for the purposes of avoiding the creation of a legal vacuum … the Court notes that, in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR (para. 202).