The Court of Justice has handed down its eagerly awaited decision in Data Protection Commissioner v Facebook Ireland and Schrems (C-311/18). The decision will be of particular significance to the UK seeking an adequacy decision after the transitional Brexit period ends as well as generally to organisations carrying out international data transfers to and from the US.
Background
The GDPR provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of data protection. Under the GDPR, the European Commission may make a finding that a third country ensures, under its domestic law or its international commitments, an adequate level of protection. If there is no adequacy decision, there must be appropriate safeguards, such as from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies.
The case arises out of action brought by Maximilian Schrems under which the original “Safe Harbor” arrangements with the US were found to be invalid, after which the “Privacy Shield” was introduced instead. The referring court asked the Court of Justice to consider the Privacy Shield (Decision 2016/1250) and the Commission’s standard data protection clauses (Decision 2010/87) in light of the GDPR.
Decision
The Court considered that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a member state to another economic operator established in a third country, even if, at the time of that transfer or later, that data may be processed by the authorities of the third country for public security, defence and state security. The Court added that this type of data processing cannot prevent such a transfer being within the scope of the GDPR.
The Court ruled that the requirements in the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies mean that data subjects whose personal information is transferred to a third country under standard data protection clauses must benefit from a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the EU Charter of Fundamental Rights. The Court specified that assessing that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and the relevant aspects of the legal system of that third country.
Further, the Court ruled that, unless there is a valid Commission adequacy decision, those competent supervisory authorities must suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances, that the standard data protection clauses are not or cannot be complied with in that country and that protecting the data transferred as required by EU law cannot be ensured by other means, if the data exporter established in the EU has not itself suspended or ended such a transfer.
Contractual clauses
The Court examined the validity of Decision 2010/87, saying that its validity is not called into question by the mere fact that the standard data protection clauses do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred. However, the Court added that it depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data under such clauses are suspended or prohibited if such clauses are breached or it is impossible to honour them.
The Court ruled that Decision 2010/87 establishes such mechanisms. It pointed out, in particular, that the decision imposes an obligation on a data exporter and the recipient of the data to verify, before any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the recipient.
Therefore, Decision 2010/87 remains valid.
Privacy Shield
Lastly, the Court examined the validity of Decision 2016/1250 under the GDPR and the Charter. In that regard, the Court noted that that decision enshrines the position, as did the earlier Safe Harbor Decision 2000/520, that the requirements of US national security, public interest and law enforcement have primacy. According to the Court, this condones interference with the fundamental rights of persons whose data are transferred to that third country. The Court said that the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of such data transferred from the EU, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, to the extent that the surveillance programmes based on those provisions are not limited to what is strictly necessary. The Court pointed out that, for certain surveillance programmes, those provisions do not limit the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court added that, although those provisions set out requirements with which the US authorities must comply when implementing the surveillance programmes, data subjects do not have actionable rights before the courts against the US authorities.
Considering the requirement of judicial protection, the Court ruled that the Ombudsperson mechanism in the decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.
Because of these reasons, the Court declared Decision 2016/1250 invalid.
Comment
Renzo Marchini, Partner in the Privacy, Security and Information Law group in Fieldfisher’s London office
“This is pretty much a solid victory for Schrems, and it will be interesting to see how the regulators (and businesses) reacts.
As far as the Standard Contractual Clauses, the decision – from a first review – is pretty much as the Advocate General set out in his earlier Opinion in December. The clauses are valid. They in theory can be used. But – and it is big but – the court makes clear that any particular use needs to be assessed by a company relying on these clauses to make sure that they do, in the circumstances, offer an ‘essentially equivalent’ protection. How is any European business (certainly smaller ones) supposed to do that? It will need to look – says the court – at the ability of law enforcement and other authorities in foreign countries to access the data! It will need to look at whether individuals have rights in those countries.
This crying out for urgent guidance from regulators. It is impractical for any but the largest businesses to do this assessment.
In the meantime, I expect there will be a little panic (as there was when in 2015 Safe Harbor was struck down) but things will calm down when all European business that rely on SCCs realise that business and life just has to go on – and many will look for whatever comfort they can find in the safety of numbers. Inevitably there will be some risk here, and my guess is that many businesses will take that risk until regulators have pronounced. Their only alternative is to not share data with their US affiliates.
The regulators are themselves in an unenviable position. They are supposed to police these assessments and transfers. Even if a transfer relies on SCCs, a transfer should be stopped if the regulator identifies that the protections are not there (and the business carried on regardless).
As far as Privacy Shield is concerned, here the court went much further than the Advocate General. This has been struck down. This will be a big shock in EU-US relationships. The Privacy Shield had been painstakingly put together to deal with criticism of oversight under the old regime that was killed in the first Schrems case back in 2015 (Safe Harbor). This is now also found to be invalid and cannot be relied upon. In the light of that, it will be difficult for the regulators to allow SCCs for transfers to the US. If there is too much scope for intrusion into European individuals’ privacy under Privacy Shield, how can there not be for SCCs?
The position of the Irish regulator is key now. What will it do with Facebook?”