International Data Transfers, Schrems I and the CJEU

This is the first of two articles that will summarise the ongoing litigation challenging the validity of legal mechanisms for international data transfers. This first article sets out the background in anticipation of the decision of the Court of Justice of the European Union (‘CJEU’), expected on 16 July 2020 on the validity of Standard Contractual Clauses (‘SCCs’). The second article will examine the conclusions of the CJEU.

SCCs are an approved mechanism for the transfer of personal data from the European Economic Area (‘EEA’) to the rest of the world.[1] The EU-U.S. Privacy Shield[2] (‘the Privacy Shield’) is another approved legal mechanism, specifically dealing with the flow of personal data from the EEA to the U.S. For reasons that shall be explained below, the Privacy Shield replaced the mechanism known as the ‘Safe Harbour’ in 2016. 

The outcome of the CJEU decision this week is important because it will not only determine whether or not personal data transfers can continue under SCCs, but could also affect the validity of the Privacy Shield. Under the General Data Protection Regulation EU 2016/679 (‘GDPR’), there are only a few permitted mechanisms for sending data from Europe to the rest of the world aside from SCCs, which are currently the most used mechanism.[3]

Depending on the breadth of its assessment, the CJEU’s decision could also influence the approach to adequacy and will therefore be relevant to the UK’s position on personal data transfers once Brexit is complete.[4] ‘Adequacy’ means that the receiving country (referred to as a ‘third country’ in the GDPR) has been found by the European Commission to provide an adequate level of protection of personal data. 

‘Schrems I’

In 2013, following the revelations made by Edward Snowden about the U.S. government’s surveillance activities,[5] privacy activist Max Schrems complained to the Irish Data Protection Commissioner (‘DPC’) about Facebook’s data transfers from Europe to its servers in the U.S. Schrems argued that the Safe Harbour mechanism did not adequately protect his personal data from being collected and used by U.S. intelligence agencies.

Safe Harbour was established by European Commission Decision 2000/520[6] on the basis of Article 25(6) of Directive 95/46/EC (‘the Data Protection Directive’), giving the mechanism the presumption of adequacy. Personal data transfers were permitted if organisations complied with the ‘Safe Harbour principles’, publicly disclosed their privacy policies and were subject to the jurisdiction of the U.S. Federal Trade Commission. The Safe Harbour principles were issued by the U.S. Department of Commerce on 21 July 2000. U.S. companies could adopt the principles voluntarily; the system was one of ‘self-certification’.

The DPC rejected the complaint, and Schrems brought a claim in the Irish High Court in Maximillian Schrems v Data Protection Commissioner (C-362/14) (‘Schrems I’). The High Court, in turn, requested a preliminary ruling from the CJEU on the interpretation of Articles 25(6) and 28 of the Data Protection Directive in light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’), and on the validity of European Commission Decision 2000/520.

As mentioned above, under Article 25(6) the European Commission can make a finding of adequacy. Article 28 relates to a Member State’s data protection authority and its powers. Article 7 of the Charter protects the right to respect for a person’s private and family life, home and communications. Article 8 of the Charter establishes that ‘everyone has the right to the protection of personal data concerning him or her’ and that the personal data must be processed fairly and on a legitimate basis. Article 47 of the Charter protects the right to an effective remedy. The CJEU considered how these Articles should be interpreted and handed down judgment on 6 October 2015. The ruling can be found here.

The CJEU highlighted the European Commission’s adoption of the ‘communication to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US Data Flows’ (COM(2013) 846 final)’. The communication had recognised that personal data transferred under Safe Harbour could be accessed by U.S. authorities under their surveillance programmes in a way that was incompatible with the legal basis under which it had been originally transferred. In a subsequent communication[7] it was recognised that redress under U.S. law for privacy violations was available to U.S. citizens or residents, but not to EU data subjects. Further, it found that the U.S. authorities were able to process such data for purposes which were beyond what was strictly necessary and proportionate to the protection of national security.

The CJEU ruled that national Data Protection Authorities (‘DPAs’) are able to examine a finding of adequacy by the Commission, but that only the CJEU could invalidate the finding.[8] It went on to conclude that adequacy under Article 25(6) must be understood to require the country “in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in light of the Charter”.[9]

This concept of essential equivalence means that whilst the receiving country may not have identical protections or guarantees, it must have, in practical terms, effective protection that meets a standard equal or equivalent to that of the EU. The Court also noted that the level of protection may change, and this requires the Commission to check periodically that adequacy is factually and legally maintained by the receiving country.[10]

The CJEU concluded that the measures within the Safe Harbour mechanism to provide protection were inadequate given that the principles applied solely to U.S. organisations that self-certified, but not U.S. public authorities. U.S. national security, public interest, or law enforcement requirements had primacy over the Safe Harbour principles so that “United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements”.[11] The court found that Decision 2000/520 did not establish which rules the U.S. had adopted to limit any interference with the fundamental rights of persons whose data had been transferred from the EU, or the existence of effective legal protection.[12] Accordingly it invalidated the Safe Harbour mechanism.

This led to negotiations between the European Commission and the U.S. Department of Commerce to create the Privacy Shield. On 12 July 2016, the European Commission declared the Privacy Shield as adequate.[13] The Privacy Shield is similar in structure to the Safe Harbour arrangement, and as before there is self-certification by U.S. companies. The content of the Safe Harbour principles was however expanded so that the Privacy Shield includes reference to sensitive data and provides detail on subject access and recourse mechanisms. To address the concerns highlighted by the Commission, the Article 29 Working Party and the CJEU, the Privacy Shield includes written commitments from the U.S. government that access for national security will only occur where there are clear limitations, safeguards and oversight. An Ombudsperson has been created to follow up on complaints from EU individuals regarding access to their data for national security purposes. The Privacy Shield is also reviewed annually, there is a suspension clause, and EU DPAs are involved in the enforcement process.

‘Schrems II’

Schrems next alleged that Facebook’s use of SCCs for data transfers was also invalid because, again, the company is obliged to make personal data available for U.S. government surveillance where requested, and there is no effective remedy for data subjects. SCCs were approved by the Commission as a mechanism for transfer on 5 February 2010 (Commission Decision 2010/87)[14] and the implementing decision was later amended to take into account the CJEU’s decision in Schrems I (Commission Decision 2016/2297).[15] The DPC brought the proceedings to the High Court, which in turn has referred several questions to the CJEU (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems C-311/18, the so-called ‘Schrems II’ case).[16] The questions were (in summarised form):

  • How do the Charter, the Treaty on European Union, the Treaty on the Functioning of the European Union, the Data Protection Directive, the European Convention on Human Rights, or any other provision of EU law apply to transfers of personal data from the EU to a third country for commercial purposes, where that data is then further processed for national security and law enforcement purposes?
  • Is the standard for violations of an individual’s rights under SCCs based on EU law or Member State law?
  • Does U.S. law adequately protect an individual’s data privacy rights that are guaranteed by Article 47 of the Charter?
  • Do SCCs provide adequate safeguards and what level of protection is required under Article 26(4)[17] of the Data Protection Directive?
  • What are the obligations of DPAs if they conclude that a receiving country’s surveillance laws make data transfers under SCCs inadequately protected?
  • What is the relevance of Decision (EU) 2016/1250 on the adequacy of the Privacy Shield on transfers to the U.S. under SCCs?
  • Does the Privacy Shield’s Ombudsperson provide an effective remedy to data subjects that satisfies Article 47 of the Charter?
  • Does Commission Decision 2016/2297 (implementing SCCs) violate Articles 7, 8 and/or 47 of the Charter?

On 19 December 2019, Advocate General Henrik Saugmandsgaard Øe of the CJEU issued his (non-binding) opinion on Schrems II.[18] I do not intend to go into the opinion in detail, other than to summarise his conclusion that the validity of SCCs will not be affected by the preliminary ruling, because it is the legal context in the country of destination that determines whether or not the obligations set out in the clauses of the SCCs are possible to implement. He concludes that it is for the relevant supervisory authority to examine this question, which may then prohibit or suspend the transfer of that data. The Advocate General, whilst expressing reservations about the Privacy Shield, is of the view that the CJEU should refrain from assessing its validity in answering questions about SCCs.

In any event, waiting in the wings is the case of La Quadrature du Net v Commission Case T-738/16, which is pending in the General Court of the European Union and seeks the annulment of the Privacy Shield. Even if the CJEU does not venture to comment on the Privacy Shield in Schrems II, it is only a matter of time before it receives judicial scrutiny.



[1] Some countries have what is known as ‘Adequacy’ and personal data can flow freely to those countries as if they are part of the European Union. 

[2] See: https://www.privacyshield.gov/Program-Overview

[3] See IAPP-EY Annual Governance Report 2019, in which 88% of respondents confirmed they used SCCs to transfer data outside the EU: https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/.

[4] The Withdrawal Agreement currently provides for a transition period that will end on 31 December 2020.

[5] The former CIA contractor revealed that the U.S. National Security Agency (the ‘NSA’) was using a software programme called ‘PRISM’ to spy on, and to obtain direct access to, personal data held on the servers of Apple, Facebook, Google and other technology companies.

[6] To read the Commission’s Safe Harbour adequacy decision click here.

[7] ‘Functioning of Safe Harbour from the Perspective of EU Citizens and Companies Established in the European Union’ (COM(2013) 847 final). 

[8] See paragraphs 43 to 47, and 61 to 65 of the judgment.

[9] Ibid. paragraph 73.

[10] Ibid. paragraph 76.

[11] Ibid. paragraph 86.

[12] Ibid. paragraphs 88 and 89.

[13] Commission Decision 2016/1250.

[14] Commission Decision 2010/87.

[15] Commission Decision 2016/2297.

[16] The reference for the preliminary ruling can be found here.

[17] Article 26(4) of the Data Protection Directive is as follows: “Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission’s decision”.

[18] The Opinion is available here.