International Data Transfers, Schrems II and the CJEU

Introduction

The Court of Justice of the European Union (‘CJEU’) has decided in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems Case C-311/18 (the so-called “Schrems II” case) that the EU-U.S. Privacy Shield is invalid, but that the legal mechanism of Standard Contractual Clauses remains valid. The case was heard by all 15 justices of the court.

This is my second article considering legal mechanisms for international data flows from Europe in light of the legal challenges brought by privacy activist Max Schrems. In my first article, I summarised the CJEU’s ruling in the so-called ‘Schrems I’ case[1], which invalidated the Safe Harbour mechanism that existed for data transfers from the European Economic Area (‘EEA’) to the United States (‘U.S.’). In Schrems I, the CJEU concluded that U.S. surveillance laws were incompatible with the rights found in the Charter of Fundamental Rights of the European Union (‘the Charter’), such that the Safe Harbour mechanism could not guarantee the required standard of data protection for EU data subjects. The Safe Harbour mechanism was replaced by the EU-U.S. Privacy Shield.

After the first ruling, Max Schrems applied to Ireland’s Data Protection Commissioner (‘DPC’) to prohibit or suspend transfers of his personal data from Facebook Ireland to its servers in the U.S. using Standard Contractual Clauses (SCCs). The basis of his request was that U.S. surveillance laws meant that it would not be possible for Facebook to adhere to the obligations in the clauses. Schrems was not challenging the SCC mechanism itself, but he argued that the DPC had authority to suspend such transfers, and that it should do so.

The DPC however took the view that the SCC mechanism was problematic, because it was not possible to remedy the defect in the clauses, which confer contractual rights on data subjects against the data exporter and importer, but not against public authorities in the U.S. The DPC brought an action to the High Court of Ireland, which in turn requested a preliminary ruling from the CJEU.[2]

The Schrems II Decision

The EU-U.S. Privacy Shield (‘the Privacy Shield’)

I shall begin with the CJEU’s decision on the Privacy Shield, before summarising the decision on SCCs. In Schrems I, the court invalidated the Safe Harbour mechanism on the basis that the Safe Harbour principles applied solely to U.S. organisations, but not to U.S. public authorities, and were inadequate because U.S. national security and law enforcement held primacy over the principles. The crux of the problem is that the U.S. government’s mass surveillance programs conflict with the fundamental rights of European data subjects. In Schrems II (as it had in Schrems I), the CJEU outlined the specific areas of U.S. surveillance laws that are problematic, and which I set out in the next few paragraphs.  

Section 702 of the Foreign Intelligence Surveillance Act (‘FISA’) authorises the surveillance programs ‘PRISM’ and ‘UPSTREAM’, which collect intelligence information on non-U.S. citizens. FISA compels electronic communications service providers[3] to give data, when requested, to intelligence agencies. PRISM requires Internet Service Providers to supply the U.S. National Security Agency (‘NSA’) with all communications to and from a ‘selector’, which may then be given to other security agencies. UPSTREAM requires telecommunications operators to allow the NSA to copy and filter internet traffic flows in order to gather communications from, to, or about non-U.S. citizens. Whilst FISA permits legal challenges by U.S. citizens, it is in practical terms, almost impossible for non-U.S. citizens to bring legal challenges due to the problem establishing locus standi.[4]

Under Executive Order 12333 (‘EO12333’), the U.S. President can direct the U.S. Intelligence Community to access data ‘in transit’, by tapping into the submarine communications cables laid on the seabed, to collect data before it enters the U.S. The NSA’s activities under EO12333 are not subject to judicial oversight. In 2014, Presidential Policy Directive 28 (‘PPD-28’) was issued by the administration under President Barack Obama to address the international fallout from Edward Snowden’s revelations of the extent of the U.S. government’s surveillance programs. PPD-28 established principles to impose limitations on signals intelligence operations. After the decision in Schrems I, the content of the Safe Harbour principles was expanded in the Privacy Shield to address the concerns about the U.S. government’s surveillance activities. An Ombudsperson was created to follow up on complaints from EU individuals regarding access to their personal data for national security purposes. 

However, the CJEU highlighted that the European Commission’s Decision on the Privacy Shield[5] still states that adherence to the Privacy Shield’s principles may be limited to meet U.S. national security, public interest, or law enforcement requirements.[6] Therefore, as before, “those requirements have primacy over those principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard the principles without limitation where they conflict with the requirements and therefore prove incompatible with them”.[7]

The CJEU made clear that any limitation on the exercise of fundamental rights must be provided for by law, which must define the scope of the limitation as well as set clear and precise rules on the scope of the application of the interference.[8] There must also be “sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure for providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary”.[9]

It concluded that section 702 FISA does not include any limitations on the implementation of surveillance programs for gathering foreign intelligence, nor does it provide guarantees for non-U.S. citizens targeted by those programs, and so it cannot ensure a level of protection that is ‘essentially equivalent’ to that required by the Charter. Further, in its opinion, neither PPD-28, nor the monitoring programs based on EO12333, grant European data subjects actionable rights before the courts against U.S. public authorities. The Ombudsperson mechanism provided for in the Privacy Shield was also deemed inadequate. The CJEU’s reasoning was that this is because the appointment is not independent of the executive, the Ombudsperson cannot adopt decisions that bind the U.S. intelligence services, and the Ombudsperson procedure does not provide a data subject with any cause of action that can provide the legal guarantees required by Article 47 of the Charter.[10] Accordingly the CJEU invalidated the Privacy Shield. 

Standard Contractual Clauses (SCCs)

Chapter V of the General Data Protection Regulation EU 2016/679 (‘GDPR’) sets out the principles that apply to the transfer of personal data to countries outside the EEA (referred to as ‘third countries’). Where the European Commission has not granted a third country ‘adequacy’ under Article 45, the alternative permissible mechanisms are set out in Articles 46 and 49. According to Article 46(1):

“In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country…only if the controller or processor has provided appropriate safeguardsand on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

Under Article 46(2)(c) of the GDPR, the European Commission may adopt standard data protection clauses. SCCs as a mechanism for transfer was approved by the European Commission on 5 February 2010 (Commission Decision 2010/87)[11] and the implementing decision was then later amended to take into account the CJEU’s decision in Schrems I (Commission Decision 2016/2297)(‘the SCC Decision’).[12] Recital 11 of the SCC Decision gives supervisory authorities the power to prohibit or suspend data transfers where it may ‘have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject’

According to Clause 5(d)(i) in the annex to the SCC Decision, the data importer (the organisation in the third country receiving the data) will notify the data exporter (the organisation in the EEA that is sending the data) if there is a legally binding request for disclosure of the personal data by a law enforcement authority, unless disclosure is prohibited to preserve the confidentiality of the investigation. However, the footnote to Clause 5 states that such a legal requirement must ‘not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46’. In the GDPR, the interests are replicated in Article 23(1), namely, national security, defence, public security and the prevention of serious crime.

The Irish High Court referred a number of questions to the CJEU regarding the relationship between EU law and the SCC mechanism (see my previous article). In response, the CJEU has stated the following:

  • The GDPR must be interpreted as applying to the transfer of personal data for commercial purposes to a third country, irrespective of whether or not it is later processed by the authorities in the third country for the purposes of national security.[13]
  • The level of protection required by GDPR Article 46(1) and 46(2)(c) is such that it ensures a ‘high level of protection…in accordance with the objective set out in recital 6’ and as confirmed in recital 104, requires the third country ‘in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in light of the Charter’.[14]
  • The factors that should be taken into consideration when determining the adequacy of the level of protection under SCCs are those relevant to assess whether the conditions of transfer specified in GDPR Article 46(1) are satisfied. To do so, the data controller or processor must take into consideration the contractual clauses agreed, any access to the data by public authorities in the third country, and the legal system in the third country. A non-exhaustive list of factors to consider are provided in GDPR Article 45(2).[15]
  • A supervisory authority has the power to take action if it concludes that a data subject whose data is being transferred to a third country is not afforded adequate protection in that country and is ‘required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence’ by suspending or prohibiting such a transfer in accordance with GDPR Article 58(2)(f) and (j).[16] This includes transfers under the SCC mechanism, even where there is a valid Commission Decision on the SCC mechanism.[17]
  • The SCC mechanism is valid, notwithstanding that the Commission Decision on the SCC mechanism does not include guarantees within the clauses that can be enforced against public authorities in third countries. GDPR Article 46(2)(c) does not state that such safeguards must be provided for by the Commission Decision, unlike GDPR Article 45(3).[18]
  • Article 46(1) requires the data controller or processor established in the European Union to provide appropriate safeguards and to take measures that compensate for any lack of equivalent data protection in the third country. This is to be examined on a ‘case-by-case’ basis.[19] It may require supplementing SCCs with additional clauses and safeguards, as is permitted by the GDPR, as long as they do not contradict the SCCs adopted by the Commission.[20]
  • The data exporter and data importer need to consider the legislation in the third country, and be satisfied that it provides the level of data protection that is expected in EU law to enable them to comply with the clauses contained within the SCCs; this is an exercise that needs to take place before the data transfers occur.[21]
  • Whilst Clause 5(d)(i) in the annex to the SCC Decision permits a data importer to disclose personal data to law enforcement authorities without notifying the data exporter, it must nevertheless inform the data exporter of the inability to comply with the SCCs pursuant to Clause 5(a).[22] If so informed, the data exporter is obliged to suspend the transfer of data and/or terminate the contract, or it will be in breach of its obligations under Clause 4(a) as interpreted in light of the GDPR and the Charter.[23]
  • However, if the mandatory requirements of the legislation in the third country do not ‘go beyond what is necessary in a democratic society to safeguard national security defence or public security’, as per the footnote to Clause 5, then such a request by law enforcement authorities will not constitute a breach of the SCCs.[24]
  • If, after being informed that the data importer cannot comply with the SCCs, the data exporter decides that it is not necessary to suspend the data transfers, it must give notice to the data protection authority, which may then investigate to come to its own conclusion.[25]

Concluding comments

The decision to invalidate the Privacy Shield is another landmark ruling from the CJEU, and will pose significant issues for data transfers from Europe to the U.S. Now that the Privacy Shield is invalid, it is likely that organisations using it for data transfers to the U.S. will move to SCCs, given the narrow options available in Article 49 of the GDPR. However, as for the Privacy Shield, the main issue for the use of SCCs is the lack of redress for EU citizens against U.S. surveillance measures.

The CJEU has made clear that the onus is on data exporters using SCCs to ensure that data subjects’ fundamental rights are protected and that they are required to take measures to compensate for any shortcomings by adding further clauses, or by introducing additional safeguards. Exactly what safeguards will be effective is unclear, given the substantial shortcomings of U.S. surveillance law with respect to the provision of redress. 

The European Data Protection Board issued a statement in response to the ruling, in which it said it will consider what additional measures could be adopted.[26] It intends to issue guidance on the transfer of personal data to third countries in light of this ruling in due course. In the meantime, it will be necessary for the DPC to apply the ruling to Max Schrems’ original objection to Facebook’s transfers of his personal data to the U.S. 

If you would like any further information or advice, please contact my clerks on 0300 0300 218 or clerks@normantonchambers.com


[1] Maxmillian Schrems v Data Protection Commissioner (C-362/14), available here.

[2] The reference for the preliminary ruling can be found here.

[3] Defined by U.S. Code §1881(b)(4) as a telecommunications carrier, a provider of electronic communication service, a provider of a remote computing service, and any other communication service provider who has access to wire or electronic communications.

[4] See paragraph 65 of the (Schrems II) ruling.

[5] Commission Decision 2016/1250.

[6] In paragraph 1.5 of Annex II of the Commission Decision, ibid.

[7] Paragraph 164 of the (Schrems II) ruling.

[8] Paragraphs 175 and 176, ibid.

[9] Paragraph 176, ibid.

[10] Paragraphs 193 to 197, ibid.

[11] Commission Decision 2010/87.

[12] Commission Decision 2016/2297.

[13] Paragraphs 87 to 89 of the (Schrems II) ruling.

[14] Paragraphs 93 to 94, ibid.

[15] Paragraphs 101 to 105, ibid.

[16] Paragraphs 111 to 113, ibid.

[17] Paragraph 121, ibid.

[18] Paragraphs 127 to 129, ibid.

[19] Paragraph 131 and 134, ibid.

[20] Paragraph 132, ibid.

[21] Paragraph 141, ibid.

[22] Paragraph 139, ibid.

[23] Paragraph 140, ibid.

[24] Paragraph 141, ibid.

[25] Paragraph 145, ibid.

[26] The statement is available here.