(Aug. 4, 2020) On July 16, 2020, the Court of Justice of the European Union (CJEU) held that the Privacy Shield Adequacy Decision of the European Commission on personal data transfer from the European Union (EU) to the United States (U.S.) was invalid because the level of data protection in the U.S. was not essentially equivalent to that required under EU law. However, it further ruled that Decision 2010/87 on standard contractual clauses (SCCs) remained valid, and that data transfers to third countries could still be performed according to such clauses provided that supplementary measures were put in place where necessary in order to ensure an essentially equivalent level of protection.
The General Data Protection Regulation (GDPR), which replaced the Data Protection Directive with effect from 2018, provides in article 45 that “[a] transfer of personal data to a third country… may take place where the Commission has decided that the third country … ensures an adequate level of protection” and has adopted an implementing act to that effect. In assessing adequacy, the European Commission must take into account, among other things, relevant legislation concerning public security, defense, national security, criminal law, and the access of public authorities to personal data. It must also take into account the implementation of such legislation, the existence of effective and enforceable data subject rights with effective administrative and judicial redress, and the existence and effective functioning of one or more independent supervisory authorities in the third country responsible for ensuring and enforcing compliance with data protection rules.
In the absence of an adequacy decision, a transfer of personal data to a third country may take place if the data controller or processor has provided appropriate safeguards, such as binding corporate rules or standard data protection clauses adopted by the European Commission, and data subjects are afforded enforceable rights and effective legal remedies. (GDPR art. 46.)
Facts of the Case
On October 6, 2015, the CJEU declared the Safe Harbour Decision of the European Commission, the previous adequacy decision that allowed personal data transfer from the EU to certified companies in the U.S., invalid. (Case C‑311/18, para. 42.) The European Commission subsequently adopted the Privacy Shield Decision in July 2016, in which it reassessed the U.S. legislation with regard to limitations and safeguards available and concluded that “the United States ensures an adequate level of protection for personal data transferred from the Union to self-certified organisations in the United States under the EU-U.S. Privacy Shield.” (Privacy Shield Decision para. 136.) Among other reasons for this conclusion, the European Commission stated that the U.S. government agreed to “create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community.” (Para. 65.) Furthermore it stated that “the Commission considers that any interference by U.S. public authorities with the fundamental rights of the persons whose data are transferred … will be limited to what is strictly necessary to achieve the legitimate objective in question, and that there exists effective legal protection against such interference.” (Para. 140.)
Commission Decision 2010/87 on standard contractual clauses (SCCs) provided in its article 1 that “[t]he standard contractual clauses set out in the Annex are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Article 26(2) of Directive [95/46] [Data Protection Directive].” The findings of the decision are binding on the competent national authorities. (Decision 2010/87, recital 5.) Competent national authorities must nevertheless suspend or prohibit a transfer of personal data to a third country when they determine that the transfer is carried out in violation of EU or national data protection law, for example where the data importer does not respect the SCCs or where the law to which the data importer is subject imposes requirements on it that derogate from the applicable data protection law. (Art. 4.)
Maximillian Schrems is an Austrian national who has been using Facebook since 2008. Every Facebook user in the EU concludes a contract with Facebook Ireland, a subsidiary of Facebook Inc., a U.S. company. Some or all of the user data is transferred to servers of Facebook Inc. located in the U.S. In 2013, Schrems filed a complaint with the Irish Data Protection Commissioner in which he requested that Facebook Ireland be prohibited from transferring his personal data to the U.S. The data commissioner rejected the complaint on the ground that the Safe Harbour Decision of the European Commission had found the standard of data protection in the U.S. to be adequate, that is, essentially equivalent to the one required under the EU Data Protection Directive. Schrems brought judicial proceedings before the High Court of Ireland, which referred the case to the CJEU for a preliminary ruling. The CJEU declared the Safe Harbour Decision invalid. (Case C‑311/18, paras. 50–53.)
The data commissioner asked Schrems to reformulate his complaint in light of that judgment and because Facebook Ireland had stated that most of its data transfers to Facebook Inc. were based on SCCs. On December 1, 2015, Schrems submitted his reformulated complaint, alleging that U.S. law required Facebook Inc. to make the personal data transferred to it available to certain U.S. authorities, such as the NSA and the FBI, and that this was incompatible with articles 7 (respect for private and family life), 8 (protection of personal data), and 47 (right to an effective remedy and to a fair trial) of the EU Charter of Fundamental Rights. He concluded that the SCCs could therefore not justify the transfer and asked the data commissioner to order the suspension or prohibition of the transfer of his personal data. On May 31, 2016, the data commissioner initiated judicial proceedings before the High Court of Ireland, which referred several questions to the CJEU for a preliminary ruling, including whether the SCC Decision was valid and what level of protection it required. (Paras. 54–68.)
The CJEU first considered data transfers according to the SCCs provided for in Commission Decision 2010/87. It stated that, where personal data is transferred to a third country in the absence of an adequacy decision, the assessment of the level of protection must take into account both the contractual clauses agreed between the data exporter and the recipient and the relevant aspects of the legal system of that third country, in particular any access by its public authorities to the transferred data. (Para. 105.) The CJEU explained that “the [national] supervisory authority is required … to suspend or prohibit a transfer of personal data to a third country if … the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means.” (Para. 113.) The CJEU pointed out, however, that national competent authorities are bound by a European Commission adequacy decision finding that the third country in question provides an adequate level of protection. Until such a decision is declared invalid by the CJEU, the competent authorities may not suspend or prohibit the data transfer on the ground that the third country does not provide adequate protection. (Paras. 116–118.)
The CJEU stated that the SCCs are “solely intended to provide contractual guarantees that apply uniformly in all third countries … and, consequently, independently of the level of protection guaranteed in each third country.” They cannot be enforced against the public authorities of a third country because those authorities are not party to the contract. Supplementary measures may therefore be necessary to ensure an adequate level of protection. The CJEU stated that, under SCC Decision 2010/87, the data exporter (the controller or processor established in the EU), where appropriate together with the recipient of the data, must verify before the transfer whether the law of the third country allows the recipient to comply with the SCCs and, if necessary, adopt such supplementary measures. If even with such additional measures adequate protection cannot be guaranteed, the data transfer must be suspended or ended. The CJEU concluded that the SCC Decision remains valid because it provides for effective mechanisms ensuring that a data transfer is suspended or prohibited where the recipient does not comply with the SCCs or is unable to comply with them. (Paras. 125, 132–149.)
With regard to the validity of the Privacy Shield Decision of the European Commission, the CJEU held that it does not comply with the requirements set out in the GDPR read in light of the EU Charter. It reiterated its case law on privacy and data protection, stating that “the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated” and that “[t]he same is true of … access to that data with a view to its use by public authorities.” (Para. 171.) The CJEU explained that even though the implementation of the U.S. surveillance programs based on Section 702 of the Foreign Intelligence Surveillance Act is subject to the requirements of Presidential Policy Directive 28 (PPD‑28), PPD‑28 does not grant data subjects actionable rights before the courts against the U.S. authorities. In the opinion of the CJEU, the Privacy Shield Decision therefore cannot ensure a level of protection essentially equivalent to that required under EU law. (Para. 181.)
The CJEU further held that the introduction of the Privacy Shield Ombudsperson does not provide data subjects with effective judicial redress in the U.S., because there is nothing to indicate that the Ombudsperson is independent from the executive or has the power to adopt decisions that are binding on the intelligence services. The redress available to data subjects is therefore not essentially equivalent to that afforded under EU law. The CJEU accordingly concluded that the Privacy Shield Decision was invalid. (Paras. 195–201.)