Observations on the Schrems II judgment

Facebook Ireland and Schrems (Protection of individuals with regard to the processing of personal data - Transfers of personal data to third countries for commercial purposes - Judgment) [2020] EUECJ C-311/18 (16 July 2020)

Observations on the judgment of the Grand Chamber

Background

The reference for a preliminary ruling was submitted to the CJEU by the High Court of Ireland during proceedings between the Data Protection Commissioner (the Irish data protection regulator, “the DPC”), Facebook Ireland Ltd and Maximillian Schrems. As set out in para. 1 of the judgment, the proceedings concerned a complaint by Mr Schrems in relation to the transfer of his personal data by Facebook Ireland Ltd to Facebook Inc. in the USA.

It is said that this case represents the next stage in Mr Schrems’ pursuit of Facebook or, alternatively, Mr Schrems’ pursuit of the European Commission, in respect of the transfer of personal data to the USA. The procedural history is lengthy and it is well known that Mr Schrems prevailed spectacularly in his original case when, in 2015, the Grand Chamber declared Commission Decision 2000/520, which enabled the so-called “Safe Harbor” [sic] data transfer regime to cover EU/USA transfers of personal data, to be void ab initio.

This decision caused significant concern within the business community which relied upon ‘Safe Harbor’ to support the legality of transferring personal data from the EU to the USA.

In a remarkably short time, the European Commission replaced ‘Safe Harbor’ with ‘Privacy Shield’ in implementing decision (EU) 2016/1250 of 12th July 2016.

Following the decision of the CJEU on 6th October 2015, the original complaint was remitted to the DPC, who invited Mr Schrems to reformulate his complaint as Facebook Ireland had (at least by then) stated that it relied upon standard contractual clauses (“SCCs”) in order to safeguard the data subjects’ rights when transferring personal data to the USA.

Mr Schrems duly reformulated his complaint, which was lodged on 1st December 2015. In it he alleged that, as US law required Facebook Inc. to disclose the data transferred to it to US authorities (including the NSA and the FBI), the Commission’s SCC decision (Commission Decision 2010/87/EU of 5th February 2010) was breached by Facebook’s transfer of his personal data to the USA. He alleged breaches of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU (2012/C 326/02), being, respectively, the right to respect for private and family life; the right to protection of personal data; and the right to an effective remedy and to a fair trial.

The DPC reviewed the matter and published a ‘draft decision’ on 24th May 2016 in which she concluded (at 64) that US law did not provide EU citizens with legal remedies compatible with Article 47 of the Charter and that the SCCs were not capable of remedying the defect as they conferred only contractual rights which were not binding on the US authorities.

The DPC took the matter to the High Court of Ireland which led to the reference to which this ruling refers.

In the reference, the High Court took of its own motion the question not only of the validity of the SCCs (Mr Schrems’ reformulated complaint) but also of the validity of the “Privacy Shield” decision which had replaced “Safe Harbor”.

The procedural history is set out in paragraphs 50-67 of the judgment with the questions put to the CJEU set out in para. 68.

Jurisdictional challenge

Facebook Ireland, the German Government and the UK Government claimed that the reference to the CJEU was inadmissible because, respectively: the questions for a preliminary ruling were based on Directive 95/46, which had been repealed with effect from 25th May 2018; the DPC had merely expressed doubts and had not given a definitive opinion; and the questions referred were hypothetical as the referring court had not found that data had actually been transferred. The court was not persuaded by these submissions.

The questions referred

Firstly, the court decided (at 77-79) that the questions referred should be answered in the light of the provisions of the GDPR (Regulation 2016/679) rather than those of Directive 95/46.

The first question

Should Art. 2(1) and Art. 2(2)(a), (b) and (d) of the GDPR, when read together with Art. 4(2) TEU, be interpreted as meaning that that regulation applies to the transfer of personal data from the EU to a third country where the data is liable to be processed by the authorities of that third country?

The court answered: First, as national security remains the responsibility of each Member State, the rule in Art. 4(2) TEU is not relevant in the present case to the consideration of Art. 2(1) and Art. 2(2)(a), (b) and (d) of the GDPR. Second, the Regulation does apply to this type of data transfer for commercial purposes, whether or not, at the time of the transfer or thereafter, the data was liable to be processed by the authorities of the third country for public security, defence or State security purposes.

The second, third and sixth questions

In short, these questions asked whether EU law should be considered in the light of relevant Member State law; on what basis the third country’s level of protection of personal data should be assessed; and how that assessment should be carried out.

In consideration of these questions, the court confirmed that, inter alia, rights conferred by the Charter (and the ECHR) override other considerations. Where EU legislation does not refer to Member State legislation, even that of a constitutional nature, EU law cannot be construed in the light of that Member State law. EU law prevails, therefore, except where it expressly does not.

The court held that Articles 46(1) and 46(2)(c) of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to SCCs are afforded a level of protection essentially equivalent to that guaranteed within the EU by the Regulation (the GDPR) read in the light of the Charter [my emphasis]. This is, in essence, a repeat of the test set down by the court when it struck down “Safe Harbor” in 2015.

The eighth question

Should Art. 68(2)(f) and (j) of the GDPR be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to SCCs adopted by the Commission if the court is satisfied that they cannot be complied with in the third country to the extent that the rights conferred by the GDPR and the Charter cannot be ensured?

This is, in essence, a question of remedy and powers of the regulator.

The court confirmed that in the absence of a valid adequacy decision, the supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to SCCs under the circumstances outlined above and in particular if the GDPR Art. 45 and 46 rights and Charter rights cannot be ensured by other means (and where the data controller has not itself suspended or put an end to the transfer).

The seventh and eleventh questions

In short, was the Commission Decision valid in the light of Articles 7, 8 and 47 of the Charter?

The short answer given to these questions was “yes”. However, this was qualified (not only in the court’s answer to the second, third and sixth questions) as being limited to circumstances where the data subjects’ rights are appropriately protected. Therefore, a straightforward reading of the court’s analysis is that while SCCs are in principle valid, they are only valid where the third country’s laws do not give authorities there the right to access the data in a manner which would breach the data subjects’ rights under the GDPR and the Charter.

The long answer to these questions is therefore a “qualified yes”.

The fourth, fifth, ninth and tenth questions

In short, is the “Privacy Shield” decision valid?

The short answer to this question is a clear “no”.

In getting to this point, the court of its own motion considered the question of the validity of the “Privacy Shield” decision (notwithstanding that the questions were included in the reference) as the main proceedings did not actually deal with the validity of the “Privacy Shield” decision otherwise than by implication. This was the area of the reference which the Advocate General in his opinion suggested that the court need not consider.

The court concluded (after detailed analysis at 163-198) that Art. 1 of the “Privacy Shield” decision is incompatible with Art. 45(1) of the GDPR when read in the light of Articles 7, 8 and 47 of the Charter. On that basis, as Art. 1 of the decision is inseparable from Articles 2 and 6 and the annexes, that failing invalidated the whole decision.

Fall-out considered by the court

The court considered (at 202) whether its decision would create a legal vacuum. It concluded rapidly that Art. 49 GDPR covered the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Art. 45(3) GDPR or appropriate safeguards under Art. 46 GDPR. The court was satisfied that no legal vacuum would be created.

Discussion

First, as the Commission decision relating to “Privacy Shield” was struck down as invalid, it was in effect rendered unlawful ab initio. Therefore, it seems that any transfer of personal data made under the cover of “Privacy Shield” is and was always unlawful. This is an almost identical situation to that which prevailed following the fateful 2015 decision concerning “Safe Harbor”.

The result of this decision raises two significant issues:

A. The decision-making competence of the Commission in relation to these serious matters must be called into question. While a political matter rather than a legal one, it follows that business now needs to see a greater degree of transparency and rigour in Commission decision-making in order to be confident that future decisions can be relied upon; and

B. Data subjects whose data was transferred (and especially those whose data continues to be transferred following the handing down of this judgment) have potential cause for complaint against the organisations relying on “Privacy Shield” for that transfer. Such a breach, were a court to find that it is actionable, is irremediable by the data controller.

Second, while a skim read of the judgment (or a read of only the press release) suggests that SCCs remain valid, it is clear from a detailed analysis that they are only valid where the laws of the third country allow the relevant protections required by the GDPR and the Charter to be maintained. This, it seems, puts a significant burden of due diligence on the companies which are seeking to rely on SCCs to investigate the laws of third countries to ensure that the SCCs can be effective. In effect, the data controller is responsible for doing the work which should be undertaken by the Commission when making (or not) an adequacy decision.

Conclusion

Any organisation relying on “Privacy Shield” to support the lawfulness of its transfers of personal data to the USA needs to cease doing so immediately. Other organisations could do worse than to check that they are not using the services of those who are reliant on “Privacy Shield” to avoid issues including loss of service from those suppliers.

While SCCs remain valid, that validity has been qualified by the court and it seems to me that the judgment in this case renders the value of SCCs somewhat limited. Organisations relying on SCCs need to consider very carefully whether the protections purported to be provided by the SCCs can actually be delivered.

The issue with SCCs is wider than that with “Privacy Shield” as the latter only applies to transfers to one jurisdiction whereas SCCs can be used to any jurisdiction. A careful review of the use of SCCs would be prudent.

Any organisation or data controller which currently relies upon either “Privacy Shield” or SCCs should consider carefully the necessity of data transfer outside of the EU to any third country and take legal advice in respect of the risks and any mitigations that might be applied in respect of a complaint raised by an aggrieved data subject now or in the future.

Ian Beeby