EU-US Data Transfers: CJEU Shatters Privacy Shield − Schrems II
In response to questions referred by the Irish High Court, the CJEU’s Grand Chamber ruled on 16 July 2020 in case C-311/18 that Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield was invalid. By contrast, Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to third countries is valid because it contains mechanisms to achieve the necessary level of protection for personal data.
The standard contractual clauses:
Regarding transfers to third countries, the level of protection of personal data must be “essentially equivalent” to that guaranteed within the EU (by the General Data Protection Regulation (GDPR) in the light of the Charter of Fundamental Rights (CFR)). User data of EU citizens can therefore continue to be transferred to the USA and other countries on the basis of so-called standard contractual clauses. The clauses are intended to ensure that there is adequate protection for the data of EU citizens when data is transferred abroad. Decision 2010/87 includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law. Personal data transfers pursuant to such clauses are to be suspended or prohibited in the event of breach of such clauses or it being impossible to honour them. The CJEU highlights that, under Art. 58(2)(f) and (j) GDPR, the competent data protection supervisory authority is required to suspend or prohibit a data transfer if, in its view and in light of all the circumstances of this transfer, these clauses are not or cannot be complied with in the respective third country and the protection of the transferred data as required by EU law cannot be ensured by other means, where the data controller or data exporter has not itself suspended or put an end to the transfer.
The EU-US Privacy Shield:
The CJEU justified the invalidity of Decision 2016/1250 by stating that it does not sufficiently guarantee that transferred data in the USA is subject to the same level of protection as in the EU. The existing surveillance programmes in the USA have not been sufficiently limited in terms of proportionality. The provisions in Decision 2016/1250 do not indicate any limitations on the power they confer to implement these programmes or on the existence of guarantees for potentially targeted non-US citizens. In addition, the provisions do not grant data subjects actionable rights against US authorities before US courts. The CJEU also considers the requirement for judicial protection insufficient, since the established Ombudsperson mechanism is not equivalent to guarantees required by EU law. The Ombudsperson particularly lacks independence as well as the power to adopt binding decisions for the US intelligence services. European companies therefore cannot continue to transfer personal data to other companies on the basis of existing EU law.
Put in focus:
The case has its background in a complaint by Austrian data protection activist Maximilian Schrems. In his legal suit, he complained that Facebook in the USA was obliged to make data available to US authorities, such as the FBI, without the possibility of individuals being able to take action against their disclosure. The case is the sequel to the Schrems I case (C-362/14), which resulted in the CJEU’s judgment of October 2015, declaring the invalidation of the Safe Harbor Framework (Commission Decision 2000/520/EC), a mechanism that many companies were relying on at that time to legitimize data flows from the EU to the US (see also eucrim 3/2015, p. 85). In the aftermath, Schrems decided to challenge anew the transfers performed on the basis of the EU’s standard contractual clauses – the alternative mechanism Facebook has chosen to rely on to legitimize its EU-US data flows − on the basis of arguments similar to those raised in the Schrems I case. After the initiation of these proceedings in Ireland, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.
At a press point immediately following the judgment on 16 July 2020, Commission Vice-President Věra Jourová declared that the CJEU’s decision “means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses. …. [It] once again underlined that the right of European citizens to data protection is absolutely fundamental. It confirms also what the Commission has said many times and what we have been working on: When personal data travels abroad from Europe, it must remain safe.”
Commissioner for Justice Didier Reynders stressed the rule-of-law aspect, which is shared by the US counterparts. He added that the Commission is committed “to putting into place all the necessary measures to implement the decision of the Court.”
In a statement of 17 July 2020, the EDPS welcomed the Schrems II decision as a landmark judgment in which the CJEU “reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries.” The EDPS also highlighted that the CJEU confirmed the criticism of the Privacy Shield repeatedly expressed by the EDPS and the EDPB.