On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a preliminary ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems effectively invalidating the European Commission’s Decision (EU) 2016/1250 relating to the EU – U.S. Privacy Shield. At the other end of the spectrum, the CJEU affirmed the validity of Standard Contractual Clauses (SCCs) as a means of ensuring an adequate level of protection to personal data being transferred to third countries, subject always to the strict adherence to the requirements provided under EU data protection legislation and the EU Charter.
The Schrems judgment is especially important in relation to entities engaged in the transfer of personal data to processors established in third countries and, in particular, the United States.
What is the EU – U.S. Privacy Shield?
The EU-U.S. Privacy Shield is a self-certification mechanism designed by the U.S. Department of Commerce and the European Commission to ensure compliance with data protection requirements in the course of transferring personal data from the European Union to the United States for the purpose of facilitating transatlantic commerce. The EU – U.S. Privacy Shield had been recognised as providing an adequate level of protection, taking into consideration the framework relating to personal data protection applicable in the EU, following the European Commission’s Implementing Decision (EU) 2016/1250 of 12 July 2016 (the Privacy Shield Decision). The Privacy Shield Decision was formally incorporated into the European Economic Area Agreement by Decision No. 144/2017 of the European Economic Area Joint Committee of 7 July 2017. In essence, the EU – U.S. Privacy Shield allows for the transfer of personal data from entities based in the European Economic Area (EEA) to entities based in the United States that have self-certified as providing appropriate legal guarantees in respect of such transfers of data and that undertake to uphold and observe a series of data protection principles enshrined in the EU – U.S. Privacy Shield.
Factual Background and Ruling of the CJEU in Schrems
Schrems concerned an application for a preliminary ruling submitted to the CJEU by the High Court of Ireland in the context of judicial proceedings concerning a complaint lodged by Mr Maximillian Schrems (MS) in respect of the transfer of his personal data from Facebook Ireland to Facebook Inc., an entity established in the United States. In effect, MS sought to preclude the transfer of his personal data to the United States by Facebook Ireland, claiming that the legislation and practices applicable in the United States with regard to personal data protection did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. In particular, MS argued, among other things, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), in the context of various monitoring programmes, in a manner incompatible with applicable EU law.
In addressing the issues raised in Schrems, the CJEU was asked to examine, among other things, whether the Privacy Shield Decision complied with the requirements stemming from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), read in light of the EU Charter.
In holding that the Privacy Shield Decision was invalid, the Court found that the application of U.S. law is incompatible with the principles of necessity and proportionality enshrined in the GDPR. Going further, the CJEU found that EU citizens, i.e. data subjects whose personal data are subject to unlawful processing in the United States, are not afforded an effective administrative and judicial redress mechanism. The Court therefore reasoned that, since U.S. law does not provide any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, it falls foul of the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the EU Charter, and is incompatible with Article 45 of the GDPR.
In Schrems, the CJEU also proceeded to examine the interpretation and validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 (OJ 2010 L 39, p. 5), as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) (the SCC Decision). In particular, it was held that the ‘SCC Decision provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses […] is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.’
Commentary on the Importance of the Schrems Judgment in the context of EU Data Protection Legislation
As a general remark, it can be said that, in many ways, the Schrems ruling recognises the merit in the concerns that have long been expressed at EU level (most notably by the European Data Protection Board) with regard to the adequacy of protection granted to personal data under the Privacy Shield, particularly with regard to the transfer of personal data to processors established outside the EEA. More explicitly, in the context of its annual joint reviews of the Privacy Shield, the European Data Protection Board called into question the compliance of the application of U.S. law with the data protection principles of necessity and proportionality.
In light of the lacuna that has arisen in the wake of the Schrems judgment (due to the Privacy Shield being ruled invalid), it is almost certain that the EU-U.S. data protection framework will have to be revisited in a manner that ensures compliance with applicable EU data protection legislation.
At the same time, the CJEU has affirmed the validity of SCCs in the context of the transfer of personal data to processors established outside the European Union, to the extent and in so far as the SCCs maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR, read in light of the Charter of Fundamental Rights of the European Union.
In this respect, when considering whether to enter into SCCs, the importer and the exporter are tasked with the responsibility of carrying out an assessment of whether the legislative framework relating to personal data protection in the country to which personal data will be transferred offers an adequate level of protection.
In the course of any such prior assessment, the exporter is expected to take into consideration all material factors, including the circumstances of the transfer, the content of the SCCs and the legal and regulatory framework with regard to personal data protection applicable in the importer’s country. Where, following such an assessment, it appears that an essentially equivalent level of protection is not or cannot be guaranteed in the country of the importer, the exporter may have to adopt measures additional to those included in the SCCs in order to ensure compliance with its obligations under the GDPR. Importantly, in the event that the stipulations included in the SCCs cannot be complied with for whatever reason, the exporter is under an obligation to suspend the transfer or terminate the SCCs, or to notify its competent supervisory authority if it intends to continue transferring data.