The US, China, and Case 311/18 on Standard Contractual Clauses
By Peter Swire
On July 9, the Court of Justice for the European Union (CJEU) held eight hours of oral argument in hearing case C-311/18, on whether US surveillance practices violate the fundamental rights of EU citizens. This case could potentially rupture the mechanisms that allow personal data to flow across the Atlantic. Should the Court so decide, it would soon be illegal for companies and services we use every day to transfer personal data from the EU to the US. Such a determination, however, may result in an absurdity; EU citizens’ data could not travel to the US for fear of intrusive surveillance, but could flow unimpeded to China, a nation with surveillance practices ripped from the pages of a dystopian science fiction novel.
Although a cut-off of data flows may seem far-fetched, Austrian lawyer Max Schrems, the plaintiff in the case pending before the CJEU, won a similar earlier case in 2015 (previously discussed on this blog). That case concerned the EU/US “Safe Harbor,” the earlier version of today’s Privacy Shield, which permits entities in the US and Europe to exchange personal data across borders. In the earlier case, the Court invalidated the decision in which the European Commission found adequate protections for personal data sent to the US pursuant to the Safe Harbor
In the aftermath of the 2015 case, most companies that transfer data from the EU were left to rely on contract standards promulgated by the European Commission, called Standard Contractual Clauses (SCC). The SCCs set strict requirements for handling personal data by the company that transfers the data.
The legality of SCCs is now before the CJEU, with a similar challenge to Privacy Shield awaiting the outcome of the first case.
A CJEU decision that invalidates SCCs would result in the prohibition of most transfers of personal data from the EU to the US. The case primarily concerns the quality of legal safeguards in the United States for government surveillance, especially by the NSA. (Note – I was selected to provide independent expert testimony on US law by Facebook; under Irish law, I was prohibited from contact with Facebook while serving as an expert, and I have played no further role in the litigation.)
A decision invalidating SCCs, however, would pose a terrible dilemma to EU courts and decisionmakers.
At a minimum, the CJEU might “merely” prohibit data flows to the US due to a finding of lack of sufficient safeguards, notably an insufficient remedy for an EU data subject who makes a subject access request to the NSA. The EU on this approach would continue to authorize the transfer of personal data to countries not directly covered by the Court decision, such as, for example, China. This approach would be completely unjustified: it would prohibit transfers of data to the US, which has numerous legal safeguards characteristic of a state under the rule of law, while allowing such transfers toward China, where the protection of personal data vis-à-vis the government is essentially non-existent.
At the maximum, the Court could acknowledge that a cut-off of transfers to the US would also require cutting off transfers of personal data to China and the many other countries that allow government access to personal data without protections of the sort expected by Europeans. On this approach, which would seem legally more justifiable, the EU would really be creating its “Great Firewall of Europe,” under which the personal data of European citizens would (practically) no longer circulate, banning an enormous range of routine business practices that involve transferring personal data to other countries.
Our extensive research on China, published as an annotated bibliography for this post, shows intrusive government data collection categorically at odds with the privacy protections of the EU’s General Data Protection Regulation. Surveillance has become particularly pervasive in Xinjiang Province, especially targeted at the Uighur ethnic minority, which is primarily Muslim. Among many surveillance initiatives, China is deploying its Social Credit System, scheduled for full deployment in 2020, with constant assessment of each person’s “trustworthiness.” Indeed, Freedom House reported: “China was once again the worst abuser of internet freedom in 2018.” (The US ranked sixth best of the 65 countries surveyed.)
Chinese economic growth means that Europeans’ personal data is increasingly held by Chinese companies, and thus legally available to the Chinese government. The German government has reported “China is Germany’s top trading partner in the world.” A third of European smartphone purchases last year went to Chinese manufacturers, creating a pipeline of customer data. A recent New York Times story noted: “Products created for China’s vast surveilled and censored domestic market are increasingly popular overseas, where they are often cheaper and more appealing to consumers.” As previously discussed on this blog, Italy this past March joined China’s Belt and Road Initiative, designed among other goals to increase connectivity with China.
The legal protections for data in China are notably weak. One study found China to have the fewest protections against surveillance among the 13 nations examined, stating: “Chinese national security law allows for the inspection of electronic communication instruments belonging to ‘any organization or individual’ for purposes of state security with few if any limitations.” By contrast, a leading Oxford researcher examined US legal safeguards and concluded that “the US now serves as a baseline for foreign intelligence standards.” My work on President Obama’s NSA Review Group led to the same view, that US legal safeguards for surveillance are among the strongest in the world, especially in light of reforms enacted after Snowden.
The key difficulty is that the pending litigation challenges transfers to the US, where protections against government surveillance are notably in place. Prohibiting data transfers to the US while allowing transfers to the Chinese surveillance state would be unjust and entirely incongruous with the EU goal of protecting the privacy and security of its citizens’ data. Such a prohibition would also raise serious international trade issues by unfairly discriminating against one trading partner (US) while allowing worse abuses by another (China). On the other hand, if the Court strikes down transfers to all trading partners, then the economic and political consequences would be global.
The Court of Justice, and all the concerned European actors, should therefore consider these enormous practical consequences as the Court considers the case. The Advocate General for the case, Henrik Saugmandsgaard Øe, said he will give his non-binding opinion in the case December 12 this year, with a full decision expected by early 2020.
A version of this article was first published in French in Le Monde.
Thank you for the article, it was an interesting read. Might I ask what your take is on the SCCs from a practical perspective? E.g., a US-based company receives from its EU-based subsidiary HR data about the subsidiary’s employees and, to do that lawfully, they use the SCCs. Do you find the SCCs in similiar scenarios as a formality or as an effective tool that translates into the business activities of the parties signing them?
Thank you in advance!
Many thanks for your comment.
SCCs are the most widely-used lawful basis for transfer from the EU to third countries. I have seen statistics that between 80% and 90% of companies that transfer data use SCCs. In addition to my position as a professor, I consult under university rules with the law firm of Alston & Bird. Clients use who SCCs generally treat them seriously – they are not a formality. Especially with the large fines that can apply under GDPR, companies often have a large compliance operation for SCCs and the rest of their processing for personal data. My greatest experience is with large companies that are based in the US – the culture and practice of compliance in such companies is often extensive.
Okay, so you mention China and the surveillance systems in place, but hat about the UK’s police forces whole scale collection of facial images without so much as any your leave which is every bit as intrusive. Indeed,the court rules DNA and fingerprints cannot be retained but gathering and retaining facial imagining is every bit as problematic in terms of data privacy.
Many thanks for your comment.
I agree that facial recognition raises serious privacy issues. As cited in the annotated bibliography, the use of facial recognition is especially developed in the Chinese province of Xinjiang – it appears that facial recognition is used for active policing there in ways that are far more extensive than in the UK or other EU member states. As you know, after Brexit the UK will be subject to an adequacy review by the EU, and the issues of police and national security surveillance in the UK are likely to receive considerable attention in that process.