International data transfers, standard contractual clauses, and the Privacy Shield: the AG Opinion in Schrems II
On 19 December 2019, Advocate General (AG) Henrik Saugmandsgaard Øe of the Court of Justice of the EU (CJEU) issued his Opinion in the case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, referred to throughout as “Schrems II”). The case has received a great deal of attention, and raises a number of significant questions about the regulation of international data transfers under EU data protection law. I will briefly describe the facts, before analysing some key questions the Opinion deals with, and will finally draw some conclusions. The relevant paragraphs of the Opinion are indicated in parentheses.
The plaintiff Max Schrems complained in 2013 to the Irish Data Protection Commissioner (DPC) about the data transfer practices of Facebook under the Data Protection Directive 95/46/EU. This complaint was rejected. He then brought an action against the decision before the Irish High Court, which referred a number of questions to the CJEU, in particular concerning the validity of the EU-US Safe Harbour arrangement that Facebook had joined and which the Commission had found in a decision to provide an adequate level of data protection. In its judgment of 6 October 2015 (Case C-362/14, previously discussed on this blog), the CJEU invalidated the adequacy decision, and held that an adequate level of data protection requires that third country law be “essentially equivalent” to EU law. The High Court then annulled the decision rejecting Schrems’ complaint and referred the case back to the DPC.
Schrems then alleged that Facebook’s use of the standard contractual clauses for data transfers approved by Commission Decision 2010/87 (and later amended by Commission Decision 2016/2297) (collectively referred to here as “the SCCs”) could not provide a valid legal basis for transfers to the US, in part because Facebook is obliged to make the personal data of its users available to US government authorities in the context of their surveillance programs. After investigating Schrems’ allegations and finding that it could not adjudicate on them until the CJEU examined the validity of the SCCs, the DPC brought proceedings before the High Court. These proceedings also dealt with US law and practice regarding surveillance and the level of protection provided by the EU-US Privacy Shield, a self-regulatory system that Facebook had joined as the successor to the Safe Harbor and which was found to provide adequate protection in Commission Decision 2016/1250.
On 9 May 2018 the High Court stayed the proceedings and referred eleven questions to the CJEU. The questions are too lengthy to be quoted here, but concern the following topics: the application of EU law to data transfers made for commercial purposes but further processed for national security and law enforcement purposes in the third country of transfer; whether the standard for a violation of individual rights under the SCCs should be EU law or Member State law; whether data transfers under the SCCs violate the EU Charter of Fundamental Rights (the “Charter”), in particular Articles 7, 8, 47, and 52, including the essence of those rights; the level of protection for transfers under the SCCs; whether the SCCs provide adequate safeguards; the obligations of data protection authorities (DPAs) if they find that the SCCs conflict with EU law; the relevance of the Privacy Shield to transfers under the SCCs; and whether the Ombudsperson mechanism under the Privacy Shield is compatible with Article 47 of the Charter.
The AG examined these questions under both the Directive and the EU General Data Protection Regulation (GDPR), which in the meantime had become fully applicable. He responded to them in the aggregate in one brief paragraph (para. 343), stating that “analysis of the questions for a preliminary ruling has disclosed nothing to affect the validity” of the SCCs. Earlier in the Opinion, he also found that there was no need to examine the validity of the Privacy Shield (see, e.g., para. 161 et seq.). The judgment of the Court will now be issued in the coming months.
Because of space constraints, I will focus on four important issues that the Opinion deals with, namely the scope of EU data transfer rules; the standard of protection that SCCs must meet under EU law; the validity of the SCCs in light of the level of data protection provided in the third country of transfer; and the validity of the Privacy Shield.
With regard to the scope of EU data transfer rules, the AG found that EU law may apply to “processing consisting in the transfer itself” (para. 104, emphasis in the original), but that “subsequent processing by the United States authorities for national security purposes of the data transferred to the United States” is “excluded from the scope ratione territoriae of the GDPR” (para. 104, emphasis in the original). He based this conclusion on the distinction he made in Ministerio Fiscale (Case C-207/16, see para. 47 of his Opinion in that case) between the “direct processing of data in the context of sovereign activities of the State and, on the other hand, commercial processing following which the data are used by the public authorities” (footnote 40 of his Opinion in Schrems II).
However, privileging certain acts of the State based on them relating to its “sovereign activities” seems artificial given the difficulty of agreeing on what these activities are, and goes against the growing trend to hold States accountable for human rights violations. One can also question the distinction between “the transfer itself” and subsequent processing of the data by US authorities: surely the raison d’être of EU data transfer regulation is to ensure protection not only at the time of transfer but also post-transfer. And the AG’s statement excluding the national security activities of the United States from the territorial scope of the GDPR seems to conflate this issue with the applicability of the GDPR, although they are two separate matters.
With regard to the standard of protection that SCCs must meet, the AG concluded that they must result in “essential equivalence” with EU law, which is the same standard that applies to EU adequacy decisions; as the AG stated, “the requirements of protection of fundamental rights guaranteed by the Charter do not differ according to the legal basis for a specific transfer” (para. 117). While this conclusion helps avoid circumvention of the high level of protection for data transfers that the CJEU required in the first Schrems case, it is unclear how a standard of fundamental rights protection based on a detailed evaluation of a third country’s entire legal order as in an adequacy decision (see para. 74 of the first Schrems judgment) can be applied to the much narrower set of protections contained in the SCCs that, as the AG stated, are used for specific transfers and must be evaluated on a case-by-case basis (para. 126).
The AG tried to bridge this gap by stating that if a DPA concludes that the SCCs are not being complied with and that appropriate protection of the data cannot be ensured, it must suspend the transfer, i.e., suspension by a DPA is not optional (para. 148). He also required data controllers to conduct a detailed examination of “all the circumstances characterizing each transfer” when using the SCCs. This examination may include consideration of the criteria that the Commission is required to assess under Article 45(2) GDPR when considering whether to issue an adequacy decision (para. 135), such as the rule of law and respect for human rights in the country of transfer. However, one can ask whether commercial data controllers are qualified to assess such factors, a point that has led to controversy concerning the role of data controllers in balancing rights under the Court’s Google Spain judgment (Case C-131/12), and that of social media platforms with regard to removing online content under its recent Glawischnig-Piesczek v Facebook judgment (Case C-18/18).
A crucial question in the case concerns the effect of government surveillance in the third country of transfer on the validity of SCCs in light of the Charter. The AG found that the SCCs are “a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there” (para. 120), so that they can be used for transfers to any third country regardless of the level of protection that exists in it. This is correct as a matter of law, but represents, as I have argued previously, a retreat into legal fiction, since the level of protection in the third country can have an impact on the protection that the data will receive under the SCCs, particularly in light of the fact that they do not require DPA authorization (see GDPR Article 46(2)) so that penalties for violation can only be imposed after the fact, at which time it will often be too late for any effective remedial action. The AG seemed to recognize this point, but still found that it does not render the SCCs invalid (see para. 153).
The Roman orator Cicero often used the rhetorical device praeteritio, by which he would draw attention to a point by denying it. This device finds a renaissance in the Opinion, where the AG stated several times that the Court need not rule on the validity of the Privacy Shield, before launching into a detailed 10-page analysis of it (see para. 196 et seq. of the Opinion). While he concluded that the Court should not consider its validity, the AG did find several important deficiencies in the Privacy Shield, raising doubts about whether it would be upheld should the CJEU wish to opine on it, either in the final judgment of Schrems II or elsewhere (and it should be remembered that La Quadrature du Net, Case T-738/16, which seeks annulment of the Privacy Shield, is currently pending in the General Court).
The Opinion combines a meticulous and thorough analysis of the legal issues with an eye for the larger questions involved, such as the case’s international implications (see para. 7). The AG refrained from advocating sweeping action (such as invalidating the SCCs or the Privacy Shield), and sought to ensure protection of data transfers under the SCCs by strengthening the obligations of both data controllers and DPAs. With regard to data controllers, this means that they should conduct a detailed examination of the circumstances surrounding each transfer and the parties processing the data before using the SCCs, while DPAs should suspend data transfers under the SCCs when they find there is a lack of protection. In effect, this divides responsibility for the transfer between the two, with data controllers ensuring protection before the transfer has been carried out, and the DPAs doing so afterwards.
By finding that DPAs must suspend transfers when data protection is not ensured, the Opinion would seem to increase the pressure on the DPC to take some kind of enforcement action against Facebook. The DPC has been criticized for failing to sanction Facebook earlier, but given the Court’s insistence in the first Schrems case on questions concerning adequacy being referred to it (see para. 64 of that judgment), one can understand the DPC’s reluctance to take action before questions of such fundamental importance were clarified by the courts, which also has the advantage of furthering legal harmonisation.
The outstanding question now is whether the Court will follow the conclusions of the AG with regard to the two issues of greatest practical and political significance, namely the validity of the SCCs and of the Privacy Shield. The AG’s decision not to invalidate the SCCs seems to be based largely on strategic and procedural considerations on which the Court could take a different view if it wants to (see paras. 174-186), and one cannot help but recall Google Spain, where AG Jääskinen struck a balanced tone in his opinion concerning the “right to be forgotten” that was not followed by the Court in its judgment. Thus, the SCCs are not “out of the woods” yet. Concerning the Privacy Shield, the AG’s criticisms of it seem to indicate that it may be living on borrowed time. However the Court ultimately rules in Schrems II, its judgment can be eagerly awaited as likely representing a milestone in the law of international data transfers.