On 16 July 2020, the Court of Justice of the EU (CJEU) issued its judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”). The case is a companion to the Court’s 2015 ruling in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14, “Schrems I”), in which the Court invalidated the Commission adequacy decision underlying the EU-US Safe Harbour arrangement.
In Schrems II the Court both affirmed the validity of the standard contractual clauses (SCCs) for data transfers under Commission Decision 2010/87/EU (later amended by Commission Decision 2016/2297), and invalidated Commission Decision 2016/1250 that was the legal basis of the EU-US Privacy Shield, which was the successor to the Safe Harbour. Beyond its impact on the SCCs and the Privacy Shield, the Schrems II judgment has important implications for the future regulation of international data transfers.
I have already set out the facts of the case in my previous posting analyzing the Opinion of Advocate General (AG) Henrik Saugmandsgaard Øe. In brief, the case arose from proceedings brought in Ireland by the complainant Max Schrems against the Irish Data Protection Commissioner relating to Facebook’s data transfers to the US. The Court of Justice summarized the questions referred to it by the Irish High Court as follows (with parenthetical references to the relevant paragraphs of the judgment): (1) whether the EU General Data Protection Regulation (GDPR) applies to data transfers between economic operators in situations where the data are likely to be processed in a third country for public security and law enforcement purposes (para. 80); (2) what level of protection applies under the SCCs adopted under Art. 46 of the GDPR (para. 90); (3) whether the data protection authorities (DPAs) are required to suspend or prohibit data transfers under the SCCs if in their view the clauses are not complied with or the level of protection cannot be ensured (para. 106); (4) whether the SCCs are valid in light of Arts. 7, 8, and 47 of the Charter (para. 122); and (5) whether the Privacy Shield ensures an adequate level of protection under Art. 45 GDPR (para. 160).
The scope and standards of the GDPR
The Court first rejected various objections that the GDPR did not apply to the case under Art. 2 GDPR (see paras. 82-85), and also found that Art. 4(2) TEU placing national security within the sole responsibility of the Member States could not affect the applicability of the GDPR (para. 81). The Court did not, as the AG had done, distinguish between “processing consisting in the transfer itself” and subsequent processing by national security authorities of a third country (see para. 104 of his Opinion), but instead found that the possibility of such subsequent processing did not matter in light of its being mentioned in Art. 45 GDPR (para. 87).
The Court also affirmed the AG’s view that “essential equivalence” with EU law under Art. 45 GDPR also applies to the SCCs under Art. 46 (para. 96). It confirmed that these standards must be based on EU law, particularly the EU Charter of Fundamental Rights (the “Charter”) (para. 99), and not on Member State law (para. 100).
The judgment also contains important holdings regarding the roles of the DPAs; while the Court discussed these with regard to the SCCs, they can be seen as being broadly applicable to all appropriate safeguards under Art. 46. In particular, the Court confirmed the duty of the DPAs under Art. 46 to suspend or prohibit data transfers if the SCCs cannot be complied with or if protection of the data cannot be otherwise ensured (para. 113). This will put pressure on the DPAs to suspend data flows under the SCCs when necessary.
Many data controllers had been concerned that the Court might invalidate the use per se of SCCs as a data transfer mechanism. However, the Court followed the AG in upholding their use, and also affirmed that the Commission has no obligation to evaluate the level of data protection in countries to which data are transferred under them (para. 130).
In upholding the use of SCCs the Court relied on statements in the GDPR (e.g. Recital 109) foreseeing the use of “other clauses and additional safeguards” in cases (such as those involving law enforcement access) where the SCCs cannot ensure protection (para. 132), which seems like a tautology (i.e., upholding the use of SCCs in cases where contractual clauses cannot provide protection through the use of other contractual clauses). Even if one can agree with the Court’s conclusion regarding the SCCs, its reasoning here seems weak and betrays a lack of familiarity with the practical implications of using them; for example, it suggests using “supplementary measures” (para. 133) to protect data under the SCCs, but does not explain what measures these could be.
The price of upholding the SCCs seems to have been making data controllers more accountable for taking action when legislation in the country of import allows for access to data going beyond EU standards. These requirements have always existed in the SCCs (see, e.g., footnote 2 to clause 5 of Decision 2010/87/EU), but the Court interpreted them more expansively than could be expected from the text of the SCCs and from Art. 46 GDPR. Thus, the Court states that data controllers transferring data under the SCCs must “verify whether the law of the third country of destination ensures adequate protection under EU law” (para. 134), and that they “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned” (para. 142). This will require data controllers to become experts in third-country law in a way that is probably beyond the capabilities of many of them, and raises questions in particular about data transfers to third countries that are non-democratic or where the rule of law does not apply.
The Privacy Shield
The AG had given the Court arguments to avoid having to opine on the validity of the Privacy Shield (see paras. 174-186 of his Opinion), but the Court found that it had no choice but to do so (see para. 151 of the judgment). The Court’s invalidation of the Privacy Shield was based on several factors: (1) the primacy of US law enforcement requirements over those of the Privacy Shield (para. 164); (2) a lack of necessary limitations and safeguards on the power of the authorities under US law, particularly in light of proportionality requirements (paras. 168-185); (3) the lack of an effective remedy in the US by EU data subjects (paras. 191-192); and (4) deficiencies in the Privacy Shield Ombudsman mechanism (paras. 193-197). In its evaluation of these issues, the Court paid particular concern to Arts. 7, 8, and 47 of the Charter. In light of these deficiencies, the Court found that the Privacy Shield Decision was invalid (para. 201) with immediate effect (para. 202).
The holdings of the Schrems II judgment are not unexpected: strengthening the standard of protection for data transfers and the role of DPAs fits with the Court’s strong affirmation of data protection rights in recent years, invalidating the use of SCCs would have been an extreme step that the Court was unlikely to take, and the Privacy Shield was already strongly criticized in the past. Thus, the judgment represents a continuation of the Court’s approach to the regulation of international data transfers rather than a radical departure from it.
However, there is no doubt that the Schrems II judgment will have major implications that go well beyond regulation of data transfers to the US. Data controllers will be expected to conduct a detailed examination of the circumstances surrounding each transfer, the adequacy of protection in the country to which the data will be transferred, and the parties processing the data. The fact that the Court expects data controllers to verify that there is an adequate level of protection in the country of import, a role that Art. 45 GDPR reserves to the Commission, would seem to make use of the SCCs in effect “mini adequacy decisions”. The obligations that the Court puts on data controllers to investigate the level of protection will be even more difficult for transfers to countries such as China, where legislation dealing with law enforcement and the security services may be difficult to obtain or non-existent.
The judgment will also put DPAs under pressure to take enforcement actions against companies that rely on the SCCs, even though under the GDPR the DPAs do not approve the SCCs and generally will not even know that they are being used. This standard presumably also applies to other appropriate safeguards under Art. 46 (such as BCRs), which will raise the bar for them as well. The judgment will also make it more difficult to reach agreement on a possible adequacy decision for the UK post-Brexit.
The judgment lays out the parameters for the regulation of international data transfers under EU law in the coming years: a standard of protection quite close to that of the GDPR, strong powers for the DPAs to police violations, and increased burdens for both data controllers that transfer data and the parties in third countries that receive them. All of this fits with the Court’s approach in its recent data protection cases.
Having invalidated two Commission adequacy decisions for data transfers to the US (in Schrems I and Schrems II) and a proposed international agreement for airline passenger data transfers to Canada (in Opinion 1/15) within five years, the Court has left in tatters the statement of former European Data Protection Commissioner Peter Hustinx that EU data transfer rules “are based on a reasonable degree of pragmatism in order to allow interaction with other parts of the world” (see p. 43 of the linked document). Rather, it is now clear that essential equivalence with EU data protection law leaves little room for manoeuvre in accommodating third country norms. Depending on one’s point of view, this could be viewed either as a missed opportunity to provide increased global interoperability between data protection systems, or as a necessary step to avoid the circumvention of the standards of the GDPR.
The invalidation of the Privacy Shield also raises questions about how adequacy decisions are negotiated and issued. There is a disconnect between the political pressure to reach an accommodation with the US to which the Commission seems to be subject, and the Court’s insistence on a high standard of data protection, which can be seen in the Commission’s willingness to accept formulations that seem obviously questionable. For example, the Court criticized the fact that US national security requirements were given primacy over the protections of the Privacy Shield (para. 164); given that this was also one of the Court’s main criticisms of the Safe Harbour (see para. 86 of the Schrems I judgment), it would obviously have been advisable for the Commission to avoid agreeing to such language. Greater transparency and accountability in the negotiations might result in the Commission adopting adequacy decisions of a higher quality.
Merely reaching a third agreement with the US that makes minor changes to the Privacy Shield would not be credible or give parties involved in transatlantic data transfers the necessary legal certainty; rather, new approaches and new thinking are needed. One idea could be to develop codes of conduct or certification mechanisms together with enforceable commitments covering US data flows as foreseen under Article 46(2) GDPR. Codes of conduct and certification mechanisms as a legal basis for data transfers have not been approved under the GDPR thus far, but seem worthy of investigation as potentially a new way forward.
The Schrems II judgment is thus a milestone in EU data transfers regulation, but one that raises a number of important questions. The next step will be to see how data controllers, DPAs, and third countries deal with its implications in the coming months and years.