Ex-ante measures regarding data transfers and ex-post enforcement of rights
There is of course a strong will to accept a framework for transfers of personal data to organisations in the U.S. that undertake to comply with certain standards for data processing. However, the committee must take into consideration the reasoning of the European Court of Justice (“ECJ”) in Case C-362/14 (“Schrems I”) where the Court revoked the Safe Harbour decision, and the meaning of an “adequate protection” of personal data as explained in Case C-311/18 (“Schrems II”) where the Court annulled the Privacy Shield decision. As the U.S. legislator has agreed to ensure that all data processing in the context of signal intelligence activities is proportionate and to introduce a new redress mechanism with an independent and binding authority, the European Commission hopes to make it third time lucky.
Although the internet infrastructure does not necessarily know of any geographical borders, the transfer of personal data from the European Economic Area (“EEA”) to legal entities in countries beyond that territory (“third countries”) or to international organisations, shall be suspended if it enables data processing without appropriate rights and remedies for the data subjects. More to the point, personal data may according to Article 44 GDPR be transferred from the EU only in so far as the conditions set out in the provisions of Chapter V GDPR are met. In the absence of an implementing act, which in accordance with Article 45 GDPR confirms that “the third country, a territory or one or more specified sectors within that country, or the international organisation in question ensures an adequate level of protection”, the data can be transferred if an appropriate safeguard is adopted pursuant to Articles 46-47 GDPR. Most importantly, the “exporter” and “importer” may exchange personal data without authorisation in each individual case from a data protection authority (“DPA”) if they implement the Commission’s standard contractual clauses or adopt appropriate corporate rules. Furthermore, a DPA may authorise data transfers based on negotiated contractual clauses.
In case no adequacy decision or appropriate safeguard has been adopted, the personal data uploaded in the EU may only be “transferred” with “consent” of the data subject concerned unless the transfer is considered “necessary” pursuant to the criteria enshrined in Article 49 GDPR. Evidently, the GDPR is underenforced in the Union and the EU data subjects are in many instances unaware of what personal data is retrieved by legal entities in third countries. Nonetheless, transfers of data from the EU without legal frameworks adopted in advance entails a risk that compliance with the “consent” or “necessity” requirements will be challenged repeatedly without a presumption that the processing entities abide by appropriate standards. Whereas big business may have the necessary resources to adopt own safeguards for data transfers, many “exporters” in the EU are unable to set up and maintain a transfer regime. Furthermore, the substantive and procedural rights established by the appropriate safeguards may be conditioned on the fact that third country law measures up to certain standards. Indeed, the main reason why the European Commission negotiates frameworks for data transfers is to promote the Union’s concepts of fundamental rights relating to data processing in accordance with primarily Articles 2, 3(5) and 21 of the Treaty on European Union (“TEU”), and the Charter of Fundamental Rights of the European Union (“the EU Charter”).
A framework for data transfers negotiated by the European Commission can be approved only in so far as it confirms that the third country legal system encompasses rights and remedies that are “essentially equivalent” to those available within the territorial scope of the GDPR. For instance, the Safe Harbour- and Privacy Shield decisions manifested that the U.S. legislator had taken adequate normative measure applicable to the legal entities listed in an appendix. Moreover, the adequacy decisions confirmed that DPAs in the EU should suspend data transfers if a U.S. authority had established an infringement and introduced notification mechanisms. As organisations overseas have much to gain from seamless access to personal data from the Union, and data “transfers” are pivotal for international trade, the third country legislator may agree to change domestic law and afford the organisations a self-certification system. However, a generally applicable decision that establishes ex-ante that EU data subjects enjoy an adequate level of protection under third country law is inapplicable per se when deciding ex post facto whether a given processing has infringed the rights of the data subject. In other words, an implementing act that confirms the adequacy of data protection in third country law must not deprive the EU data subjects of access to justice in the individual case. That would be contrary to the right to an effective remedy and to a fair trial under Article 47 of the EU Charter as particularised in internal EU-law and promoted in external relations. Questions may arise as to whether a case is to be decided by a DPA in the EU or by authorities in the third country, but it must be tried in accordance with one legal system or the other.
As the “exporter” is per definition in an EU Member State, the GDPR applies without reservation. An EU Regulation is directly applicable across the Union and the substantive scope of data protection is the same for all kinds of processing within the territorial scope of the GDPR, albeit special rules may apply to certain data, data subjects or “controllers” and “processors”. Indeed, to afford data subjects but “essentially equivalent” legal rights in intra-EU cases when data has been retrieved overseas would sit uncomfortably with the rule of law. Even if third country law provides an “essentially equivalent” level of protection, the rights and remedies in that system may differ in nature and scope from those applicable in the Union. Hence, an adequacy decision has bearing only on processing by “importers” in the third country concerned and on onward transfers from the “importer” to other organisations overseas. When it comes to infringement cases brought in a third country, it can be argued that third country law does not provide the rights and remedies referred to in an adequacy decision. However, these cases are decided in accordance with available rights and remedies in that legal order and the adequacy decision by the European Commission is but a matter of fact.
There seems to be a widespread misunderstanding about the nature of an approved adequacy decision. In the main proceeding resulting in the Schrems I ruling the Irish DPA had rejected the complaints lodged by the Austrian citizen about the transfers of his personal data from Facebook Ireland Ltd to Facebook Inc. because of the mere existence of the Safe Harbour decision. Also, the ECJ treated the adequacy decision as substantive law at least implicitly when assessing the validity of the implementing act instead of explaining the data subject’s rights. As the ECJ considered the possibility to review the legality of implementing acts to be an overriding objective, the Court recognised a duty for national courts to refer questions about the validity of adequacy decisions under Article 267 of the Treaty on the Functioning of the European Union (“TFEU”) in cases concerning infringements of the rights of data subjects. Hence, in Schrems II, it was the Irish DPA that brought actions against the Austrian citizen, and the Irish court stopped the proceedings and referred questions about the validity of the Privacy Shield decision in accordance with the procedural rules explained in Schrems I. However, the transformation of individual infringement proceedings within the territorial scope of the GDPR into revocation proceedings regarding adequacy decisions is far from convincing. Because, the same rules apply to legal entities within the territorial scope of the GDPR irrespective of whether an adequacy decision regarding third country law is valid or not. Arguably, the references for preliminary rulings in both Schrems cases should have been declared inadmissible and there is at least a need to clarify why the ECJ focused only on the validity of the adequacy decisions without at all addressing the substantive rights of the data subject.
In this article, three aspects of the preliminary rulings in the Schrems I and II cases will be scrutinised. First of all, what is the relationship between the territorial scope of the GDPR and the applicability of an implementing act regarding the protection of personal data in a third country? Secondly, if accepting that the GDPR applies without reservation in intra-EU cases, why would an EU data subject invoke “essentially equivalent” rights under third country law? Thirdly, why did the ECJ accept the Schrems I and II cases and elaborate on the validity of the adequacy decisions instead of simply considering the questions referred to be hypothetical? In the light of the answers to these questions, some words can be said about the importance of the envisaged adequacy decision on U.S. law and the need to get it right this time.
What is the relationship between the territorial scope of the GDPR and the applicability of an adequacy decision?
According to Article 3(1) GDPR, the substantive obligations laid down in the Regulation apply “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Furthermore, the Regulation applies directly when data subjects in the Union are monitored or when commercial offers are directed to them pursuant to Article 3(2) GDPR. There are good reasons for not taking the location of the dedicated servers into account when determining whether a given processing is subject to intra-EU data protection law. It would otherwise be too easy for undertakings in the Union to circumvent their obligations. Indeed, the location of data at a given moment is even more inappropriate as a criterion for establishing jurisdiction. For instance, the undertakings within the Facebook business group (nowadays Meta Platforms Inc.) have traditionally stored most of the data regarding EU data subjects in Singapore. If the territorial scope of the GDPR would have been determined by the location of data, the “transfer” of personal data uploaded in the Union and retrieved from the Tajong Kling data centre when downloaded in the U.S. would have escaped the jurisdiction of the EU-institutions. Moreover, considering the development of the internet and the transition from cloud computing to edge computing, it will become even more difficult to establish the location from where data is downloaded. Then again, neither the location of the dedicated servers, nor of the data, is relevant when determining whether a processing activity has taken place within the territorial scope of the GDPR. EU law applies if data is processed in the context of the activities of an EU-establishment of the controller or processor.
It stands to reason that the European Commission can negotiate and conclude agreements regarding data transfers with a third country only in so far as the processing is expected to take place within the EU-institutions’ jurisdiction, i.e. within the territorial scope of the GDPR. At the same time, the Commission’s competence to take measures ex ante may seem to create a norm conflict when a data subject challenges the transfer of personal data ex post facto. On the one hand, the GDPR should apply directly within the territorial scope of the Regulation. On the other hand, the “exporter” and “importer” should be able to rely on the decision by the Commission to clear the limitations and safeguards adduced in third country law. Perhaps, the tension could be resolved by treating data “transfers” as a separate category of “processing” that is exempted from the general standards for data protection within the Union? Indisputably, the answer to that question is “no” in a lexical construction of the GDPR. Pursuant to Article 4(2) GDPR, “processing” of personal data means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as […] use […], dissemination or otherwise making available […]”. Since “use” of data is a broad concept and “making available” can be the same thing as “exporting” from a technical point of view, directly applicable provisions such as Article 6 GDPR can be invoked by a data subject also when data is “processed” in terms of “transferred”. Indeed, the fundamental rights enshrined in primarily Articles 7, 8, 47 and 52 of the EU Charter, are given same legal effect by the directly applicable provisions of the GDPR with respect to all kinds of data “processing” within the territorial scope of the Regulation.
As a decision regarding the adequacy of limitations and safeguards adduced in third country law is inapplicable per se when deciding a case ex post facto, the reliance on such an implementing act would suggest that third country law applied instead of EU law in the Union. Although there might be overlapping jurisdictions in cyberspace, the DPA in an EU Member State must not substitute the Union rights with rights and remedies in third country law. True, a self-certified organisation may, pursuant to an adequacy decision, accept the authority of the DPA in an EU Member State with regard to the application of third country law. But that is relevant only in so far as the organisation has no affiliated EU-establishment that would bring the assessment of the given processing within the territorial scope of the GDPR. In a systematic analysis, internal EU law must apply within the territorial scope of the GDPR.
Unlike an adequacy decision, safeguards based on Articles 46-47 GDPR apply as substantive law. For instance, the European Commission’s standard contractual clauses or binding corporate rules regulate the behaviour of the parties concerned along the lines of pacta sunt servanda. However, that does not imply that contractual arrangements override fundamental rights for data subjects as particularised by the GDPR within the territorial scope of the Regulation. It follows from basic contractual principles that the “exporter” and “importer” of personal data cannot contract away the full effect of these rights of the data subject in the Union. Hence, it is clarified in Clause 2(b) of the Commission’s standard contractual clauses that they are without prejudice to obligations to which an entity is subject by virtue of the GDPR. Whereas data subjects may benefit from clauses which they can invoke against the contracting parties, those parties cannot avoid obligations by agreements applicable inter partes.
In fact, the EU legislator has clarified how to deal with false norm conflicts regarding data protection. Article 44 GDPR ensures system-coherency by establishing that the provision in Chapter V of the Regulation shall “be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.” Correspondingly, Article 2 of both the Safe Harbour- and Privacy Shield decision established that the frameworks did not affect the application of the DPD preceding the GDPR (with only some legal-technical exemptions). Particularly provisions defining the territorial scope of EU law should be left unaffected. Furthermore, paragraph 2 of Annex 1 to the Safe Harbour decision stated that the principles to which the self-certified U.S. companies and organisations adhered could not be used as a substitute to EU rules “that apply to the processing of personal data in the Member States”. Similarly, Recital 15 of the preamble to the Privacy Shield decision elucidated that the listed principles “apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation.”
It is difficult not to arrive at the conclusion that it was an error in law to apply an adequacy decision instead of internal EU law in the proceeding that resulted in the Schrems I and II cases. However, in the wake of the two Schrems rulings the EDPB issued its draft guidelines 5/2021 “on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, which are anything than clear on that point. According to the EDPB, “controllers and processors whose processing is subject to the GDPR pursuant to Article 3 always have to comply with Chapter V of the GDPR when they disclose personal data to a controller or processor in a third country or to an international organisation”. According to paragraph 7 of the guidelines, the EDPB has identified “three cumulative criteria that qualify a processing as a transfer”: 1) A controller or a processor is subject to the GDPR for the given processing; 2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); 3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3. In paragraph 24 of the guidelines, the EDPB concludes that “if the criteria as identified by the EDPB are not met, there is no data ‘transfer’ and Chapter V of the GDPR does not apply.”
Indisputably, Chapter V of the GDPR applies to processing activities classified among “transfers” in so far as the chapter contains various legal bases for opening the doors to EU data. If an implementing act regarding data “transfers” to a third country has been adopted, the act can later on be revoked if not all the criteria enshrined in Article 45 GDPR have been met. Similarly, if the “exporter” and “importer” have adopted appropriate safeguards, the DPA in the Union has no duty to assess in each individual case whether the processing is allowed. Nonetheless, also these safeguards can later on be reviewed and declared null and void. If there is no adequacy decision or appropriate safeguard, the DPA must establish before the transfer that the data subject has “consented” to the processing or that it is “necessary”. These criteria mirror those applicable in infringement cases brought after the transfer. It is, of course, questionable to what extent a DPA can assess and establish ex-ante whether there are appropriate safeguards or individual justification grounds for all data transfers. However, that is the state of the law according to the provisions in Chapter V of the GDPR.
What complicates things is that the guidelines are centred around the nature of a “given processing” and the idea that “transfers” require a special analysis in cases brought ex post facto. Since adequacy decisions and appropriate safeguards are intended to deliberate DPAs from a duty to casuistically assess whether data can be shared with legal entities overseas, the nature of each given processing is relevant under Chapter V of the GDPR only when the authority needs to determine whether derogations can be made from the requirement for a transfer regime and “consent” or “necessity” justifies the processing pursuant to Article 49 GDPR. Then again, the ex-ante assessment must not preclude assessments of transfers ex post facto. Chapter V of the GDPR is silent on the rules and procedures that apply in infringement cases, and it is therefore far from convincing that the EDPB states in paragraph 2 of the guidelines that “[w]hen personal data is transferred and made accessible to entities outside the EU territory, the overarching legal framework provided within the Union no longer applies.”
There are some passages in for instance paragraph 23 of the guidelines regarding Article 3(2) GDPR, that seem to rectify the false assumption that the “transfer” of data constitutes a kind of processing that is subject to separate rights and procedures within the territorial scop of the Regulation. However, the examples given in the guidelines and the reasoning that shifts between ex-ante adequacy decisions and ex post facto assessments reveal a confusion of concepts. Whereas Article 45 GDPR provides the legal basis for the Commission to adopt adequacy decisions in accordance with the comitology procedure, it cannot be invoked casuistically to determine whether a “given processing” has infringed the rights of a data subject. Neither can the Commission clear all future processing activities classified among “transfers” when assessing the adequacy of the level of protection in a third country pursuant to Article 45(2), nor can it be required to assess that level of protection in each individual case. If the reference to “Chapter V of the GDPR” in the guidelines implies that controllers and processors shall substitute substantive rules such as Article 6 GDPR with the legal basis for an adequacy decision enshrined in Article 45 GDPR, the EDPB simply mixes apples and pears.
If instead the reference to “Chapter V of the GDPR” implies that controllers and processors shall comply with an adequacy decision adopted on the basis of Article 45 GDPR, it would as mentioned mean that the limitations and safeguards adduced in the system of a third country should apply instead of EU law and override the GDPR within the territorial scope of the Regulation. That is incompatible with the direct applicability of a Regulation in the Member States. Indeed, such a qualification of fundamental rights within the territorial scope of the GDPR must be called into question even if the legal system concerned provides a level of protection which is “essentially equivalent” to that afforded data subjects under internal EU law. What could justify a ban on invoking substantive EU legislation for data subjects in the Union if they had to accept but an “essentially equivalent” level of protection in third country law? It would be a systematic anomaly to treat the act of transmitting or making personal data available to legal entities in third countries in a different way than other data processing in the Union. Indeed, that would to some extent undermine the substantive rights laid down by the GDPR within the territorial scope of the Regulation, contrary to the letter of Article 44 thereof. In a system-coherent construction of EU law that ultimately the ECJ is required by the Member States to ensure pursuant to primarily Articles 13 and 19 of the TEU and Article 7 of the TFEU, the EU data subject is entitled to invoke directly applicable provisions of the GDPR before DPAs and courts without any restrictions within the territorial scope of the Regulation. Hence, to substitute directly applicable provisions of the GDPR with third country law or contractual arrangements within the territorial scope of the Regulation is unacceptable.
Why would an EU data subject invoke “essentially equivalent” rights under third country law?
Considering the broadly defined territorial scope of the GDPR and the fact that all processing of personal data by the controller or processor in a third country is caught by the Regulation as soon as the legal entity has an affiliated establishment in the Union, there is often no need for the EU data subject to seek redress against an organisation overseas under third country law. For instance, in the Schrems I and II cases the “importing” organisation Facebook Inc. had a daughter company in the Union, namely the “exporting” organisation Facebook Ireland Inc. Hence, Mr Schrems was in a lexical and systematic construction of the GDPR entitled to invoke the directly applicable provisions in the Regulation against both the “exporter” and “importer”. Indeed, the Irish DPA had a duty to give effect to the relevant fundamental rights enshrined in the EU Charter as particularised in the directly applicable provisions of the GDPR. Although data transfers from Facebook Ireland Inc. to Facebook Ltd. were prima facie allowed without an individual decision due to the consecutive adequacy decisions, the data subject was entitled to a factual assessment of the transfers of his personal data ex post facto.
In the proceedings relating to the Schrems I and II cases the Irish DPA could exercise its extensive powers established by Article 58 GDPR in relation to both of the Facebook companies. Hence, the DPA could ban or suspend data transfers from a European Facebook account. However, it may be difficult to technically separate information about one data subject from information about another data subject that may have nothing against the data “transfer”. If for instance the complaining individual and other data subjects appear in the same photograph it may not be possible to separate their data even if using advanced artificial intelligence. In the best of worlds, the data transfers are in accordance with valid adequacy decisions or appropriate measures and the filters are calibrated to EU law and third country law. Nonetheless, a data subject is always entitled to an assessment of data transfers ex post facto.
In addition to preventing future data transfers, the data subject may seek compensation for damages. In that connection, access to rights and remedies in a third country becomes more important. If the data “exporter” is an individual or a micro-, small- or even medium sized enterprise, and the “importer” is a big business it may be worthwhile challenging the foreign organisation before authorities and courts overseas. There may also be linguistic, logistic or information barriers and so on for the EU data subject to enforce the rights in a Member State. Since anyone who is in the Union at the time when the data regarding her or him is processed is an EU data subject, third country residents may enjoy the same rights as EU residents. For instance, a U.S. citizen who is monitored by U.S. authorities when on holiday in Germany, may prefer to seek redress against these authorities upon her or his return to the U.S. In all these cases the given processing is caught by Article 3(1) or (2) GDPR and it could, therefore, be argued that the authorities and courts overseas should directly apply the GDPR. Substantive rights recognised in one legal system can in many instances be invoked also in forums provided in another legal system in accordance with private international law principles. However, in the same way as DPAs and courts in the Union must not substitute the substantive rights laid down by the GDPR with third-country law, authorities and courts in third countries are unlikely to give EU law precedence over domestic law in case of a norm conflict. In these situations, the EU data subject benefits from the principles enshrined in an adequacy decision that ensure “essentially equivalent” rights at least vis-à-vis self-certified organisations.
There are also situations where the processing of personal data regarding EU data subjects entirely escapes the territorial scope of the GDPR and, hence, the overall applicability EU law. If, for instance, the “exporting” legal entity does no longer exist because of a business reorganisation or bankruptcy, and the “importer” has no other EU-establishment, the only way for the EU data subject to seek redress would be to file a complaint under third country law. Furthermore, an alleged infringement may take place after onward transfers of the data to an organisation that does not have an EU-establishment or other link to the Union that brings the processing activity within the territorial scope of the GDPR pursuant to Article 3 thereof. Whereas a self-certified “importer” can be held liable pursuant to the adequacy principles, the implementing act may be an empty blow against organisations further down the road. For instance, the Safe Harbour- and Privacy Shield decisions did not ensure an adequate protection against U.S. intelligence services retrieving data from companies in the Facebook group. That is why the new adequacy decision on the U.S. must reach beyond self-certified “importers” and ensure that processing in the context of signal intelligence activities is proportionate. In that regard, the new implementing act may be relevant in ex post facto cases. Then again, the declaration ex-ante that the legal system in a third country provides sufficient safeguards, is inapplicable per se when the EU data subject seeks redress ex post facto. Although the data subject can rely on the adequacy decision and require that authorities and courts in the third country abide by the adequacy principles, those authorities and courts apply the substantive and procedural rules in that system as opposed to the adequacy decision.
Why did the ECJ accept the Schrems I and II cases and elaborate on the validity of the adequacy decisions?
During the proceeding before the ECJ that resulted in the preliminary ruling in Schrems I, several EU Member States intervened and questioned the competence of a national DPA to assess the validity of an adequacy decision in order to determine whether data transfers are allowed. Probably, the fact that the data subject questioned the validity of the Safe Harbour decision lead many good lawyers astray which resulted in a debate about the implementing act. It was a widely held view that the Irish authority had no other choice than to accept the data transfers since the Commission had declared that U.S. law provided adequate data protection. If instead accepting the complainant’s arguments that the “transfer” constituted an infringement would require the Irish DPA to assess the validity of the Commission’s decision. That would be contrary to the basic principle of subsidiarity the amicus curiae feared.
Obviously, the decision by a national authority or court in a case concerning “transfers” of personal data brought by a data subject ex post facto can, as any authoritative decision, set a precedent. Instead of focusing on the rights of the data subject in the case at hand, the authority or court may therefore be inclined to assess the legal framework for data transfers in general. Then again, it is an error in logic to apply an adequacy decision casuistically ex post facto. If there is an adequacy decision regarding a third country, the DPA must in the individual case apply either EU law or the system for data protection that has been declared adequate. Since fundamental rights such as those enshrined in Articles 7, 8 and 47 of the EU Charter apply as particularised by the directly applicable provisions in the GDPR without reservation within the territorial scope of the Regulation, a national DPA in the Union must apply third country legislation only in the rare case where an “importing” organisation overseas which has neither an establishment in the Union, nor has monitored or targeted EU data subjects, invokes the possibility in an adequacy decision to have cases tried before that DPA. Conversely, the existence of an adequacy decision is immaterial when an EU DPA decides a case concerning the processing of personal data within the territorial scope of the GDPR.
It is easily believed that the rigorous protection of personal data “in the Union” is relaxed when personal data is “transferred” at least to a third country that is covered by an adequacy decision. Are not normative compromises a prerequisite for worldwide interconnectivity online? Well, for the better or worse the EU legislator has taken another strategic approach to the different views on fundamental rights around the world namely to promote its legal standards. People in the Union shall, as far as possible, enjoy the same rights in cyberspace irrespective of whether their personal data is processed by legal entities in a Member State or not. Conversely, authorities and courts in the Union must pursuant to Article 44 GDPR avoid undermining the EU privacy rights by way of applying third country law within their jurisdictions. Nonetheless, the ECJ found it opportune to clarify the system for review of adequacy decisions in Shrems I and explain the meaning of “essential equivalent” in Schrems II.
It is true that the questions referred to the ECJ by the Irish court in Schrems I concerned only the validity of the Safe Harbour decision, but the ECJ should (or must) reconstruct questions referred for a preliminary ruling and even make digression from them in order to provide answers that are useful for the national court when deciding the case on the facts in the main proceedings. Nonetheless, the ECJ explained Schrems I that if questions are raised about the validity of an adequacy decision, the DPA must bring actions before a national court that in turn has to refer questions about validity to the ECJ in case the doubts are considered well-founded. That was of little help for the referring court as well as for any authority or court in the Union that must decide whether a given processing has infringed the rights of a data subject. Similarly, the answers provided in Schrems II to the questions referred by the same Irish court regarding the validity of the Privacy Shield decision were of little help for national authorities and courts in the EU seeking to establish whether a data subject’s rights have been infringed. Indeed, the outcome of the legal actions by Mr Schrems remains unclear as to this day.
So why did the ECJ venture down the road to transform individual complaints into revisions of Commission decisions instead of dismissing the questions referred in Schrems I and II as hypothetical? Only a systematic analysis of constitutional EU law can explain this procedural artifice. When it comes to the validity of a generally applicable decision adopted by the European Commission pursuant to Article 291 TFEU such as an adequacy decision, it can be revoked only by the ECJ, and typically pursuant to the procedure laid down in Article 263 TFEU. All the main EU-institutions and the Member States may bring such direct revocation proceedings. By contrast, the ECJ has never recognised a right for private parties to challenge generally applicable legal acts albeit the letter of the provision does not entirely prevent such standing. Hence, this route to review of an adequacy decision is not available for an activist such as Mr Schrems or his friends in the Austrian organisation None of Your Business (“NOYB”). That could in turn entail a rule of law problem since the EU-institutions and Member States involved in the comitology process that results in the approval of an adequacy decision may be reluctant to bring revocation proceedings regarding the very same adequacy decision. Whereas there is a risk that EU acts which are incompatible with the fundamental rights enshrined in the EU Charter remain in force, the ECJ must avoid opening the floodgates and allow each and everyone in the Union to challenge the validity of all Union acts. This procedural dilemma that has to some extent been remedied by the possibility for the ECJ to assess the validity of a legal act that is applicable in the main proceedings in response to questions referred by the national for preliminary rulings pursuant to Article 267 TFEU.
Article 267 TFEU states that a court of a Member State may, “if it considers that a decision on the question is necessary to enable it to give judgement request the Court to give a ruling thereon.” If the questions concern a legal act that the ECJ considers to be incompatible with primary EU law including the EU Charter, the Court can revoke the act in the preliminary ruling. For instance, in Joined Cases C-293/12 and C-594/12 the ECJ revoked the data retention directive in response to questions regarding the meaning of some provisions of the act. However, such an indirect revocation procedure requires that the act is applicable in the main proceedings and clarifications are needed for the national court to decide the case on the facts. As mentioned, the adequacy decisions which were revoked by the ECJ in the Schrems I and II cases were inapplicable per se in the infringement proceedings brought by the EU data subject. Hence, the ECJ probably exceeded its jurisdiction when revoking the adequacy decisions. Questions referred from national courts in cases regarding the assessment of a given processing ex post facto must not result in the indirect revocation of an adequacy decision.
What complicates the preliminary rulings in the Schrems I and II cases even more is that the ECJ overstretched the meaning of Article 267 TFEU by translating the right to refer questions for preliminary rulings if the national court finds it necessary, into an obligation to submit questions. There is a limit to how far the ECJ can bend the law without breaking it and teleology cannot justify the setting aside of Treaty provisions whether the objective is to uphold the fundamental right to data protection or the more complex task to ensure system-coherency. Indeed, a lexical construction applies a fortiori to provisions in international agreements that set up a Court and defines the competences of that Court to interpret the agreements. In the EU system of checks and balances the ECJ has the last word, but the Court should be vigilant about political aspects of reinterpreting the powers conferred on it by the Treaties. It is at some level understandable that the ECJ ceased the opportunity in the Schrems cases to make certain that the validity of adequacy decisions can be assessed, particularly as the Safe Harbour- and the Privacy Shield decisions were deemed to be inadequate. However, to ensure systematic consistency by indirect revocation of adequacy decisions at the expense of the basic principle of conferred powers, can do more harm than good.
At the end of the day, the Member States have given themselves as well as the main EU-institutions including the European Parliament powers to challenge acts under Article 263 TFEU. There is no other way for the ECJ to assess the validity of an adequacy decision unless the existence of such an implementing act is relevant for the outcome of the main proceedings and questions for preliminary rulings have been referred pursuant to Article 267 TFEU. As mentioned, that is the case only when an EU data subject brings legal proceedings overseas. However, a third-country court that decides a case in accordance with the principles laid down in an adequacy decision cannot refer questions at all for preliminary rulings since that is according to Article 267 TFEU an option only for national tribunals and courts in the Union. Hence, the objective to assess the validity of implementing acts can neither justify the acceptance of hypothetical questions for preliminary rulings nor that Treaty provisions are disregarded.
Arguably, Article 263 TFEU provides a useful tool to ensure that adequacy decisions fit the bill. If one or more DPAs in the Union perceive problems with an adequacy decision, the national Governments should listen to their expert authorities and test the validity of the legal act. True, the Member States are represented in the committee that approves an adequacy decision. But they shall ensure that people within their jurisdictions can enjoy an adequate protection. In contrast, the EU system is not designed to give activists a right to challenge EU acts.
A look ahead
In the light of all the aforementioned, the relevance of the envisaged new adequacy decision on the U.S. is of less importance to the individual data subject than what appears from the debate. Personal data can be transferred to third countries with or without an implementing act and the duties for “exporting” entities in the Union are the same irrespective of whether the EDPB and the Member States have approved such an ex-ante measure by the European Commission. However, in the absence of a categorical clearance of the legal system for data protection in a third country and other appropriate safeguards, the DPA in the Union must ensure ex ante that the transfer can be justified by “consent” or “necessity” in each individual case. It is of course much to ask of a DPA to keep track of where all the data exchanged in the interconnected computer networks is uploaded and downloaded, if it is a realistic task at all. Hence, the Union seeks to as far as possible relocate the responsibility to the processing entities and preferably to internet giants such as Meta Platforms Inc. that develop the internet infrastructure. Within the territorial scope of the GDPR, the “exporters” and “importers” of data are encouraged to implement the Commission’s standard contractual clauses, adopt binding corporate rules or make other contractual arrangements pursuant to Articles 46-47 GDPR. Because, without such appropriate safeguards there is a risk that the “transfers” are suspended.
Although the idea of the DPA as a “post office” that decides whether or not to send packages of personal data to organisations overseas is antiquated, each supervisory authority has a wide range of investigative powers pursuant to Article 58 GDPR including the banning of “transfers”. It is possible for a lead DPA to prevent access to data from an online location until appropriate safeguards have been adopted, albeit only technology can ultimately set the limits. Having said that, things get much easier if a framework for data “transfers” that the European Commission has negotiated is approved in accordance with the comitology procedure. Most likely, the committee that currently evaluates the envisaged new adequacy decision on the U.S. will take on board the message that was clearly conveyed by the ECJ in Schrems I and II, namely that essentially the same level of protection as that provided in internal EU law is required for a third country data protection system to be categorically cleared. In the press releases regarding the new framework for data transfers to the U.S., access to justice and proportionality when assessing the legality of onward transfers are highlighted.
Having said that, it cannot be emphasised enough that a framework for data transfers adopted ex-ante cannot be invoked by data subjects as substantive law in infringement cases ex post facto. Moreover, EU data subjects are likely to resort to the U.S. system for data protection in accordance with the envisaged adequacy decision instead of relying on EU law only on rare occasions. Indeed, the EU data subject can in most instances invoke the fundamental rights relating to data protection as particularised by the directly applicable provision in the GDPR without any reservation also when the “given processing” is classified among data “transfers”. Since the assessment ex post facto of whether data protection rights have been infringed within the territorial scope of the GDPR is unaffected by the new adequacy decision, the ECJ should avoid developing the procedural doctrine explained in the Schrems cases. Questions about the validity of an adequacy decision are hypothetical and should be dismissed in so far as the implementing act is inapplicable as law per se in the main proceedings. In fact, the ECJ must be careful not to undermine its authority by disregarding Treaty provisions that circumscribe its powers in the name of teleology and system-coherency.
It is a good thing for the EU data subject that the European Commission is forced to maintain Union values pursuant to Articles 2, 3(5) and 21 TEU including fundamental rights when negotiating and concluding agreements regarding frameworks for data protection with third countries. From an international trade point of view, it may be tempting to pave the way for seamless data transfers with third countries that mainly share the same values, even if there are loopholes that give foreign authorities extensive access to information about people in the Union. However, that is exactly what activists such as those in the organisation NOYB react strongly against, and rightfully so according to the preliminary rulings in the two Schrems cases. Notably, the EU Member States should be careful not to undermine the Union’s values. It can be difficult for the members of a committee that evaluate an adequacy decision to understand the consequences of including and omitting principles, but when a lead DPA raises serious doubts about the implementing act it is better challenged under Article 263 TFEU. Indeed, the ECJ could be criticised for turning the right of national courts to refer questions for preliminary rulings under Article 267 TFEU into a duty only in so far as other EU-institutions and the Member States shoulder their responsibilities in the system of checks and balances and bring direct revocation proceedings if required against an allegedly illegal act. Hopefully, however, there will be no need to challenge the new adequacy decision on the U.S.