EU-US Privacy Shield Decision is invalid, but standard contractual clauses can in essence be used for EU-US data transfers: Court of Justice’s ruling in Facebook Ireland and Schrems
The Grand Chamber of the Court of Justice has today ruled that EU-US Privacy Shield Decision 2016/1250 is invalid, so that companies transferring large amounts of data from the EU to the US must find a new agreement to do so. However, it has upheld the validity of Decision 2010/87 establishing standard contractual clauses for certain categories of transfers of personal data to processors established in third countries – not finding it in breach of the Charter of Fundamental Rights, and therefore not objecting to the use of contractual clauses as a basis for such data transfers out of the EU (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18)).
This preliminary ruling answers questions referred by the Irish High Court arising from Mr Maximilian Schrems’ (reformulated) complaint (his first complaint having been rejected – Schrems I, C-362/14) to the Irish data protection authorities: he argued that Facebook Ireland Ltd transferred his personal data under standard data protection clauses to servers belonging to Facebook Inc in the US in breach of the GDPR (Regulation 2016/679), because his data protection rights under that EU law were not given the sufficient protection required by Article 45 (in reference to the US mass surveillance regime uncovered by the Snowden revelations in 2013), and that the Irish authorities had an obligation to prevent such transfers.
In its ruling, the Court reaffirmed that Article 2(1) and (2) GDPR applies to transfers of personal data for commercial purposes to an economic operator in a third country, even if that third country may subsequently process that data for public security, defence and State security purposes without being bound by the GDPR.
Standard Contractual Clauses are not a problem in and of themselves as long as effective mechanisms are available and used
The GDPR requires that the level of protection for data subjects for such transfers must be essentially equivalent to that guaranteed within the EU by Article 46(1) and Article 46(2)(c) GDPR, read in the light of the Charter. Assessment of that level of protection must take into account both (i) the contractual clauses agreed between the EU data exporter and the third country recipient of the transfer, and (ii) the relevant aspects of the legal system of the third country that may access the data that has been transferred.
The Court acknowledged that under Article 58(2)(f) and (j) GDPR the supervisory authorities’ obligations in this respect are to suspend or prohibit such transfers of personal data to a third country if there is no valid Commission adequacy decision, and ‘they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer’.
Decision 2010/87 could not be invalidated, according to the Court, merely because of the use of standard contractual clauses (which do not bind the authorities of the third country). It did however state that the decision should include effective mechanisms that allow compliance with EU law to be ensured, and that allow the suspension or prohibition of such transfers if the clauses are breached or impossible to honour.
The Court has found that Decision 2010/87 does establish such mechanisms: prior to transfer, verification must be provided by both the data exporter and recipient that the level of protection is respected in the third country; and the recipient has an obligation to inform the data exporter of any inability to comply with the standard data protection clauses, which would oblige the transfer of data to be suspended, and the contract to be terminated.
EU-US Privacy Shield Decision – US surveillance programmes not compatible with EU law rights
As for the EU-US Privacy Shield Decision 2016/1250, the Court notes that that decision enshrines the position, as did Safe Harbor Decision 2000/520, that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country. The Court holds that the limitations on the protection of personal data arising from US law on access to and use of EU-transferred data by US public authorities are not sufficient to satisfy EU law requirements under the principle of proportionality, as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons.
The Court also noted that those provisions do not enable data subjects to commence legal proceedings based on actionable rights before the courts against the US authorities.
As regards the requirement of judicial protection, the Court holds that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid.