Schrems and the future of EU-US data transfers (or lack thereof…)
Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it.
I am a lecturer at Santa Clara Law.
You can call me L.
I don’t know how this whole Big Bad Schrems thing got started, but it’s all wrong.
Maybe it is because his case brought down Safe Harbor and Privacy Shield. Hey, it’s not his fault nobody told him Facebook relied on SCCs for exports to the US. If you believed Facebook relied on Safe Harbor, you would have included it in your complaint too.
Like I was saying, the whole Big Bad Schrems thing is all wrong.
The real story is about a guest lecturer, a persistent activist, a famous whistle-blower, and a friend of mine who let us all down when it mattered most.
This Is the Real Story…
Max Schrems wisely decided to attend one of Santa Clara Law School’s core privacy certificate classes: Prof. Glancy’s Privacy Law class.
Glancy regularly invites Silicon Valley privacy professionals to be guest speakers at her class. That year she invited Ed Palmieri, who at the time was Privacy Associate General Counsel at Facebook.
Schrems listened to Palmieri’s lecture on privacy and, well, found it all wrong. So he tried to explain to Palmieri how things are supposed to work in Europe and a discussion ensued.
Guess who else was perching in that class?
Yes, my friend and now successful Oakland based privacy-pro.
I won’t name names here but you should follow her on Twitter because she is hilarious.
That Oakland bluebird had a golden opportunity right there to save US privacy-pros a lot of work by persuading Mr. Schrems to pursue a career in hair-styling (Yes Max, we all are dying to know more about your morning hair routine.)
She evidently failed us.
Schrems decided to write his term paper on Facebook’s lack of awareness of European law (and no, I do not know what grade the paper got and, even if I knew, I could not tell you because of FERPA.)
The rest, as they say, is history.
“[…] the interpretation of EU law and examination of the legality of EU legislation must be undertaken in the light of the fundamental rights guaranteed by the Charter”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶99)
Max returned to Austria after writing his paper and was in Europe in 2013, when a famous whistle-blower then working for the CIA (Edward Snowden) blew the cover on US National Security Agency (NSA) surveillance by leaking highly classified information.
This must have been the straw that broke the camel’s back, because on June 25th of that same year Schrems filed a complaint with the Irish Data Protection Commissioner (the “Commissioner”).
In essence, Schrems asked the Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States because, in doing so, Facebook, he argued, exposed his data to US surveillance in violation of EU law.
The underlying data protection principle Schrems relied on has been embedded in EU data protection law since the 1973 CoE Resolution (Resolution (73) 22). It boils down to this: personal data subject to EU data protection law must be treated to EU standards (a.k.a. “essential equivalence”) after being exported or not be exported at all.
“When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information.”
Recital 116 of GDPR
Schrems assumed at the time that Facebook was relying for exports on the EU-US Safe Harbor Decision 2000/520/EC (an executive decision made by the European Commission in 2000.) It turned out Facebook relied on SCCs, but Schrems would not find out until years later (although the record is not entirely clear so perhaps Facebook relied on both?).
The Irish Data Protection Commissioner was not entirely thrilled to receive Mr. Schrems’ complaint.
It described it as “frivolous and vexatious” and argued that, if Facebook was relying on Safe Harbor (an adequacy decision by the European Commission), the Commissioner lacked the authority to ban the transfer even if the allegations were true.
Indeed, the European Commission is the EU authority responsible for investigating and making findings as to whether a third country or territory meets adequacy (e.g. Safe Harbor and Privacy Shield) and a Supervisory Authority cannot overrule such finding.
And, yes, if you are starting to suspect by now that Safe Harbor may still be “safe” today had Facebook or the Irish Commissioner told Schrems in 2013 that Facebook actually relied on SCCs for exports, you are getting this story right.
“[…] a Commission adequacy decision is, in its entirety, binding on all the Member States to which it is addressed and is therefore binding on all their organs in so far as it finds that the third country in question ensures an adequate level of protection and has the effect of authorising such transfers of personal data”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶117)
Schrems must have had more faith in the powers of the Irish Commissioner than the Irish Commissioner itself, because he contested their position before the Irish courts. The question eventually made its way up to the CJEU, which led to Schrems I in 2015, the decision that made Safe Harbor “unsafe”.
In Schrems I the CJEU pointed out that the European Commission had not done its homework when approving Safe Harbor (there were no findings on the record regarding US surveillance) and that, in any event, no export framework can pass EU muster where (i) the exported data is subject to “legislation permitting public authorities to have access on a generalised basis” (which would violate Art. 7 of the EU Charter of Fundamental Rights (CFR), the right to private life) and/or (ii) data subjects have no real remedy (which would violate Art. 47 CFR, the right to an effective remedy).
“Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.”
C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 88)
In November 2015, just as Mr. Schrems was buying his plane ticket back to Austria to celebrate Schrems I, the Irish Commissioner informed him that the CJEU decision in Schrems I was actually irrelevant to his original complaint. It turned out Facebook relied on Standard Model Clauses (approved by Decision 2010/87 of the European Commission, ‘the SCC Decision’) for its exports and not on Safe Harbor.
Apparently, the Irish Commissioner did not feel compelled to disclose this information to Schrems before the case was decided (despite receiving it from Facebook in an email response to the complaint back in 2013, according to the article posted by noyb on the case; see the link to it in the resources below).
Mr Schrems went back to the drawing board and amended his complaint to include the SCCs and (for good measure) any other legal basis for data transfers that could be relied on by Facebook.
He filed the complaint with the DPC on December 1st of 2015, requesting again the suspension of Facebook Ireland data transfers to the US.
“In the present case, in essence, Mr Schrems requested the Commissioner to prohibit or suspend the transfer by Facebook Ireland of his personal data to Facebook Inc., established in the United States, on the ground that that third country did not ensure an adequate level of protection.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶159)
Meanwhile in Brussels, with Safe Harbor gone, the European Commission accelerated its ongoing conversation with the US Department of Commerce to speed up the approval of a new framework for EU-US transfers. The conversations were fruitful and ultimately led to Adequacy Decision (EU) 2016/1250 (‘the Privacy Shield Decision’).
Back in Ireland, after receiving Schrems’ updated complaint, the Irish Commissioner got busy conducting an investigation into Facebook’s transfers and US surveillance and, on May 24, 2016, published a ‘draft decision’ summarizing its findings.
The findings were not good for Facebook.
The Commissioner took the provisional view that the personal data of EU citizens transferred to the United States was likely to be “consulted and processed” by the US authorities in a manner incompatible with the European fundamental rights to privacy and to data protection (Articles 7 and 8 of the EU CFR), and that US law did not provide those citizens with legal remedies compatible with Art. 47 of EU CFR.
It also found the SCCs were likely not capable of remedying that defect, since they confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities responsible for the surveillance.
“…the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements…”
C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 47)
Once again, the Irish Commissioner took the view that it was up to the Courts to invalidate the transfer. (See my comment above on who gets to suspend what under EU law: for adequacy, the European Commission and the Courts; for transfers done under safeguards, any Supervisory Authority. The caveat is that, in this particular case, a finding by the Commissioner suspending or prohibiting transfers under SCCs would de facto have equated to a rebuttal of the European Commission’s adequacy finding under Privacy Shield.)
I tend to agree with the Commissioner that taking this to the Courts was the logical path. That said, I do find the procedural solution awkward.
The Irish Commissioner filed a lawsuit before the Irish courts both against Facebook Ireland Ltd and against Mr. Schrems.
You got that right.
The Commissioner sued the data subject whose fundamental rights the Commissioner was supposed to protect.
(And yes, this is why Schrems is actually a defendant and not a plaintiff in Schrems II.)
A finding of adequacy does not require an identical level of protection but it requires “the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union”
C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 73)
In its response, Facebook took the view that “national security” is excluded from EU law (and therefore surveillance was not an issue) and reasoned that, since the Privacy Shield Decision (EU) 2016/1250 by the European Commission found no conflict between US surveillance laws and EU fundamental rights, logically such a finding should also apply to transfers under the SCCs.
If you invested time and effort getting your organization to file for and comply with Privacy Shield and are starting to feel a bit ticked off with Facebook right about now, I don’t blame you. Yes, Facebook is the one who dragged Privacy Shield into Schrems II.
Once Facebook brought Privacy Shield into the ring, Mr Schrems took the view that the Privacy Shield decision misrepresented US surveillance laws, was invalid, and therefore constituted no authority to interpret the SCCs in the first place.
“[…] it is clear from the information provided in the order for reference that, in the main proceedings, Facebook Ireland claims that the Privacy Shield Decision is binding on the Commissioner in respect of the finding on the adequacy of the level of protection ensured by the United States and therefore in respect of the lawfulness of a transfer to that third country of personal data pursuant to the standard data protection clauses in the annex to the SCC Decision”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶152)
In a judgment of 3 October 2017, [2017] IEHC 545, after several procedural steps and more than five weeks of hearings featuring multiple expert witnesses on US surveillance law, the Irish High Court found that the US government runs mass surveillance programs, summarized all factual findings, and, on 13 April 2018, wrapped the file up in a bundle and sent it to Brussels for the CJEU to read together with eleven questions.
Facebook applied to the Irish Supreme Court in a bid to stop the referral by the High Court to the CJEU, but the appeal was ultimately rejected on 31 May 2019.
And that is basically how Schrems II got to the CJEU.
“[…] the referring court harbours doubts as to whether US law in fact ensures the adequate level of protection […] As far as concerns effective judicial protection, it adds that the introduction of a Privacy Shield Ombudsperson cannot, in its view, remedy those deficiencies since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47 of the Charter.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶168)
Now a bit about the decision of the CJEU…
The CJEU is responsible for interpreting EU law, which is why the Irish Court suspended proceedings and sent the case up for the CJEU to answer eleven questions bearing on the interpretation of several EU laws (including Articles 7, 8 and 47 of the EU Charter of Fundamental Rights, the EU equivalent of the US Constitution).
I summarize the decision itself below in the “This case in a nutshell” section.
Before going there: Apologies for being blunt but, whether we like it or not, the remedy data protection law has provided since the 70s, when an exporter cannot warrant that the fundamental rights of the data subject will not be negatively impacted by an export, is data localization.
If (like me) you conceive the core of the right to data protection to be ensuring the use of automated technologies does not impinge or diminish your other fundamental rights, the requirement is actually quite intuitive and absolutely unavoidable.
For those who remember, initially, the requirement applied only to computerized data, but the 1995 Directive expanded the scope of data protection law to include data in filing systems as well.
In fact, this is exactly why we got the 1995 Data Protection Directive in the first place: EU countries with data protection legislation were reluctant to export personal data to more “lax” EU jurisdictions. The Directive was a necessary step to level the playing field in terms of data protection requirements inside the EU, which then enabled free movement of personal data within the EU.
There are now narrow exceptions to the rule (called “derogations” in GDPR) but the rule has always been, well, the rule.
And yes, nobody is quite ready to turn off the internet but, if this case proves something, it is that there are persistent activists out there who are not ready to give up on their rights in order to have access to it.
So, in essence, surveillance v. data protection is a frontal collision.
Next time you see a case crawling up the EU court system where a data subject (or Supervisory Authority) is seeking to suspend or prohibit a cross-border transfer, buckle up because the law is likely on their side.
“… legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…”
C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 94)
This case in a nutshell….
There is not a shell capable of containing this nutty case but I will do my best.
Setting aside the procedural arguments and the findings on the powers of the Supervisory Authorities, the core legal questions in the Schrems cases are three: whether the US can be adequate, what constitutes “essential equivalence” in practice in the absence of adequacy, and who is responsible for ensuring the standard is met.
But before going into the answers, let’s summarize the rules for personal data transfers out of the EEA under EU data protection law.
There are basically three ways to export personal data out of the EEA legally:
- The country, territory, or sector receiving the exported data has been deemed adequate by the European Commission. Both Safe Harbor and Privacy Shield were adequacy determinations made by the European Commission.
- Appropriate safeguards are in place to ensure the rights and freedoms of the data subjects are effectively protected, there are enforceable data subject rights, AND an effective legal remedy exists. SCCs are one of the steps that can be taken to achieve this. (Let’s call this Safeguards PLUS)
- Where no adequacy decision exists and ensuring adequate safeguards is not possible, cross-border transfers are still permitted under certain exceptions called “derogations.”
Neither Schrems I nor Schrems II contain findings on derogations.
Both adequacy and safeguards PLUS must equate to “essential equivalence” in practice.
NOTE: If you are not familiar with cross-border data transfer requirements, start by reading my article on that here and Chapter V of GDPR.
“such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶96)
(1) Can the US be adequate?
The short answer is that, absent new regulations limiting surveillance and enabling effective legal remedies for Europeans, the US cannot be adequate.
Let’s back-up a bit.
When it comes to adequacy, the European Commission is indisputably in charge of identifying what “essential equivalence” means, with the caveat that the Courts may review and overrule the Commission (as happened both in Schrems I, for Safe Harbor, and Schrems II, for Privacy Shield).
The Commission has gone through the complex, long process of conducting a holistic review of US law twice, and has found both times that US organizations can meet the “adequacy” threshold when they self-certify to comply with a program containing certain principles and conditions.
The first program was Safe Harbor (which was invalidated in Schrems I) and the second program was Privacy Shield (which was invalidated in Schrems II).
So the one thing that is crystal-clear after Schrems I and Schrems II is that, when it comes to transfers to the US, the European Commission’s standards are below par for the CJEU’s taste.
And the one spice the CJEU has particular intolerance for is US surveillance.
The CJEU made it abundantly clear that it could neither stomach Section 702 of the US Foreign Intelligence Surveillance Act (FISA) (“Section 702”) nor digest Executive Order 12333 (“E.O. 12333”) even if sprinkled with fancy privacy principles enforced by the Federal Trade Commission and wrapped into a Privacy Shield burrito with an ombudsman antacid gum on the side.
So, if the US is ever to be deemed adequate, we either limit surveillance in the US or we wait for the CJEU to abandon its interpretation of the European fundamental rights to data protection, privacy and an adequate legal remedy (which would probably require its sister court, the European Court of Human Rights (ECtHR), to take the same approach, since ECtHR jurisprudence is binding for the Constitutional Courts of all Member States and the only viable path to square the differences is raising the bar).
Hope may spring eternal, but mortal souls may be wise to assume the CJEU is not budging on this one.
What about changes on the US side?
The political winds of the US are quite unpredictable, but we may see changes that pave the way to some form of “adequacy” in the future. Spoiler alert for EU friends: The US is not signing up for CoE 108 or enacting a US version of GDPR (and, if any State does, SCOTUS is going to strike it down as soon as someone brings it up for review so it is not going to be much help anyway.)
One final point: Schrems II has repercussions beyond EU-US transfers.
The one open question everyone is now asking is whether the UK can achieve adequacy after Brexit (which took place January 1st this year with the transition period ending at the end of the year), given Schrems I and II considering their information sharing with the US. Many also wonder if Canada and New Zealand (members of Five Eyes) will find their adequacy decisions revoked when they come up for review.
My favorite puzzle personally is how the existing adequacy decisions of Guernsey, the Isle of Man, and Jersey (all British Crown dependencies) will fare post Brexit. And, yes, I am rooting for the islands because they are cool islands and I like Cinderella stories…
“[…] in the light of the fact that the level of protection ensured by a third country is liable to change, it is incumbent upon the Commission […] to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard.”
C-362/14, Schrems v. Data Protection Commissioner, 6.10.2015 (Paragraph 76)
(2) What constitutes “essential equivalence” in practice absent adequacy?
So let’s accept that the US is not adequate and may never be.
The only path to “essential equivalence” left then is what I called Safeguards PLUS in my summary above (of course, using derogation is always theoretically possible but leads to a fairly narrow path.)
What is the path forward to achieve the “essential equivalence” GDPR trifecta which requires: “appropriate safeguards” + enforceable data subject rights + effective legal remedy?
In terms of frameworks from which multiple organizations could benefit, one viable possibility would be creating a Code of Conduct for cross-border transfers. If we are honest, Safe Harbor and Privacy Shield were, in essence, codes of conduct with the FTC acting as the enforcement body. A Code of Conduct can get you to essential equivalence (like SCCs) for transfers to multiple jurisdictions (not only the US), which cuts down on the paperwork, and would be more resilient to a challenge before the CJEU.
However, a Code of Conduct is a team effort. It would take time and will require major players to get involved.
So let’s talk about what individual organizations can do on their own now.
Clearly organizations that relied on Privacy Shield need a plan B ASAP.
To be clear, we are in “individual assessment for each transfer” land now.
The most likely path forward for individual transfers is SCCs. So those Annexes need to be completed and signed ASAP.
Who knows, possibly even read them?
And, since we are on the topic of reading, here are some of the “best hits” embedded in Controller-Processor SCCs everyone should be aware of (since the CJEU made it clear that it expects exporters and importers to comply with them):
- The exporter/controller, the importer and any processor thereof mutually undertake to ensure continued compliance with ‘the applicable data protection law’ (i.e. GDPR (in most cases) + the ePrivacy Directive + the Charter of Fundamental Rights at the minimum).
- Before transferring, the exporter and the importer should verify whether there are any mandatory requirements in the legislation of the foreign jurisdiction that go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defense and public security [and it means necessary by EU standards, not US standards].
- The importer must inform the exporter promptly of any inability to comply and certify that it has no reason to believe that applicable legislation prevents it from fulfilling its obligations. The importer must also notify if those requirements change in a manner that would have a substantial adverse effect.
- If the importer receives a legally binding request for disclosure by a law enforcement authority, it need not notify of the request where national law prohibits such notification, but is nevertheless required to inform the controller/exporter of his or her inability to comply with SCCs.
- The controller/exporter has the right to suspend the transfer and/or terminate the contract and, in fact, must suspend the transfer/terminate the contract where the importer is not able to comply.
- Any breach of the requirements above gives the data subject the right to receive compensation for the damage suffered.
- For special categories of data, if the exporter/controller is transferring to a country not providing adequate protection, it must inform the data subject before, or as soon as possible after, the transfer (which enables the data subject to bring legal action against the controller to suspend the transfer or, where appropriate, requires the recipient to return or destroy the data transferred.)
- If the controller/exporter receives a notification from the recipient of a change in the relevant legislation likely to have a substantial adverse effect on the transfer, it must forward the notification to the competent supervisory authority if it decides to not suspend the transfer. Then, the supervisory authority has a right to conduct an audit of the importer to ascertain whether the proposed transfer should be suspended or prohibited in order to ensure an adequate level of protection.
Now ask yourself: Is your organization doing that?
And, if you have BCRs and for some reason do not believe those contain similar requirements, perhaps you should read them again too.
SIDE NOTE: If you are exporting data directly from data subjects, good luck and God bless. SCCs are not going to help and, depending on who drafted BCRs for you, they might not help either.
“[…] validity depends, however, on whether, […], such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (¶137)
In short, signing documents and stuffing them in a drawer won’t get organizations where they need to be. And since US surveillance law is not changing anytime soon, the real path to meeting EU obligations for exporters (particularly for organizations directly subject to Section 702 as “internet service providers”: telcos, cloud storage providers, and other organizations that form the internet backbone) does not stop with paperwork (I offer some suggestions on where to start below).
My final (but unpopular with my US friends) advice is this: you need help and should not rely on US counsel to support you on this one.
Even assuming your US counsel actually knows enough EU law to be deemed competent to serve EU legal advice at premium price (which is a big “if”), he or she is not licensed to provide it.
But more importantly, there are deep cultural differences between EU and US and you definitely need someone on your side that actually speaks and thinks “European” on this one.
“Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (Paragraph 91)
(3) Who is responsible for ensuring that the standard is met?
If you work for an organization that exports data to the US you are it.
If this sounds to you like you are now responsible for achieving what the mighty US Commerce Department failed to achieve twice (with Safe Harbor and Privacy Shield), you are about right.
On top of the paperwork (which you do need to get in place), from now on the path to essential equivalence includes (non-exhaustive list, of course):
- Technology: This case was about surveillance and the best remedy for surveillance from a tech perspective is encryption. I am not talking only about in-transit end-to-end encryption (or as “end-to-end” as you can possibly make it), but also workable solutions for encryption at rest (searchable encryption anyone?)
- Transparency: Detailed transparency reports are already published by some but there are issues as to how to compare reports from different organizations as there is no standardized format for them.
- Tracking: This is a transfer by transfer analysis, and keeping track requires records and an efficient way to identify and weed-out sub-processors that are not ready to bear their share of the burden. Invest in vendor management and keep those records of processing up-to-date.
- Theology?: If you are subject to invasive surveillance laws of non-democratic countries, praying cannot hurt. Although the Schrems decision does not directly address jurisdictions other than the US, if Supervisory Authorities start doing what the CJEU ordered them to do and proactively investigate practices in, let’s say, China or Russia (or are prompted by an activist to do so), I am not sure there is a viable path to compliance with all the obligations that may be at play absent data segregation. Sorry, but it is the truth.
There is always the path of going for local storage in the EU, which may somewhat reduce the surveillance risks and could avoid some (but likely not all) cross-border transfers. There will be EU vendors pushing for this and they do have a point.
“… in the absence of an adequacy decision […] a controller or processor may transfer personal data to a third country only if the controller or processor has provided ‘appropriate safeguards’, and on condition that ‘enforceable data subject rights and effective legal remedies for data subjects’ are available, such safeguards being able to be provided, inter alia, by the standard data protection clauses adopted by the Commission.”
C‑311/18, Data Protection Commissioner v. Schrems and Facebook (Paragraph 91)
Now my two cents:
My real personal axe to grind on this one is that the CJEU missed yet another golden opportunity to create a cohesive doctrine around the EU fundamental right to data protection.
I get it that most US scholars and practitioners are blissfully ignorant (if not dismissive) of the difference between the right to privacy and the right to data protection.
But the CJEU not being ready to create a legal doctrine conceptualizing the right to data protection?
Well, that sucks…
So dear CJEU: I wrote you a letter:
To: The Court of Justice of the European Union (Grand Chamber)
In regards: Overdue homework
Dear Grand Chamber:
I have been waiting for years for you to give us a hint as to what the essence of the European right to data protection is.
I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart, as you keep citing them as if they were twins.
And that is a scary proposition, since the ECtHR is not going to steal your thunder: the European Convention on Human Rights (which the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.
Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?
And yes, I know you are not bound to follow precedent from the Constitutional Courts of Member States.
But let’s be honest.
You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter is just a compilation of the rights granted to Europeans, initially, by Member State law.
So please, do your homework next time you rule on a GDPR case and hand down something that tells us what exactly the core of the European right to data protection is. Is data localization, absent essential equivalence for a cross-border transfer, part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning of that Article) trigger a violation of the fundamental right to data protection under Article 8.3 of the Charter?
Looking forward to hearing from you soon.
BACKGROUND ON THE CASES
C-362/14, Schrems v. Data Protection Commissioner (“SCHREMS I”, decided June 10, 2015) & C-311/18, Data Protection Commissioner v. Facebook and Schrems (“SCHREMS II”, decided July 15, 2020).
Understanding the US surveillance laws connected with this case
The Schrems decision relates mainly to two provisions under US law:
- Section 702 (s702 / 50 USC §§ 1881a et seq) was enacted to authorize the acquisition of foreign intelligence information about non-US persons located outside the US. A non-US person is anyone who is not a US citizen or permanent US resident. This section permits the Attorney General and the Director of National Intelligence to authorize jointly, following approval by the Foreign Intelligence Surveillance Court (FISC), the surveillance of individuals who are not United States citizens located outside the United States in order to obtain ‘foreign intelligence information’, and provides, inter alia, the basis for the PRISM and UPSTREAM surveillance programs. Once the FISC has approved a certification under s702, the government issues directives to US electronic communications service providers that compel the providers to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition” of communications. In practice, the government sends the providers “selectors” (such as telephone numbers or email addresses) that are associated with specific “targets” (such as a non-US person, persons, or legal entity). Service providers must comply with these directives in secret and are not allowed to notify their users. s702 reportedly provides the basis for more than a quarter of US international terrorism intelligence. Although targeted at non-US persons, it is also believed to result in the “incidental” collection of millions of Americans’ communications.
- In the context of the PRISM program, “Internet service providers” are required, according to the findings of that court, to supply the NSA with all communications to and from a ‘selector’, some of which are also transmitted to the FBI and the Central Intelligence Agency (CIA). As regards the UPSTREAM program, telecommunications undertakings operating the ‘backbone’ of the Internet — that is to say, the network of cables, switches and routers — are required to allow the NSA to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a ‘selector’. Under that program, the NSA has, according to the findings of the court, access both to the metadata and to the content of the communications concerned. (See, paragraphs 61 and 62 of the Schrems II decision.)
- The term “electronic communications service provider” is defined broadly to include telecommunications carriers (e.g., AT&T, T-Mobile, Verizon), providers of electronic communications services and remote computing services (e.g., Facebook and Google), as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage). According to testimony by Peter Swire submitted in Schrems II, which cited guidance issued by the Department of Justice, the definition is so broad that it could capture any company that provides its employees with corporate email or a similar ability to send and receive electronic communications.
- Executive Order 12333 (EO 12333) regarding United States intelligence activities allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA.
- Activities conducted pursuant to E.O. 12333 are not governed by statute. (See paragraph 63 of the Schrems II decision.)
- While FISA generally covers surveillance activities inside the US, the government may also conduct surveillance outside the US under the authority of EO 12333.
- In broad terms, EO 12333 provides the foundational authority by which US intelligence agencies collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means.
- Unlike FISA, surveillance under EO 12333 does not rely on the compelled assistance of electronic communications service providers. Little is known about how information is actually collected, but the NSA has confirmed it involves exploiting vulnerabilities in telecommunications infrastructure.
- In 2014, President Obama issued Presidential Policy Directive 28 (PPD-28) directing US intelligence agencies to review their policies regarding the treatment of non-US persons in connection with signals intelligence programs.
- Effectively, PPD-28 imposes restrictions on signals intelligence activities, including those conducted under s702 FISA and EO 12333, regardless of the target’s nationality or location.
- In Schrems II, the CJEU found that the protections afforded by PPD-28 are not sufficient to ensure an adequate level of protection for personal data under EU law.
- As regards the limits on intelligence activities, non-US persons are effectively covered only by Presidential Policy Directive 28 (PPD-28), which states that intelligence activities should be ‘as tailored as feasible’. (See paragraph 64 of the Schrems II decision.)
PRISM and UPSTREAM
- In 2013, Snowden leaked a number of NSA slides revealing the existence of two secret government surveillance programs: PRISM and UPSTREAM. Both are conducted under s702 of FISA but operate in different ways.
- PRISM involves the direct ‘downstream’ collection of communications by the NSA through the compelled assistance of electronic communications service providers. Effectively, the government sends a selector, such as an email address, to a US-based provider, and the provider is required to provide the government with all communications sent to or from that selector.
- UPSTREAM involves the indirect ‘upstream’ collection of communications through the compelled assistance of telecommunications providers that provide the backbone of the internet (e.g. AT&T and Verizon). Essentially, the NSA copies and filters the vast quantity of data flowing through the network of cables, switches and routers that make up the Internet. Because the data is obtained without the knowledge or assistance of downstream providers, UPSTREAM has been described as ‘backdoor’ surveillance.
Procedural background for the Schrems cases.
- Maximillian Schrems (Schrems), an Austrian national residing in Austria, has been a Facebook user since 2008.
- As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing.
- Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘Schrems I’).
- Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid.
- In his reformulated complaint, Mr Schrems claimed that the United States does not offer sufficient protection of data transferred to that country. He sought the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 2010/87 (‘the SCC Decision’, approving Standard Contractual Clauses).
- Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling.
- After the initiation of those proceedings, the Commission adopted Decision 2016/1250 (‘the Privacy Shield Decision’).
- In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses in Decision 2010/87, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raised the question of the validity both of Decision 2010/87 and of Decision 2016/1250.
ANALYSIS OF THE CASES:
Schrems I: Questions referred
Reference for a preliminary ruling by the Irish High Court on the following questions:
- Whether a national DPA deciding the validity of a transfer of personal data to a third country is bound by an EU finding of adequacy
- Whether the DPA may and/or must conduct his/her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published
Schrems I: Court findings
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure the effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs’ powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State to a third country, as the transfer is processing carried out in the Member State. (¶¶ 40-47)
An adequacy decision adopted by the Commission pursuant to Article 25(6) of Directive 95/46 is addressed to the Member States, which must take the necessary measures to comply with it. Until the Commission decision is declared invalid by the ECJ, it has legal effect in the Member States. However, it cannot eliminate or reduce the powers of the DPA accorded by Article 8(3) of the EU Charter of Fundamental Rights, and therefore cannot prevent data subjects whose personal data has been transferred from lodging a claim pursuant to Article 28(4) with the DPA, alleging that an adequate level of protection is not ensured in that third country, which in essence challenges the validity of the Commission’s adequacy decision. But the ECJ alone has jurisdiction to declare that the decision is invalid; neither the DPA nor a national court may do so. The latter must refer the claim to the ECJ for a preliminary ruling to examine the validity of the Commission decision. (¶¶ 51-64)
Article 3 of Decision 2000/520 lays down specific rules regarding DPAs’ powers in light of a Commission adequacy finding (to suspend data flows to self-certified US organizations under restrictive conditions establishing a high threshold for intervention). It excludes the possibility of DPAs taking action to ensure compliance with Article 25 (adequacy); in particular, it denies DPAs the powers they derive from Article 28 to consider a data subject claim which puts into question whether a Commission adequacy decision is compatible with the protection of privacy and the fundamental rights and freedoms of individuals. This goes beyond the power conferred on the Commission in Article 25(6). Thus, Article 3 is invalid. (¶¶ 100-104)
Adequate level of protection: The word “adequate” in Article 25(6) signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed by the EU legal order. However, it requires the third country to ensure, by reason of its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed in the EU, otherwise that protection could be easily circumvented by transfers. Thus, the legal order of the third country covered by a Commission adequacy decision must have means to ensure protection essentially equivalent to that guaranteed within the EU. When examining the level of protection afforded by a third country, the Commission must assess the content of the applicable rules resulting from domestic law or international commitments and the practice designed to ensure compliance. Also, in light of the fact that the level of protection ensured by the third country is liable to change, the Commission must, after adopting an adequacy decision, check periodically whether the adequacy finding remains factually and legally justified. Account must be taken of the circumstances that have arisen after the adoption of the decision. The Commission’s discretion as to adequacy is reduced and is subject to strict scrutiny, in view of the important role played by data protection in the light of the fundamental right to respect for private life and the large number of persons potentially concerned by transfers. (¶¶ 73-78)
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain sufficient findings regarding US measures which ensure adequacy by reason of domestic law or international commitments. (¶¶ 82-87)
Interference with fundamental right: Decision 2000/520 enables interference with the fundamental right to respect for private life of persons whose personal data is or could be transferred from the EU to the US. (¶87)
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor does it refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission itself found that US authorities could access the personal data transferred and process it in a way incompatible with the purposes for which it was transferred, and beyond what was strictly necessary and proportionate for the protection of national security, and that data subjects had no redress regarding their rights of access, rectification and erasure. Legislation permitting public authorities to have generalized access to the content of electronic communications compromises the essence of the fundamental right to respect for private life. Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to, rectification or erasure of his own personal data does not respect the essence of the fundamental right to effective judicial protection. (¶¶ 88-95)
Thus, Article 1 of the Decision does not ensure adequacy and the decision is consequently invalid. (¶ 98)
Articles 1 and 3 are inseparable from 2 and 4 and the annexes, thus the entire Decision 2000/520 is invalid. (¶105)
Schrems II: Questions referred (as combined by the Court in its answers)
- 1st Question: Whether Article 2(1) and Article 2(2)(a), (b) and (d) of the GDPR, read in conjunction with Article 4(2) TEU, must be interpreted as meaning that that regulation applies to the transfer of personal data by an economic operator established in a Member State to another economic operator established in a third country, in circumstances where, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of that third country for the purposes of public security, defence and State security.
- 2nd, 3rd, and 6th Questions: What is the level of protection required by Article 46(1) and Article 46(2)(c) of the GDPR in respect of a transfer of personal data to a third country based on standard data protection clauses? In particular, the referring court asked the Court to specify which factors need to be taken into consideration for the purpose of determining whether that level of protection is ensured in the context of such a transfer.
- 8th Question: Whether Article 58(2)(f) and (j) of the GDPR must be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured, or as meaning that the exercise of those powers is limited to exceptional cases.
- 7th and 11th Questions: Is the Decision of the European Commission approving SCCs valid in the light of Articles 7, 8 and 47 of the Charter?
- 4th, 5th, 9th and 10th Questions: Whether, in view of the findings of the Commission on US surveillance law, the transfer to the US of personal data pursuant to the standard data protection clauses breaches the rights enshrined in Articles 7, 8 and 47 of the Charter and, in particular, whether the introduction of the ombudsperson (referred to in Annex III to the Privacy Shield Decision) is compatible with Article 47 of the Charter.
NOTE: The questions referred in Schrems II were answered in the light of the provisions of the GDPR rather than those of Directive 95/46. (¶79)
Schrems II: Court findings.
Admissibility of request for preliminary ruling:
- “it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. […]. [Q]uestions referred by national courts enjoy a presumption of relevance.” (¶73)
Scope of the national security exclusion in the Treaty of the European Union (TEU)
- “the rule in Article 4(2) TEU, according to which, within the European Union, national security remains the sole responsibility of each Member State, concerns Member States of the European Union only. That rule is therefore irrelevant, in the present case, for the purposes of interpreting Article 2(1) and Article 2(2)(a), (b) and (d) of the GDPR.” (¶81)
Scope of the exclusions under Article 2(2) of GDPR:
- “it should be noted that that provision lays down exceptions to the scope of that regulation, as defined in Article 2(1) thereof, which must be interpreted strictly” (¶84)
- “… since the transfer of personal data at issue in the main proceedings is from Facebook Ireland to Facebook Inc., namely between two legal persons, that transfer does not fall within Article 2(2)(c) of the GDPR, which refers to the processing of data by a natural person in the course of a purely personal or household activity. Such a transfer also does not fall within the exceptions laid down in Article 2(2)(a), (b) and (d) of that regulation, since the activities mentioned therein by way of example are, in any event, activities of the State or of State authorities and are unrelated to fields in which individuals are active” (¶85)
- “by expressly requiring the Commission, when assessing the adequacy of the level of protection afforded by a third country, to take account, inter alia, of ‘relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation’, it is patent from the very wording of Article 45(2)(a) of that regulation [GDPR] that no processing by a third country of personal data for the purposes of public security, defence and State security excludes the transfer at issue from the application of the regulation.” (¶87)
Interpretation of EU Law and the European Convention for the Protection of Human Rights and Fundamental Freedoms (‘the ECHR’):
- “[…] although, as Article 6(3) TEU confirms, the fundamental rights enshrined in the ECHR constitute general principles of EU law and although Article 52(3) of the Charter provides that the rights contained in the Charter which correspond to rights guaranteed by the ECHR are to have the same meaning and scope as those laid down by that convention, the latter does not constitute, as long as the European Union has not acceded to it, a legal instrument which has been formally incorporated into EU law” (¶94)
Interpretation of EU Law and Member State Constitutions:
- “[…] the Court has consistently held that the validity of provisions of EU law and, in the absence of an express reference to the national law of the Member States, their interpretation, cannot be construed in the light of national law, even national law of constitutional status, in particular fundamental rights as formulated in the national constitutions” (¶95)
Interpretation of EU Law and the EU Charter of Fundamental Rights:
- “the Court has held that the interpretation of EU law and examination of the legality of EU legislation must be undertaken in the light of the fundamental rights guaranteed by the Charter” (¶99)
Powers and responsibilities regarding data transfers (Supervisory Authorities v. European Commission):
- “the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is transferred to a third country since, as is clear from recital 116 of that regulation, ‘when personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information’.” (¶¶ 107 & 108)
- “If a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy. […]” (¶111)
- “[…] the supervisory authority is required […] to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.” (¶113)
- “Under the fourth paragraph of Article 288 TFEU, a Commission adequacy decision is, in its entirety, binding on all the Member States to which it is addressed and is therefore binding on all their organs in so far as it finds that the third country in question ensures an adequate level of protection and has the effect of authorising such transfers of personal data” / “until such time as a Commission adequacy decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection” (¶¶ 117 & 118)
- “[…] until the Court should declare that decision invalid, the competent supervisory authority cannot suspend or prohibit a transfer of personal data to an organisation that abides by that privacy shield on the ground that it considers, contrary to the finding made by the Commission in that decision, that the US legislation governing the access to personal data transferred under that privacy shield and the use of that data by the public authorities of that third country for national security, law enforcement and other public interest purposes does not ensure an adequate level of protection.” (¶156)
- “[…] unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.” (¶121)
- “[…] when a person lodges a complaint with the competent supervisory authority, that authority must examine, with complete independence, whether the transfer of personal data at issue complies with the requirements laid down by the GDPR and, if, in its view, the arguments put forward by that person with a view to challenging the validity of an adequacy decision are well founded, bring an action before the national courts in order for them to make a reference to the Court for a preliminary ruling for the purpose of examining the validity of that decision.” (¶157)
Right to effective judicial remedy:
- “Article 78(1) and (2) of the GDPR recognises the right of each person to an effective judicial remedy, in particular, where the supervisory authority fails to deal with his or her complaint. Recital 141 of that regulation also refers to that ‘right to an effective judicial remedy in accordance with Article 47 of the Charter’ in circumstances where that supervisory authority ‘does not act where such action is necessary to protect the rights of the data subject’.” (¶110)
Cross-border data transfers in general:
- “… in the absence of an adequacy decision under Article 45(3) of that regulation, a controller or processor may transfer personal data to a third country only if the controller or processor has provided ‘appropriate safeguards’, and on condition that ‘enforceable data subject rights and effective legal remedies for data subjects’ are available, such safeguards being able to be provided, inter alia, by the standard data protection clauses adopted by the Commission.” (¶91)
- “such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.” (¶96)
- “[…] the appropriate safeguards, enforceable rights and effective legal remedies required […] must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. To that end, the assessment […] must, in particular, take into consideration both the contractual clauses […] and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation. [GDPR]” (¶105)
- “a standard clauses decision differs from an adequacy decision adopted pursuant to Article 45(3) of the GDPR, which seeks, following an examination of the legislation of the third country concerned taking into account, inter alia, the relevant legislation on national security and public authorities’ access to personal data, to find with binding effect that a third country, a territory or one or more specified sectors within that third country ensures an adequate level of protection and that the access of that third country’s public authorities to such data does not therefore impede transfers of such personal data to the third country. Such an adequacy decision can therefore be adopted by the Commission only if it has found that the third country’s relevant legislation in that field does in fact provide all the necessary guarantees from which it can be concluded that that legislation ensures an adequate level of protection.” / “By contrast, in the case of a Commission decision adopting standard data protection clauses, such as the SCC Decision, in so far as such a decision does not refer to a third country, a territory or one or more specific sectors in a third country, it cannot be inferred from Article 46(1) and Article 46(2)(c) of the GDPR that the Commission is required, before adopting such a decision, to assess the adequacy of the level of protection ensured by the third countries to which personal data could be transferred pursuant to such clauses.” (¶¶ 129 & 130)
Adequacy and Privacy Shield:
- “although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term ‘adequate level of protection’ must […] be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter.” (¶93)
- “[…] the Privacy Shield Decision also states, in paragraph I.5. of Annex II, under the heading ‘EU-U.S. Privacy Shield Framework Principles’, that adherence to those principles may be limited, inter alia, ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’. Thus, that decision lays down, as did Decision 2000/520, that those requirements have primacy over those principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard the principles without limitation where they conflict with the requirements and therefore prove incompatible with them” / “In the light of its general nature, the derogation set out in paragraph I.5 of Annex II to the Privacy Shield Decision thus enables interference, based on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States […] More particularly, as noted in the Privacy Shield Decision, such interference can arise from access to, and use of, personal data transferred from the European Union to the United States by US public authorities through the PRISM and UPSTREAM surveillance programmes under Section 702 of the FISA and E.O. 12333.” / “in recitals 67 to 135 of the Privacy Shield Decision, the Commission assessed the limitations and safeguards available in US law, inter alia under Section 702 of the FISA, E.O. 12333 and PPD‑28, as regards access to, and use of, personal data transferred under the EU-US Privacy Shield by US public authorities for national security, law enforcement and other public interest purposes.” (¶164–166)
- “The Court has held that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference” (¶171)
- “[…] in accordance with the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. Under the second sentence of Article 52(1) of the Charter, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.” (¶174)
- “[…] it should be added that the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned (Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 139 and the case-law cited).” (¶175)
- “[…] in order to satisfy the requirement of proportionality according to which derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary, the legislation in question which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data is subject to automated processing (see, to that effect, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraphs 140 and 141 and the case-law cited).” / “To that effect, Article 45(2)(a) of the GDPR states that, in its assessment of the adequacy of the level of protection in a third country, the Commission is, in particular, to take account of ‘effective and enforceable data subject rights’ for data subjects whose personal data are transferred.” (¶176&177)
- “[…] as regards the surveillance programmes based on Section 702 of the FISA, the Commission found, in recital 109 of the Privacy Shield Decision, that, according to that article, ‘the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence (DNI)’. As is clear from that recital, the supervisory role of the FISC is thus designed to verify whether those surveillance programmes relate to the objective of acquiring foreign intelligence information, but it does not cover the issue of whether ‘individuals are properly targeted to acquire foreign intelligence information’.” / “It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes. In those circumstances […], that article cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter […], according to which a legal basis which permits interference with fundamental rights must, in order to satisfy the requirements of the principle of proportionality, itself define the scope of the limitation on the exercise of the right concerned and lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.” / “According to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28. However, although […] such requirements are binding on the US intelligence authorities, the US Government has accepted, […] that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter, contrary to the requirement in Article 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights.” / “As regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court that that order does not confer rights which are enforceable against the US authorities in the courts either.” (¶179–182)
- “[…] PPD‑28, with which the application of the programmes referred to in the previous two paragraphs must comply, allows for ‘“bulk” collection … of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target … to focus the collection’ […]. That possibility, which allows, in the context of the surveillance programmes based on E.O. 12333, access to data in transit to the United States without that access being subject to any judicial review, does not, in any event, delimit in a sufficiently clear and precise manner the scope of such bulk collection of personal data.” / “It follows therefore that neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.” (¶183&184)
- “Article 47 of the Charter, […] requires everyone whose rights and freedoms guaranteed by the law of the Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. According to the second paragraph of that article, everyone is entitled to a hearing by an independent and impartial tribunal.” / “Thus, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter” (¶185–186)
- “[…] legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter” / “The existence of such effective redress in the third country concerned is of particular importance in the context of the transfer of personal data to that third country,” (¶187&189)
- “the Commission found, […] that ‘while individuals, including EU data subjects, … have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered’. Thus, as regards E.O. 12333, the Commission emphasised, in recital 115, the lack of any redress mechanism.[…] [T]he existence of such a lacuna in judicial protection in respect of interferences with intelligence programmes based on that presidential decree makes it impossible to conclude, as the Commission did in the Privacy Shield Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.” (¶191)
- “Furthermore, as regards both the surveillance programmes based on Section 702 of the FISA and those based on E.O. 12333, it has been noted in paragraphs 181 and 182 above that neither PPD‑28 nor E.O. 12333 grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.” / “The Commission found, however, […] that, as a result of the Ombudsperson Mechanism introduced by the US authorities, […] and of the nature of that Ombudsperson’s role, in the present instance, a ‘Senior Coordinator for International Information Technology Diplomacy’, the United States can be deemed to ensure a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.” / “An examination of whether the ombudsperson mechanism which is the subject of the Privacy Shield Decision is in fact capable of addressing the Commission’s finding of limitations on the right to judicial protection must, […] start from the premiss that data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data.” (¶192–194)
- “[…] in addition to the fact that, […] the Ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department, there is, […] nothing in that decision to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees, which is such as to undermine the Ombudsman’s independence from the executive” (¶195)
- “there is nothing in that [Privacy Shield] decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.” (¶196)
Appropriate safeguards and SCCs:
- “Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out.” (¶91)
- “the appropriate safeguards to be taken by the controller or processor in accordance with Article 46(1) of the regulation must ‘compensate for the lack of data protection in a third country’ in order to ‘ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union’” (¶95)
- [Referring to SCCs] “[…] although those clauses are binding on a controller established in the European Union and the recipient of the transfer of personal data established in a third country where they have concluded a contract incorporating those clauses, it is common ground that those clauses are not capable of binding the authorities of that third country, since they are not party to the contract.” / “although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.” (¶125&126)
- “[…] the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.” / “It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” (¶133&134)
- “That validity depends, however, on whether, […], such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.” (¶137)
- “[…] the SCC Decision provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.” (¶148)
Golden Data Articles
- What are the requirements for ‘cross-border data transfers’ under EU Data Protection Law?
- What is the Charter of Fundamental Rights of the European Union?
- What are Codes of Conduct?
- Original complaint filed by Schrems with the Irish Data Protection Authority in 2013.
- Amended complaint filed by Schrems with the Irish Data Protection Authority in 2015.
SCHREMS I CJEU Decision: Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) Case file
- Judgment (OJ) 13/11/2015
- Judgment ECLI:EU:C:2015:650 06/10/2015
- Judgment (Summary) ECLI:EU:C:2015:650 06/10/2015
- Opinion ECLI:EU:C:2015:627 23/09/2015
- Application (OJ) 19/09/2014
SCHREMS II CJEU Decision: Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
- EDPB oral pleading before the Court of Justice of the EU Case C-311/18 (Facebook Ireland and Schrems) 9th July 2019, Luxembourg
- Judgement of the Court (Grand Chamber)
- CJEU Press release 91/20 (Luxembourg, 16 July 2020) on Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
Prof. Dr. Dr. von Danwitz (who was the judge-rapporteur in the CJEU for both Schrems cases) interview on January 28, 2021, at the conference organized by the German Federal Ministry of the Interior celebrating the 40th Data Protection Day.
- Recordings here: in German, English, and French [The intervention in German by Prof. Dr. Dr. von Danwitz on the exploration of the Article 49 derogations starts at 02h23m12s.]
- FPF take on the interview
Relevant law and jurisprudence:
- Treaty of the European Union (a.k.a. “The Maastricht Treaty”)
- Decision 2000/520 (‘the Safe Harbor Decision’): Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) available here.
- Decision 2010/87 (‘the SCC Decision’): Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) available here.
- Decision 2016/1250 (‘the Privacy Shield Decision’): Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1) available here.
US Surveillance law
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) (‘Section 702’)
- Executive Order 12333 regarding United States intelligence activities (‘E.O. 12333’)
- Presidential Policy Directive 28 (PPD-28) on Signals Intelligence Activities
- Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act White Paper by US DOJ
- LIBE Committee letters to the European Data Protection Supervisor and European Data Protection Board regarding legal assessment of the impact of the US Cloud Act on the European legal framework for personal data protection (July 10, 2019)
- Peter Swire testimony during the Irish High Court case
- Privacy and Civil Liberties 2014 report on US surveillance
- Paper from Peter Swire on this, for those who want to go deeper, is The System of Foreign Intelligence Surveillance Law (72 George Washington Law Review 1306 (2004), Ohio State Public Law Working Paper №18, Georgia Tech Scheller College of Business Research Paper №2015–18)
- The DNI has published a redacted 2016 transcript that provides a rare inside view of surveillance carried out under s702.
Case-law challenging surveillance programs
US case-law challenging surveillance:
From Max Schrems and None of Your Business (NOYB)
- You can watch the interview of Max Schrems for 60 minutes here.
- What is NOYB?
- NOYB facts about the Schrems II decision
- In a letter to the Irish Data Protection Authority (the “DPC”) obtained by POLITICO, a lawyer for Mr. Schrems set a July 31 deadline for the DPC to clarify the legal basis relied on by Facebook for its EU-U.S. data transfers. In addition, the letter argues that the appropriate legal basis should be detailed within Facebook’s data processing inventory as required under Article 30 of the GDPR, and that this information should be made public as part of Facebook’s privacy notices as required by Articles 13 and 14 of the GDPR. The letter requests that the DPC issue a final decision on the matter of Facebook’s data transfers to the U.S. by October 1, 2020.
- NOYB files 101 complaints: NOYB announced in August 2020 that it had filed 101 complaints. The complaints related to Google Analytics and Facebook Connect integrations in webpages of EU controllers. Some complaints were filed directly with the (likely) relevant Lead Supervisory Authority (LSA) at the establishment of the controller; others were filed with the Austrian DPA, at the residence of the data subjects. These complaints will likely be forwarded to the relevant LSA under the “One Stop Shop” (OSS).
- In the wake of the CJEU’s judgement, NOYB sent emails to numerous companies that transfer the data of Europeans to the US requesting information (required under Articles 12 to 15 of the GDPR/SCCs/BCRs). The answers received are published here.
- Irish High Court allows Judicial Review aiming to stop Facebook’s EU-US Data Transfers (NOYB blog post)
- Government transparency reports issued by the FISC, the Department of Justice and the Director of National Intelligence.
- Credo Mobile
- Deutsche Telekom
- Hong Kong Transparency Report
- Korea Internet Transparency Report
- University of California, Berkeley
- Wikimedia Foundation
Twitter does not currently publish transparency reports. In 2014, the government blocked Twitter’s publication of its draft transparency report on the basis it did not comply with the reporting framework and contained classified information. In response, Twitter took legal action seeking injunctive relief and alleged unlawful prior restraint on its First Amendment rights. Twitter’s claim was dismissed.
Reactions to Schrems I
- You can read the A29WP statement on Schrems I here
- Because Privacy Shield faced similar challenges Article 29 WP issued an opinion stating that, if the concerns were not addressed within specified time frames, it may bring legal action to challenge the Privacy Shield’s validity.
Reactions to the CJEU Decision on Schrems II
Reactions from the US
- US Department of State / European Court of Justice Invalidates EU-U.S. Privacy Shield / Press Statement / Michael R. Pompeo, Secretary of State / (July 17, 2020)
- The US Department of Commerce issued new FAQs towards the end of July on the EU-U.S. Privacy Shield.
- Joint US Industry letter on Schrems II (July 30, 2020)
- Committee on Energy and Commerce letter to the Department of Commerce and the FTC (August 5, 2020)
- After Schrems II: A Proposal to Meet the Individual Redress Challenge / By Kenneth Propp, Peter Swire for Lawfare/ Thursday, August 13, 2020, 7:28 (see answer by Christopher Docksey under the EU section below.)
- Department of Commerce White Paper on transfers post-Schrems II (and Privacy Shield.)
- Microsoft published a post proposing to strengthen user rights in international data transfers (said it will challenge every government request for public sector or enterprise customer data) which was welcomed by the German watchdogs.
Reactions from the EU
- DPA Rhineland-Palatinate FAQs
- Berlin DPA Press Release
- German supervisory authorities (Datenschutzkonferenz, the “DSK”) statement reiterating the requirement for additional safeguards when organizations rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) for the transfer of personal data to third countries.
- European Data Protection Board: Statement from the EDPB
- European Data Protection Board: Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 — Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
- Summary Baden-Württemberg (Germany) Guidance on Data Transfers Following Schrems II — September 2, 2020 Hunton blog article (Similar article by Fox Rothschild)
- Federal Data Protection Authority Switzerland — FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection (Press release 8/9/2020)
- English version of the French data protection authority (CNIL)’s observations to the highest French administrative court, the Conseil d’État, on an application for interim relief against the Microsoft-hosted Health Data Hub, which led the French government on October 10, 2020 to make an emergency change to its Covid-19 decree.
- Schrems II and Individual Redress — Where There’s a Will, There’s a Way / By Christopher Docksey for Lawfare (Honorary Director General of the EDPS, a Member of the Guernsey Data Protection Authority, a Member of the Advisory Board of the Maastricht European Centre on Privacy and Cybersecurity) / Monday, October 12, 2020, 10:40 AM
- French Highest Court Rejects Temporary Suspension of France’s Health Data Hub; Calls for Additional Guarantees Following Schrems II / Hunton Blog / Oct. 19, 2020. See also analysis here.
- On November 11, 2020, the European Data Protection Board (the “EDPB”) published recommendations regarding supplementary measures and on the European Essential Guarantees for surveillance. Both recommendations are subject to a public consultation, which closes on November 30, 2020.
- December 2, 2020: The European Commission made cooperation with the Biden administration on international data flows a priority in a policy document last week (see here).
- Joint Press Statement (10/8/2020) from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross, which initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the 16 July judgement of the Court of Justice of the European Union in the Schrems II case.
UK and adequacy
- The New Economics Foundation and the UCL European Institute released a paper on the economic impact of inadequacy for the UK. Nov 2020.
- IAPP Webinar “The Schrems II decision: The day after” with Eduardo Ustaran and Max Schrems post Schrems II (watch out for Max’s puzzled expression when Eduardo asserts employee data is somehow less likely to be subject to surveillance in the US right at the end of the video…)
- Anonos October 2020 Schrems II Webinar: Webinar Transcript & Replay (see also, Panelists Summary & FAQs)
- Schrems II Offers an Opportunity — If the U.S. Wants to Take It / By Henry Farrell, Abraham L. Newman for Lawfare / Tuesday, July 28, 2020
- CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats (SPB Blog)
- European Essential Guarantees Guide — A Global Look at Fundamental Rights to Privacy & Data Protection
- Ireland to Order Facebook to Stop Sending User Data to U.S. / WSJ / September 9, 2020.
- Privacy and Civil Liberties Oversight Board (PCLOB) long-awaited “capstone report” on Executive Order 12333 issued in 2021.
“Crazy takes” section
[Yes, unfortunately, we need one section for this…]
- Article whereby former General Counsel of the NSA, Stewart Baker, demonstrates he may not get what really happened but clearly is upset about it: How Can the U.S. Respond to Schrems II? Written for Lawfare and published July 21, 2020, 8:11 AM.
- White House executive order on TikTok [Issued by the Trump administration]
- White House executive order on WeChat [Issued by the Trump administration]