Case Summary and Outcome

The Grand Chamber of the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and upheld the validity of the standard data protection clauses (an EU-approved standard contract to protect data transfers between EU and non-EU countries). In 2013, Schrems had brought a complaint before the Irish Data Protection Commission against Facebook Ireland Ltd. claiming mass surveillance of the data of EU citizens by US authorities. In a judgment delivered by CJEU in 2015, the Court invalidated the safe harbour privacy principles, subsequent to which Facebook used another legal tool to transfer data outside of the EU, called “standard contractual clauses” (SCCs). By an amended complaint dated December 1, 2015, Schrems challenged the validity of Facebook’s use of SCCs to transfer EU citizens’ data to the US, arguing that the use of such data for mass surveillance violated Art 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (CFR). While declaring the EU-US Privacy Shield void for lack of ‘adequate protection’ under EU law, the Court held that CJEU’s assessment of U.S. law must be taken into account for any transfers of personal data to the U.S., irrespective of the transfer mechanism used. Even though the validity of standard data protection clauses was upheld by CJEU, the Court noted that companies and regulators are required conduct case-by-case analyses to determine whether foreign protections concerning government access to data transferred meet EU standards.

---

Facts

In 2013, Maximilian Schrems, an Austrian national and privacy rights campaigner, filed a complaint before the Irish Data Protection Commission (DPC) to prohibit Facebook Ireland from transferring his personal data to the United States. Mr. Schrems’ complaint was premised on the ground that a large amount of data concerning EU residents was being ‘transferred’ outside EU to US, and Facebook provided mass access of such data to the US National Security Agency (NSA) without any need for a probable cause.

Facebook’s parent entity, Facebook Inc., operates its international business outside of the United States and Canada via a separate company in Ireland called ‘Facebook Ireland Ltd’. The transfer of data outside EU (from Facebook Ireland to Facebook Inc.) was made possible through the Safe Harbour Agreement – an EU-US data flow arrangement between the US Department of Commerce and the European Union that regulated cross-Atlantic data transfers. Schrems claimed that US surveillance laws (like section 720 of the Foreign Intelligence Surveillance Act and Executive Order 12333) and US surveillance programs disclosed by Edward Snowden (like “PRISM” and “Upstream”) gave the US government a legal and factual right to access data from large US tech companies, such as Apple, Facebook or Microsoft. Given that Facebook Ireland was the controller or processor of data, the outsourcing of data to Facebook Inc. was, therefore, incompatible with the standards established by the Safe Harbour Agreement and the Irish law, and the law and practice in force in the US did not ensure ‘adequate protection’ of the personal data in its territory in line with these laws. Schrems also claimed that while the users consented to such transfers, it was not an ‘informed’ consent as Facebook did not convey to its users any information concerning potential mass surveillance and its cooperation with the US National Security Agency (NSA). He challenged both the Safe Harbour Agreement as well as the transfer of his personal data (and EU members’ personal data) by Facebook to servers based in the US.

Schrems’ complaint was first refused by the DPC on the ground that US ensured an ‘adequate level of protection’, but in a judicial review brought before the High Court of Ireland, the case was referred to the European Court of Justice (CJEU) for a preliminary ruling on the interpretation and validity of the Safe Harbour Agreement. Schrems subsequently succeeded before the CJEU, which overturned the Safe Harbor system in 2015 and ruled that the DPC must investigate the complaint.

Post the invalidation of Safe Harbor, Facebook used another legal tool to transfer data outside of the EU, called “Standard Contractual Clauses” (SCCs). SCCs were pre-approved by the European Commission to act as terms and conditions for extraterritorial data transfers offering safeguards on data protection for the data transferred internationally, under the Commission Decision 2010/87. The standard clauses allow European Data Protection Authorities (DPA) to evaluate the legal protections available in the receiving state and to ensure that their surveillance laws do not “go beyond ‘ what is necessary in a democratic society’ to safeguard national security.” While the receiving state is not subject to EU law, the DPAs can suspend data transfers if EU standards are not being upheld.  Facebook used such SCCs to transfer data between Facebook Ireland and Facebook Inc.

The transfer of data was also made possible by the EU-US Privacy Shield – a 2016 framework that regulated transatlantic data transfers, designed and adopted to ensure consistency with EU Laws when transferring data of EU citizens into the US. The Privacy Shield by established a set of mutually agreed upon principles subject to the “investigatory and enforcement powers” of the U.S. Federal Trade Commission, the Department of Transportation and other statutory bodies that could ensure compliance.

By an amended complaint dated December 1, 2015, Schrems challenged the validity of Facebook’s use of SCCs to transfer EU citizens’ data to the US, arguing that the access to such data for mass surveillance by U.S. intelligence agencies violated Art 7, 8 and 47 CFR. Given the above, Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.

In a draft decision dated May 24, 2016, the Irish Data Protection Commissioner summarised provisional findings of her investigation and took Schrems’ view that the SCCs cannot overcome fundamental problems under US surveillance laws, specifically agreeing that there was no proper legal redress in the United States in compliance with Article 7, 8 and 47 of the CFR.  While prohibiting Facebook’s EU-US data transfers under Article 4 of the SCCs, the Commissioner issued proceedings in the High Court on May 31, 2016, in order for the High Court to refer a question on the issue of the SCCs to the CJEU.

On October 3, 2017, the Irish High Court delivered the judgement, holding that US surveillance laws allow “mass processing” of personal data. The High Court also decided that a reference to the CJEU was necessary in order to determine the validity of SCCs. Accordingly, by a preliminary ruling dated May 4, 2018, a reference was made to CJEU on 11 questions which broadly questioned the legality of SCCs and the EU-US Privacy Shield as adequate means of ensuring compliant data transfers to the third countries, sought to ascertain the factors to determine whether data-transfers regulated by SCCs met the required level of protection and the obligations of the Supervisory Authorities in such circumstances of data transfers pursuant to SCCs.

In an opinion of Advocate General Saugmandsgaard Øe delivered on December 19, 2019, he noted that appropriate guarantees must be provided to EU citizens, capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that which is guaranteed within the European Union. Accordingly, EU law applied to transfers of personal data in third countries, even though the transferred data might undergo processing by the public authorities of that third country for the purposes of national security.

The AG also examined the validity of the Commission Decision 2010/87 allowing standard contractual clauses.  He held that the decision and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination and therefore do not prevent them from imposing obligations that are contrary to the requirements of those clauses on the importer. However, this did not, by itself, make it illegal. While declaring that SCCs were valid, he, however, laid emphasis on ‘sufficiently sound mechanisms’ to ensure compatibility with CFR and to compensate for any deficiencies in the protection afforded by the third country of destination. In either case, data controllers were obligated to suspend/prohibit data transfers in cases of failure to meet adequacy requirements. It was also reiterated by the AG that the validity of the SCCs cannot be influenced by the findings relating to the validity of the Privacy Shield Decision, as the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the privacy shield decision in any way.

---

Decision Overview

The Grand Chamber of the Court delivered the judgment in the matter. The principal issue before the CJEU concerned whether the standard contractual clauses relied on in support of the transfers to which Schrems’ complaint related were valid, and whether or not they were in violation of Article 7, 8 and/or 47 of CFR.

Under the European Union’s (EU) Charter for Fundamental Rights (CFR), every EU citizen has the right to have their data processed fairly, for specified purposes, and with user consent. To that extent, an EU resident is required to conclude a contract with Facebook Ireland at the time of registration agreeing on the transfer of personal data outside EU to US. Article 7 of the CFR grants a fundamental right to life, whereas Article 8 guarantees every EU citizen a right to protection of personal data. Article 47, on the other hand, grants every EU citizen a right to an effective remedy and a fair trial.

Before the Irish High Court, Facebook had argued that the erstwhile decision in Schrems established clearly that it was only if there was no possibility of a remedy before a national court that the essence of the Article 47 right to an effective remedy was not respected. This was not the case in the US. It also contested that an ‘effective remedy’ under Article 13 of ECHR would mean a remedy that is as effective as it can be having regard to the restricted scope for recourse inherent in any system of secret surveillance. On other fronts, Facebook had reiterated the Commission’s findings in Schrems on the adequacy of the level of protection ensured by a third country, such as those set out in the Privacy Shield Decision and contested that they were binding on the supervisory authorities in US in the context of a transfer of personal data pursuant to standard data protection clauses as laid down in the SCC Decision.

By a judgment dated October 3, 2017, the Irish High Court concluded that there was mass indiscriminate processing of data by US agencies on account of evidence in relation to operation of the PRISM and Upstream programmes and in light of the definition of ‘processing’ under the erstwhile Data Protection Directive. More specifically, section 702 of FISA permitted the Attorney General and Director of National Intelligence to authorise the surveillance of individuals outside the United States in order to obtain ‘foreign intelligence information’ [p. 21]. It also held that EU citizens were deprived of the right to effective judicial remedy in the US – a fundamental right under Article 47 of the CFR. Notably, there were substantial obstacles in respect of the causes of action open to EU citizens, in particular that of locus standi, which were excessively difficult to satisfy in the opinion of the Court. On standard data protection clauses laid down in the SCC Decision, the Irish High Court took the view that those clauses were not binding on State authorities in the third country, and hence, were incapable of remedying desired adequacy levels of protection in that country.

Moving beyond the initial contest to inadmissibility of the request for a preliminary ruling, the CJEU discussed the initial question for review – concerning the application of regulations to the transfer of personal data for processing by an economic operator established in a Member State to another economic operator established in a third country. CJEU noted that the transfer of personal data from Facebook Ireland to Facebook Inc. was within the scope of Article 4(2) of GDPR (that defines ‘processing’), but did not fall within the exclusions listed in Article 2(2) thereof. As a result, the processing of personal data for the purposes of public security, defence or state security transferred between the two Facebook entities was subject to the application of GDPR.

The Court next considered the level of protection required by GDPR in respect of transfer of personal data to a third country on the basis of standard data protection clauses (second, third and sixth questions).  While recognising that Article 46 of GDPR (concerning ‘appropriate safeguards’) does not specify ‘what’ factors are to be taken into consideration for determining adequate level of protection, CJEU held that the term ‘adequate level of protection’ is to be understood as requiring the third country to ensure a level of protection essentially equivalent to that guaranteed within the European Union. In absence thereof, no transfer of data is valid unless the controller/processor undertakes appropriate safeguards to ‘compensate for the lack of data protection in a third country’ [p. 26]. On the question as to which law decides the level of protection equivalent to that guaranteed within the EU, CJEU expressly held that the validity of the provisions of the EU law cannot be construed in light of national law of member states, and it is only the fundamental rights guaranteed in the CFR that can validly examine and interpret legality of EU legislations. CJEU laid down a tripartite test to assess the adequacy of the level of protection to be observed in such data transfers, which required the contractual clauses agreed between the controller/processor in the EU and the third-country recipient to possess (a) appropriate safeguards, (ii) enforceable rights and (iii) effective legal remedies. For this purpose, the legal system in the third country should take into consideration the factors listed non-exhaustively in Article 45(2) of the GDPR.

The Irish High Court had also sought a decision from the CJEU on the validity of suspension or prohibition of data transfers outside EU in a circumstance where the standard data protection clauses did not comply with standards under the EU law. CJEU’s response to this was quite straightforward – the supervisory authority is entitled to suspend or prohibit a transfer if it fails to meet adequacy requirements under EU law. It must, however, be noted that under Art. 288 of the Treaty on the Functioning of the European Union (TFEU), a Commission adequacy decision can have the effect of authorising data transfers which ensure an adequate level of protection. In cases where the Commission adopts such a Commission adequacy decision, despite the fact that the decision is binding on Member states, the competent supervisory authority has the power to examine a complaint lodged by a person concerning his rights and determine, with complete independence, if the transfer is compliant with EU laws.

Next, CJEU considered the validity of the SCC Decision under Article 7, 8 and 47 of the CFR. The Irish High Court had requested a preliminary ruling on whether the SCC Decision was capable of ensuring an adequate level of protection on the transfer of data to third countries, given the standard data protection clauses (by virtue of their inherently contractual nature) under the SCC Decision did not bind the supervisory authorities of those third countries. CJEU noted that the standard data protection clauses were mere contractual guarantees, and the controller/processor was encouraged to provide ‘supplementary’ safeguards to cover obligations beyond the contract so as to ensure adequate protection on a case-by-case basis. Where this was not possible, a suspension or prohibition on data transfer was necessary to avoid breach of its obligations under clause 4(a) in the annex to the SCC Decision. To give effect to the above, both the controller established in the EU and the recipient in the third country were required to verify, prior to such transfer, ‘whether the level of protection required by EU law is respected in the third country concerned’ [p. 33] or to notify where the third country did not allow them to comply with standard data protection clauses. CJEU emphasized that a notification by the controller to data subjects in cases where adequate protection was not possible was necessary, so as to enable them to be in a position to bring legal action.

Given the above, the CJEU took the view that the SCC Decision provided for effective mechanisms to ensure transfer of data in compliance with EU laws, and there was nothing to invalidate the validity of that decision. Accordingly, it answered the 7^th and 11^th question in the negative. It must be noted that even though the court upheld the validity of Standard Contractual Clauses (SCC), it put forth important qualifications for data controllers to adhere to when using such SCCs.

Finally, the Irish High Court called into question the Commission’s finding in the Privacy Shield Decision (that the United States ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the CFR and GDPR). Primarily, the validity of the EU-US Privacy Shield was contested on the ground of recent interferences arising from US Surveillance programmes under Section 702 of the FISA and E.O. 12333, which showed that these laws did not ensure the adequate level of protection as required. Considering that the US did not grant actionable rights to data subjects in the EU before the courts against US authorities, the CJEU held that the minimum safeguards under CFR were not met either by FISA or E.O. 12333. Effective administration and judicial redressal was the bedrock of GDPR, and even an introduction of a Privacy Shield ombudsmen under the EU-US Privacy Shield (to act as an additional redress avenue for all EU data subjects) was incapable of remedying the lack of that right. Effectively, CJEU declared the EU-US Privacy Shield invalid in its entirety.

---