CJEU - C-311/18 - Schrems II
|CJEU - C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems|
|Relevant Law:||Article 2(2) GDPR|
Article 45 GDPR
Article 46 GDPR
Article 58 GDPR
Charter of Fundamental Rights of the European Union
Decision (EU) 2016/1250
|Parties:||Data Protection Commission|
|Case Number/Name:||C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems|
|European Case Law Identifier:||ECLI:EU:C:2020:559|
|Reference from:||High Court (Ireland)|
|Language:||24 EU Languages|
|Initial Contributor:||Isabel Hahn|
The Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 (the EU-US Privacy Shield), but affirmed the validity of standard contractual clauses (SCCs), providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens.
English Summary[edit | edit source]
Facts[edit | edit source]
Maximillian Schrems, an Austrian citizen, had been a Facebook user since 2008. As is the case with users residing in the European Union, some of the data belonging to Mr. Schrems had been transferred by Facebook Ireland to its servers belonging to Facebook Inc., located in the United States. In 2013, Mr. Schrems complained to the Irish Data Protection Commissioner (DPC) seeking to prohibit these transfers. When this complaint was rejected, he brought an action against the decision before the Irish High Court, which in turn referred a number of questions to the CJEU, the most prominent of which was whether the EU-US adequacy decision, the so-called “Safe Harbor", was valid.
In its judgment on October 6th 2015 (Case C-362/14, “Schrems I”), the CJEU invalidated the Safe Harbor and stated that, in order to be "adequate", the level of data protection offered by the third country should be “essentially equivalent” to that being offered in the EU. As a result, the High Court annulled the decision rejecting Mr. Schrems’ complaint, and referred the case back to the DPC.
In the remittal “judgment” before the DPC, Facebook Ireland explained that the invalidated adequacy decision was not relevant as a large part of personal data was transferred to Facebook Inc. pursuant to Standard Contractual Clauses (SCCs). On this basis, the DPC asked Mr. Schrems to reformulate his complaint. In his reformulated complaint lodged on December 1st 2015, Mr. Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333). In Mr Schrems’ view, these programs contravened different data protection principles as well as Articles 7, 8, and 47 of the Charter. After investigating the allegations made by Mr. Schrems, the DPC argued that it could not adjudicate on them until the CJEU had examined the validity of the SCCs, and so it brought proceedings before the High Court. On May 4th 2018 the High Court made the reference for a (second) preliminary ruling to the CJEU.
In its reference to the CJEU, the High Court specified that Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information. It was also affirmed that Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs. PRISM in particular, requires Internet Service Providers (ISPs) to supply the NSA with all communications to and from a ‘selector’. UPSTREAM on the other hand, permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata. Furthermore, the High Court had found that Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cables on the floor of the Atlantic. The High Court stated that the only limit on US surveillance activities was found in the Presidential Policy Directive (PPD-28), and even this only stated that intelligence activities should be ‘tailored as feasible’. On the basis of these findings, the High Court considered that the US carried out mass processing of personal data without ensuring a level of protection that was essentially equivalent to that which was guaranteed by Articles 7 and 8 of the Charter. The High Court also highlighted that EU citizens did not have the same remedies available to them as US citizens with regards to the processing of their personal data, since the Fourth Amendment to the Constitution of the United States did not apply to non-US citizens. This meant that it was particularly difficult for EU citizens to establish standing before a US court. Moreover, activities based on E.O. 12333 were not subject to judicial oversight and were not justiciable.
Given the considerable effects of US surveillance law on the rights of Europeans, the High Court raised the question of whether the SCCs are valid, given that they may not be binding on the State authority of the third country. If they did not bind the third country State authority, then they are not capable of remedying a possible lack of an adequate level of protection of personal data.
Dispute[edit | edit source]
The request for a preliminary ruling referred eleven questions to the Court of Justice. The topics covered in these questions were as follows:
- the applicability of EU law to data transfers made for commercial purposes, but further processed for national security and law enforcement purposes
- the relevant legislation for determining whether there has been a violation of individual rights
- how to assess the level of protection in a third country
- whether data transfers to the US violate the Charter
- whether the level of protection offered in the US respects or limits an individual’s right to a judicial remedy
- what level of protection is required to be afforded to personal data that is transferred under SCCs
- whether the SCCs can even be adequate as safeguards given they do not bind national authorities
- whether there is an obligation to suspend data flows if a data importer is subject to surveillance law
- what the relevance of the Privacy Shield decision is with regards to assessing safeguards
- whether the presence of an ombudsperson can ensure that the US provides an effective remedy to data subjects
- whether the SCCs violate the Charter
Holding[edit | edit source]
The Court began by clarifying that the GDPR applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State, to another economic operator established in a third country, even if in that country the data would be processed by the national authorities for public security, defense, and state security purposes. In particular, the Court stressed that a transfer of data is not excluded from the scope of the GDPR for the reason that it may be processed by the national authorities of a third country.
Regarding the level of protection required in such an instance, the Court held that the requirements presented by the GDPR regarding safeguards, enforceable rights, and legal remedies must continue to be applied. In other words, when their data is transferred abroad, a data subject must be afforded a level of protection essentially equivalent to that which they would receive in EU. In such circumstances, in order to assess the level of protection, both existing contractual clauses between the data importer and exporter, and the potential access by public authorities in a third country must be taken into account, along with the relevant aspects of the legal system in the third country.
The Court then analyzed Decision 2016/1250 (the “Privacy Shield”), which was the self-certification scheme in place for controllers based in the US. Examining the decision in light of the provisions of the Charter, the Court held that the requirements of US national security, public interest, and law enforcement do in fact interfere with the fundamental rights of persons whose data is transferred there. These limitations on the protection of personal data were not circumscribed in a way that satisfied requirements that are essentially equivalent to those required under EU law. The principle of proportionality was also not satisfied, in so far as US surveillance programs are not limited to what is ‘strictly necessary’. It was noted that the provisions in the US surveillance programs neither limited the power they conferred onto national authorities, nor granted data subjects actionable rights before the courts against the US authorities. The Court proceeded to scrutinize the Ombudsperson mechanism that had been in place under the Privacy Shield, stating that it too did not provide data subjects with a cause of action before a body which was fully independent, and that this body was limited in so far as it could not impose rules that were binding on US intelligence services.
Taking all of this into account, the Court declared the Privacy Shield Decision to therefore be invalid.
The Court also clarified that in the absence of an adequacy decision, the competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they consider that the standard data protection clauses are not or cannot be complied with in the third country, and that the protection of the data transferred cannot be ensured by other means.
Following this, the Court then examined the validity of the SCCs (Decision 2010/87). First, the Court held that the validity of the Decision was not called into question by the mere fact that the SCCs do not bind national authorities in a third country. After establishing this, the Court emphasized that the validity of the SCCs, however, did depend on whether there were effective mechanisms in place that make it possible to ensure compliance with the level of protection required by EU law. Important to note is that here the Court held that the SCCs in themselves did provide for such mechanisms. However, it went on to stress that where these mechanisms cannot be complied with, the transfers of personal data pursuant to these clauses is to be suspended or prohibited. Furthermore, there is an obligation on the data exporter and the recipient of the data to verify prior to a transfer, what the level of protection in a third country is, and whether it will be possible to comply with the requirements of the SCCs.
Comment[edit | edit source]
The CJEU also commented on the duty of authorities to handle complaints. See para 109 (emphasis added):
"In addition, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. The supervisory authority must handle such a complaint with all due diligence (see, by analogy, as regards Article 25(6) of Directive 95/46, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 63)."
Further Resources[edit | edit source]
Share blogs or news articles here!