Schrems II and the Transfer of Personal Data: You Were Only Meant to Blow the Bloody Doors Off!

Lorna Woods, Professor of Internet Law, University of Essex

The European Court of Justice (ECJ) recently issued its highly anticipated decision regarding the legitimacy of standard contractual clauses (SCCs) for transferring personal data outside the European Union. This decision is part of a larger effort to challenge the “surveillance capitalism” model employed by many online businesses. While this case significantly impacts SCCs and Facebook’s operations, it also reveals the ECJ’s stance against mass surveillance, a recurring theme in European jurisprudence. This approach is particularly relevant to the UK, which, like the US, employs mass surveillance. With the UK’s exit from the EU, data controllers will need new mechanisms to transfer personal data to the UK, making the ECJ’s stance on mass surveillance in this case an indicator of its potential approach to the UK in the future.

Background

The General Data Protection Regulation (GDPR) permits personal data transfer only under specific conditions, such as an “adequacy decision” for countries ensuring adequate data protection comparable to the GDPR. The US-EU Safe Harbor agreement, an initial adequacy agreement, was invalidated because it failed to provide sufficient protection. This was partly due to the Safe Harbor system itself and partly due to US laws enabling mass surveillance. While the Privacy Shield replaced Safe Harbor and addressed some operational weaknesses, it did little to address surveillance concerns.

Another mechanism for transferring personal data outside the EU is SCCs, which are private agreements between data controllers and recipients. GDPR Article 46(1) stipulates that without an adequacy decision, data transfer to a third country requires “appropriate safeguards,” “enforceable data subject rights,” and “effective legal remedies” for data subjects. The European Commission provided a model for these agreements in SCC Decision 2010/87.

Following the Schrems I ruling, a complaint was lodged with the Irish Data Protection Commissioner (DPC) arguing that US law fails to offer sufficient data protection. This complaint centered around US authorities’ access to transferred data and its use in ways incompatible with privacy rights. The DPC’s view that this complaint questioned the validity of both the SCC and Privacy Shield Decisions led to the issue being brought before the courts. This resulted in the Irish High Court referring the question to the ECJ, ultimately leading to the current ruling.

The Judgment

The Advocate General, in his opinion, suggested that the SCC Decision was valid, but the context in which it operates was problematic. He argued that the Privacy Shield’s validity should be examined separately and that data controllers must ascertain the adequacy of protection in the destination state. The ECJ agreed that the SCC Decision was valid but overturned the Privacy Shield.

The ECJ made several significant findings. First, it asserted its jurisdiction over data transfers even if later used for national security purposes by the receiving country. It maintained that GDPR rules apply, even if data is subsequently processed for national security reasons. The ECJ also reiterated that adequate protection necessitates an “essentially equivalent” level of protection to that in the EU, considering both the SCCs’ terms and the legal environment of the destination state.

The ECJ emphasized the role of national supervisory authorities in ensuring compliance with GDPR regulations. These authorities possess investigative powers and can suspend or prohibit data transfers where the SCCs cannot be complied with in the destination state. Regarding adequacy decisions, the ECJ clarified that a valid decision is binding unless declared invalid, though individuals can still lodge complaints.

The ECJ acknowledged that SCCs, being binding only on the involved parties, might not always ensure adequate data protection. However, it deemed the SCC Decision valid because it provides mechanisms to address these situations. The decision mandates that data exporters and recipients verify the level of protection in the destination state before any transfer and requires recipients to inform data controllers of any inability to comply with SCCs.

Addressing the Privacy Shield Decision, the ECJ determined that it prioritizes US national security over EU data protection standards. The court found US authorities’ access to and use of personal data not “essentially equivalent” to EU law, lacking limitations and proportionality. It deemed the Ombudsperson mechanism, introduced as an improvement over Safe Harbor, insufficient. Therefore, the ECJ declared the Privacy Shield invalid.

Comment

The ruling raises questions about data transfer mechanisms to the US following the invalidation of the Privacy Shield and the limitations of SCCs. The ECJ highlighted the difficulty of individually assessing the adequacy of data protection, given how little control data controllers have over the legal environment in receiving countries.

The ruling emphasizes the ECJ’s interpretation of Chapter V GDPR, aiming to establish a common standard for data protection despite varying wordings in Articles 45 and 46. Article 45, pertaining to adequacy decisions, necessitates an “adequate level of protection” and lists factors like respect for the rule of law, human rights, and relevant legislation. Article 46(1), relevant to other transfer mechanisms like SCCs, requires “appropriate safeguards,” “enforceable data subject rights,” and “effective legal remedies” for data subjects. The ECJ harmonized these articles, ensuring data subjects’ rights aren’t undermined and extending the “essential equivalence” test to all transfer mechanisms outlined in Article 46(2).

The ECJ also highlighted that GDPR requirements must align with the EU Charter as interpreted by the court. This is significant considering the ECJ’s stance on fundamental rights, particularly the right to privacy. The court has previously found bulk data retention by telecommunications operators disproportionate and criticized the use of passenger name records (PNR) data and automated processing. In this case, the court identified a lack of “essential equivalence” with Articles 7 and 8 of the EU Charter, potentially impacting not just the adequacy agreement but also reliance on SCCs or other mechanisms under Article 46(2).

This brings Article 49 GDPR to the forefront, allowing for data transfer derogations in specific situations, like explicit data subject consent or if necessary for contract performance. While these might seem like viable options, caution is advised. “Explicit consent” is a stringent requirement under GDPR, and the “necessary for a contract” ground doesn’t cover all contract-related activities.

Finally, the ruling has implications for the UK, which also employs extensive surveillance. The ECJ’s stance on surveillance raises questions about the UK’s ability to secure an adequacy agreement. While the UK has oversight mechanisms and an independent tribunal, its Investigatory Powers Act permits bulk data collection, potentially conflicting with the ECJ’s stance on proportionality. Additionally, the UK’s data-sharing agreements with the US have caused concern within the EU. Previously benefiting from EU membership, the UK will now need to demonstrate the adequacy of its data protection safeguards. The ECJ’s perspective on surveillance could pose challenges for the UK in securing an adequacy agreement or utilizing other data transfer mechanisms.

Licensed under CC BY-NC-SA 4.0