The Advocate General's opinion in the Schrems II case: Facebook, national security, and laws on data protection

Lorna Woods, Professor of Internet Law, University of Essex

Recently, a CJEU Advocate-General presented an opinion on the Schrems II case, which centers on the legality of US national security regulations regarding personal data transfers from the EU, specifically through Facebook. This case follows the impactful Schrems I ruling that invalidated the EU-US data transfer agreement due to insufficient protections against surveillance under US law. While companies shifted to alternative mechanisms, like Standard Contractual Clauses (SCCs), Schrems II (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18)) questions their effectiveness given the persistent influence of US law.

The Case Basics

Following the precedent set in Schrems I, Max Schrems sought to prevent his data transfer from the EU to the US under SCCs, citing inadequate protection of privacy rights in the face of mass surveillance. This led to legal action by the Irish Data Protection Commissioner (DPC), who questioned the validity of the SCC model established by the European Commission. The Irish court’s extensive judgment resulted in a referral to the ECJ to address eleven key questions, encompassing the applicability of EU law to data processed for national security in third countries, required protection levels, SCCs’ non-binding nature, EU Charter compliance of Decision 2010/87 (establishing the SCCs), and the assessment of the Privacy Shield decision, which replaced the invalidated Safe Harbour agreement.

The Opinion’s Findings

The Advocate General clarified that the core issue was the commercial nature of data transfer, not national security processing, thereby keeping it under the purview of EU data protection laws like the GDPR, regardless of potential subsequent use for national security in the recipient country. The Advocate General affirmed the “essentially equivalent” protection standard for data subjects under both SCCs and GDPR (Article 46), despite their different approaches. While adequacy decisions assess legal protections in the destination country, SCCs acknowledge potential shortcomings and aim to provide supplementary safeguards.

Scrutinizing Decision 2010/87

Addressing the validity of Decision 2010/87 in light of the EU Charter, the Advocate General acknowledged that SCCs’ non-binding nature on third countries presented a challenge. If data recipients are unable to consistently uphold data protection safeguards due to their national laws, the effectiveness of SCCs is undermined. The Advocate General proposed that SCC assessment should focus on the inherent strength of the safeguards they offer, acknowledging that third-country laws might weaken or negate these safeguards. Therefore, data exporters or national authorities must retain the ability to halt data transfers on a case-by-case basis if breaches or non-compliance occur. While not invalidating the decision, this highlighted the critical need for robust mechanisms to ensure the suspension or prohibition of transfers in cases of SCC breaches. The Advocate General underscored the GDPR’s requirement (Article 46(1)) for enforceable data subject rights and accessible remedies.

Responsibilities of Data Controllers

The SCCs obligate both data exporters and importers to adhere to the contractual terms. The Advocate General argued that under the GDPR, if exporters become aware of importers’ inability to uphold the SCC terms, they are obligated to suspend the transfer. Additionally, they suggested that parties should proactively assess whether third-country laws might lead to such breaches. Data subjects’ rights are protected against the exporter/controller under Decision 2010/87’s SCCs, and they can also seek recourse from national supervisory authorities.

Supervisory Authorities’ Obligations

The Advocate General contended that national authorities are obligated to suspend transfers when necessary. They emphasized that the right to suspend is not limited to exceptional circumstances (contrary to post-Schrems I amendments) and deemed recital 11 of Decision 2010/87 outdated. They asserted that suspending or prohibiting data transfers is no longer merely optional but an inherent duty of supervisory authorities, aligning with Articles 58(2) GDPR, 8(3) EUCFR, and 16(2) TFEU, which underscore the role of independent authorities in ensuring data protection law compliance. This, according to the Advocate General, translates into a due diligence requirement for authorities, coupled with an obligation to address infringements. Failure to fulfill these obligations could lead to legal action, reinforcing the strict, non-discretionary nature of their responsibility.

While acknowledging existing issues, the Advocate General disagreed with the DPC’s claim that this obligation inadequately addresses systemic issues of insufficient safeguards and leaves previously transferred data unprotected. They maintained that EU law does not necessitate a universal, preventive solution for all transfers to a particular third country that might present similar risks to fundamental rights. To address the lack of effective redress for those already affected, the Advocate General highlighted the role of supervisory authorities in implementing corrective measures and the rights granted under Article 82 GDPR.

The Privacy Shield’s Status

The Advocate General deemed it unnecessary to analyze the Privacy Shield decision, primarily because it presumes the recipient state’s general legal and protective framework provides sufficient protection for SCCs to be applicable—a premise the Advocate General had already dismissed. Nonetheless, they offered guidance if the Court were to consider the issue. Finding adequacy under the Privacy Shield wouldn’t preclude national supervisory authorities from exercising their powers. The Advocate General proposed that comparing the third country’s laws and safeguards with the Member States’ approach to national security within the framework of the European Convention on Human Rights (ECHR) would be appropriate, emphasizing the need for these standards to be transparent and predetermined.

The Advocate General then addressed the scope of the national security exception, generally defined as state or state authorities’ activities directly related to national security, excluding areas where individuals are active. However, uncertainties arise when private operators are involved. The Advocate General sought to reconcile this with existing jurisprudence, suggesting that in cases requiring operators to cooperate with data access requests, regardless of prior retention obligations, GDPR doesn’t apply once national authorities possess and process the data. Therefore, verification must occur first under the GDPR and Charter, and subsequently under the ECHR.

Regarding the continuity of protection, the Advocate General, interpreting Article 44 GDPR, favored a broader interpretation of “after transfer,” encompassing protection from the initiation of the transfer, not just upon arrival. This was deemed crucial to ensure data security during transit, such as through undersea cables.

Analyzing the Commission’s adequacy assessment, the Advocate General reviewed whether it justified the Privacy Shield decision. While acknowledging the need for flexibility to accommodate diverse legal and cultural traditions, the Advocate General emphasized the requirement for “essentially equivalent” minimum safeguards for fundamental rights, as per the Charter and the ECHR. This essential equivalence was a point of contention raised by the referring court. The Advocate General, referring to precedents from both Courts, recognized the inherent interference with rights posed by surveillance, irrespective of the data’s sensitivity. They stated that even the act of making data accessible to authorities, as it deviates from the principle of communication confidentiality, constitutes an interference, even if the data isn’t subsequently accessed or used by intelligence agencies.

Regarding lawful interference, the Advocate General, aligning the ECJ and ECtHR approaches, emphasized that regulations enabling such interference must establish unambiguous and specific rules governing the scope and application of the measure. These rules must impose minimum requirements, providing individuals with adequate guarantees to safeguard their data against misuse, unlawful access, or unauthorized use. The Advocate General expressed doubts about the US framework’s ability to meet this threshold. However, drawing on existing jurisprudence, they acknowledged that the fundamental essence of Article 7 or 8 wasn’t compromised. The Advocate General recognized national security as a legitimate justification for rights interferences but questioned the clarity and precision of measures under the “foreign intelligence information” category and whether they could withstand scrutiny. They acknowledged the lesser weight of such objectives in a proportionality analysis.

Nonetheless, the Advocate General examined the necessity and proportionality aspects, emphasizing the safeguards mandated by Article 23(2) GDPR. They expressed concerns about the clarity of selection criteria and the adequacy of safeguards against abuse, noting the distinction between “as tailored as feasible” and strictly necessary measures. They also highlighted the lack of prior review and expressed reservations about the US regime’s ability to meet the adequacy of protection standards.

Addressing the right to an effective remedy, the Advocate General analyzed the impact of the Ombudsperson Mechanism introduced to address deficiencies in the US system. They reiterated that Article 47’s right to a remedy is supplementary to the requirement for independent oversight/authorization of surveillance. Citing Schrems I, they asserted that the lack of legal recourse signifies a failure to respect the essence of this right. The Advocate General noted that the Ombudsperson Mechanism, lacking both legal establishment and independence, fails to meet the criteria for effectiveness and lacks judicial oversight.

Concluding Thoughts

A superficial reading of the Opinion’s conclusion might suggest that data transfer practices will remain unchanged and that this represents a setback for Schrems. However, this interpretation would misrepresent the Advocate General’s position. The Opinion primarily addresses two key issues: the legality of the SCC decision and the assessment of the Privacy Shield adequacy decision.

While the Advocate General suggests upholding the Decision underlying SCCs, this does not grant a free pass to those transferring data to the US, who must still address privacy concerns. The Advocate General, aiming to avoid dismantling the existing system, emphasizes a decentralized approach reliant on private enforcement by data controllers and national supervisory authorities. This obligation is articulated forcefully, compelling data exporters to proactively investigate and address potential issues by suspending transfers. A passive approach, if the Court adopts the Advocate General’s reasoning, will likely prove untenable. National supervisory authorities face even stricter obligations, potentially increasing their workload due to the need for case-by-case assessments. This approach heavily relies on the threat of legal action by data subjects, which, while empowering individuals, presents a problematic reliance on private enforcement of regulations.

It’s noteworthy that while the Advocate General frames the discussion on SCC acceptability within the context of the Charter, the analysis centers on the right to a remedy, potentially underemphasizing the impact of data transfers on privacy and data protection, particularly within the context of bulk surveillance. Furthermore, the Advocate General seems to assume that the option to pursue legal action within the EU under Article 80 sufficiently addresses the challenges of standing and limited remedies in the third country, and equates financial compensation with more effective behavioral remedies like halting data processing. This aspect contrasts sharply with the analysis presented in the Privacy Shield section.

While the Opinion’s stance on the impact of national security might not be surprising, it carries potential implications for the UK post-Brexit. Currently, while the UK is an EU member, its security and intelligence activities largely fall outside the ECJ’s jurisdiction. However, once the UK is a third country, national security becomes a relevant factor. The Advocate General, addressing this distinction, argues that in assessing the “essentially equivalent” standard for third-country data protection, the ECHR’s standards should apply to interferences arising from national security, a domain outside EU law and the Charter’s reach.

However, this boundary remains somewhat ambiguous, raising questions about the consistency with previous rulings like Schrems I. The Advocate General’s approach appears to deviate from the PNR judgment, which relied on a provision’s purpose to determine its inclusion in the national security exception. Future cases might provide clearer guidelines on this issue.

Regarding the second aspect, despite aiming to avoid directly commenting on the Privacy Shield, the Advocate General’s remarks highlight significant concerns. The Opinion underscores the applicability of law to “automated” surveillance and emphasizes the requirement of legality. The Advocate General, however, expressed reservations about the US framework’s ability to satisfy the necessity and proportionality tests, raising multiple areas for improvement.

Should the Court decide to address the Privacy Shield question, data flows face potential disruptions. Whether this stance will hold is uncertain, given the pressure on the ECJ to reconsider its position on bulk data collection and automated data processing. Several upcoming cases, including Privacy International, La Quadrature du Net & Ors v Commission, La Quadrature du Net & Ors and French Data Network & Ors, and Ordre des barreaux francophones et germanophone, Académie Fiscale ASBL, UA, Liga voor Mensenrechten ASBL, Ligue des Droits de l’Homme ASBL, VZ, WY, XX v Conseil des ministres, will bring these surveillance issues back before the Court, with several Advocate-General opinions expected in January.

Barnard & Peers: chapter 9


Licensed under CC BY-NC-SA 4.0