On Focus

Massimo Maggiore
Giulio Monga

Personal Data Protection

The EU Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield

On 16 July 2020, with its awaited judgment in the Schrems II case, the Court of Justice of the European Union (“CJEU”) invalidated EU Commission Decision 2016/1250, which assessed the adequacy of the “EU-US Privacy Shield” for transfers of personal data from the EU to the US. In the same ruling, however, the CJEU confirmed the validity of EU Commission Decision 2010/87 on controller-to-processor standard contractual clauses for the same purpose of transferring personal data to third countries.


The background

The ruling under comment is part of the judicial saga between Facebook and the Austrian data protection activist Max Schrems relating to transfers of personal data from the EU to the US, which led to the well-known judgment of 2015 (C-362/14), where the CJEU invalidated the “Safe Harbour” mechanism, later replaced by the “EU-US Privacy Shield”.

The EU and the US have been trying over the past twenty years to make their respective data protection systems interoperable. As is known, the two legal systems have a conspicuously different approach to data protection issues. To put it simply, the EU looks at data protection as a fundamental right of individuals, which ranks equal with other fundamental principles, including that concerning the interest of sovereign States in ensuring domestic security; in the US, on the other hand, data protection is treated mostly (recently with the exception of California) as a sectorial issue and may be overridden by the interest of the State, as well as being subservient to economic interests. The safeguards afforded on the other side of the Atlantic to protect personal data from undue invasion are thus limited.

In this scenario, the EU and the US agreed in 2000 on the Safe Harbour Scheme, which paved the way for the adequacy finding of the EU Commission (Decision 2000/520/EC) allowing the transfer of data from the EU to the US. Needless to say, the flow of data between the two geographic areas is massive, on account of the incumbent role played by US tech giants, which often base their business models on personal data harvesting and processing. Posting on social media, sending emails, on-line searches, storing photographs on cloud repositories and so forth are all actions resulting in the exportation of data to the US. Such exportation happens by way of hosting data on servers physically located in America and as such subject to local laws, in particular as concerns the right of law enforcement agencies to have access to such locally hosted personal data, with few, if any, legal firewalls to protect individual privacy from disproportionate intrusion. In this connection, for example, the US legal framework, at least until 2014, seemed to allow substantially unchecked forms of so-called “signals intelligence”, i.e. preemptive investigative access to metadata and personal data, including personal communication, even short of any suspicion of involvement in terrorist activity of the target individuals, based solely on certain alert indicators, such as the ethnicity of the persons involved or words used.

The resulting scarcely fettered large-scale surveillance that the US system would allow led to the CJEU judgment of 6 October 2015, which invalidated the Safe Harbour Scheme, essentially on grounds that: (i) limitations and derogations in relation to the protection of personal data provided for by US law through the mentioned massive surveillance programs were found not to be limited to what is strictly necessary; (ii) neither the Safe Harbour nor the US legislation provided for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, thus compromising the essence of the fundamental right to effective judicial protection; (iii) the Safe Harbour denied the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.

The Safe Harbour was one of the transfer mechanisms allowed under EC Directive 95/46, Article 25(6). After invalidation, the EU Commission and the US Government agreed on the successor scheme, permitting transfer of data across the ocean, which was incorporated in the Privacy Shield Decision 2016/1250, which the Commission again adopted pursuant to Article 25(6) of the EC Directive, corresponding to Article 45 GDPR. The Privacy Shield decision was inter alia based on the overall positive assessment by the Commission of certain reforms enacted under the Obama administration, designed to reinforce the statutory bastions of protection of personal data, including the availability of a number of remedies to challenge unlawful electronic surveillance. These domestic remedies were however not considered sufficient by the Commission, hence the Privacy Shield accord between the US and the EU devised other protective measures and, in particular, the creation of an Ombudsperson Mechanism, as a contact point for foreign governments to raise concerns about US signals intelligence.


The new complaint

Following the invalidation of Safe Harbour, the Irish Supervisory Authority (the Data Protection Commissioner – “DPC”) asked Mr. Schrems to reformulate his complaint concerning the transfer of the personal data relating to him by Facebook Ireland Ltd. to Facebook Inc., its parent company established in the US. Once again, Mr. Schrems reiterated that the United States does not offer sufficient protection of data transferred to that country. In particular, Mr. Schrems claimed that the use of the controller-to-processor Standard Contractual Clauses approved by the EU Commission through Decision 2010/87, which were included in a data transfer processing agreement between Facebook Ireland and Facebook Inc., could not justify the transfer of his personal data to the US. That is because under US law Facebook Inc. is required to make the personal data of its users available to US authorities in the context of the aforementioned signals intelligence, which impedes the exercise of the rights guaranteed in Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the “Charter”). Mr. Schrems claimed that there is no remedy that would allow the data subjects to rely on their rights to respect for private life and to protection of personal data. Mr. Schrems therefore asked the DPC to suspend the transfer of his data in application of Article 4 of Decision 2010/87.

The DPC, as well as the referring Irish High Court, noted that it was impossible to adjudicate on Mr. Schrems’ complaint unless the CJEU examined the validity of Decision 2010/87. Furthermore, the referring High Court also asked the CJEU to rule on the validity of Decision 2016/1250 establishing the “EU-US Privacy Shield”.


The validity of Standard Contractual Clauses

As it did in Schrems I, the CJEU firstly considered that according to the relevant rules of the GDPR, data subjects whose personal data are transferred to a third country pursuant to Standard Contractual Clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. The CJEU specified that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Accordingly, the CJEU considered that the validity of Decision 2010/87 is not called into question by the mere fact that the Standard Contractual Clauses approved therein do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred. However, that validity, the CJEU added, depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law, and to ensure that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of a breach of such clauses or of it being impossible to honour them.

The CJEU found that Decision 2010/87 establishes such mechanisms. Namely, the CJEU pointed out that the decision imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. The Court concluded that nothing affects the validity of Decision 2010/87 and therefore upheld the Standard Contractual Clauses approved therein.


The invalidity of the Privacy Shield

Lastly, disregarding the opinion of the Advocate General of 11 December 2019, the CJEU examined the validity of Decision 2016/1250 establishing the EU-US Privacy Shield.

In that regard, the CJEU noted that the Decision enshrines the position, as did Decision 2000/520 on Safe Harbour, that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred under the Privacy Shield framework. In the view of the CJEU, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.

On the basis of the findings made in that decision, the CJEU pointed out that, in respect of certain surveillance programs conducted under US law, those provisions do not indicate any limitations on the power they confer to implement those programs, or the existence of guarantees for potentially targeted non-US persons. The CJEU added that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programs in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.

As regards the requirement of judicial protection, the CJEU held that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. 

On all those grounds, the CJEU declared Decision 2016/1250 invalid, putting an end to the Privacy Shield era.


Some preliminary remarks

The decision under comment is likely to have a huge impact on transfers of personal data to third countries, as well as important political and economic consequences. The importance of such impacts will likely be clearer in the upcoming months.

Some professionals fear that the decision may create a legal vacuum for transfers of personal data from the EU to the US, thus paralyzing important parts of the economy that rely on those extra-EU transfers of data. With regard to this fear, it should be noted that the CJEU explicitly stated that, in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create a legal vacuum. According to the CJEU, Article 49 details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR, such as the Standard Contractual Clauses (para 202 of the judgment).

“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations,” said Mr. Wilbur Ross.

We will keep you updated.