Following the judgement in Schrems of October 6, 2015, invalidating the Safe Harbor decision, the CJEU is now requested by the same party to rule on the validity of the decision 2010/87 instating the Standard Contractual Clauses (SCCs) and indirectly, on the validity of the Privacy Shield decision.
In this regard, the Advocate General has issued his position and considered:
– the decision 2010/87 as still valid; and
– though he does not consider the Court should rule on the validity of the Privacy Shield decision, he has provided his point of view and cast some doubts as to its validity.
Mr Maximillian Schrems, an Austrian Facebook user had challenged the Safe Harbor decision allowing the transfer of his personal data by Facebook to the United States of America (USA) following Edward Snowden revelations.
By a judgment of 6 October 2015, the CJEU considered that the Safe Harbor, (former Privacy Shield), was not a valid transfer mechanism because it did not offer sufficient protection against the mass surveillance carried by the US public authorities (in particular the National Security Agency), of the data transferred in that country as revealed by Edward Snowden.
Following this judgement, the European authorities negotiated with the US authorities and the Commission issued a new decision, the Privacy Shield, which is an upgraded version of the Safe Harbor.
However, Facebook informed Mr Schrems that the transfer of his data was based on the SCCs and, Mr Schrrems, called into question the validity of the decision 2010/87 instating the SCCs because there is no remedy that would allow the persons concerned to invoke, in the United States, their rights to respect for private life and to protection of personal data. In those circumstances, Mr Schrems also asked the supervisory authority to suspend the transfer of his data in application of Decision 2010/87.
As a result, the Irish supervisory authority sought to assess whether the USA provided an adequate level of protection and if not, whether the decision 2010/87/EU provided sufficient safeguards. In this regard, the Irish authority brought proceedings before the High Court so that the latter may refer questions to the CJUE for a preliminary ruling.
Such request also calling into question the validity of the assessment carried out by the Commission when adopting the Privacy Shield decision, the Advocate General has also provided his opinion on this matter.
1. The Advocate General considers the SCCs decision as valid
In his report, the Advocate General points out as preliminary points, to consider the SCCs as valid, the following:
- that EU law applies to transfers of personal data to a third country where those transfers form part of commercial activity, even though the public authorities of that third country may process the data for the purposes of national security
- the standard contractual clauses adopted by the Commission provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
- The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.
According to him, such mechanisms are in place as there is an obligation placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer where the obligations imposed by the law of the third country contradicts – is in conflict with the obligations provided in the SCCs.
The decision to suspend a transfer must be based on an analysis carried out on a case by case basis and we understand from the advocate general opinion that the mere fact that the United States may not provide an adequate level of protection does not call into question the validity of the mechanism provided for in the decision 2010/87 instating the SCCs. Indeed, the transfer should be simply prohibited or suspended if such measure is necessary.
2. The Court should not rule on the validity of the Privacy Shield decision
The Advocate General considers that challenging the validity of the decision establishing the SCCs indirectly calls into question the assessments made by the Commission in its decision of 2016 relating to the validity of the “Privacy Shield”. Indeed, the Commission found that the USA ensured an adequate level of protection under the privacy shield, having regard, to the safeguards surrounding the access to the data by the US intelligence authority and the judicial protection available to the persons whose data are transferred.
However, he advise the Court not to rule on the validity of the “Privacy Shield” as this is not the issue at stake in this matter.
3. The Advocate General sets out the reason that leads him to question the validity of Privacy Shield decision
Though it does not consider that the Court should rule on the validity of the privacy shield decision since the issue at stake is with regard to the SCCs, the Advocate General sets out the reasons that lead him to question the validity of the privacy shield decision in the light of the right to respect for private life and the right to an effective remedy.
According to him, the privacy shield decision may be challenged on the following points:
- Risk of lack of proportionality of the interferences because the objectives of the surveillance measures may not be defined sufficiently clearly and precisely: the surveillance measures based on section 702 of the FISA or EO 12333 (US laws) may not be defined sufficiently clearly and precisely to prevent the risk of abuse and to permit a review of the proportionality of the ensuing measure.
- Failure to provide effective judicial remedies to data subjects for the following reasons:
- the ‘privacy shield’ decision does not establish that the surveillance based on EO 12333 would be subject to prior review by an independent body or might be the subject of post factum judicial review
- the ‘privacy shield’ decision does not state that the surveillance measures based on EO 12333 would be notified to the individuals concerned or accompanied by judicial or independent administrative control mechanisms at any stage of their adoption or implementation.
- the Ombudsperson instated by the Privacy Shield decision does not provide a remedy before an independent body offering the data subject a possibility of relying on their right of access to the data or of contesting any infringements of the applicable rules by the intelligence services.
If we follow the reasoning of the Advocate General and we consider that the Privacy Shield decision may be called into question, it should be decided that any data transfer to the USA based on the SCCs be suspended on the ground that US laws contradict the content of the SCCs regardless of whether such transfer mechanism is valid or not.
However, before making such a decision, it remains to be seen what the Court will decide to cover in its decision and what the position of the Irish Court will be in its response to Mr.Shrem.
To be continued …