By a judgment of 16 July 2020 (Case C‑311/18 – Schrems 2), the Court of Justice of the European Union (CJEU) upholds the European Commission's decision on the Standard Contractual Clauses (SCCs) but declares the Privacy Shield invalid.
This decision raises a lot of concerns, as it is the second time the Commission has failed to negotiate a bespoke transfer mechanism with the US that meets European data protection standards.
Besides, the judgment casts doubt on the lawfulness of data transfers to the US regardless of the transfer mechanism on which organisations rely (e.g. BCR, SCCs, etc.).
Indeed, the Court only validates the SCCs on the basis that they provide effective mechanisms enabling the suspension or prohibition of personal data transfers to a third country whose laws or legal system would make it impossible for the parties to honour them.
Given that the Court considers that US surveillance laws interfere disproportionately with the fundamental rights of EU citizens enshrined in the Charter and do not provide for an effective remedy, we believe that data transfers to the US should be suspended or prohibited until the authorities address the issues. In this regard, the EDPB released a statement to inform stakeholders that it was working on guidance.
Following the CJEU judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650), in which the Court invalidated the Safe Harbor (the predecessor of the Privacy Shield), Facebook Ireland explained that a large part of personal data was transferred to Facebook Inc. on the basis of the SCCs.
On that basis, Mr Schrems lodged a reformulated complaint with the Irish Commissioner on 1 December 2015, in which he claimed that United States law requires Facebook Inc. to make his personal data available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
Considering that the practice of the NSA and the FBI was not compatible with the Charter, Mr Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.
On 24 May 2016, the Irish Commissioner published a ‘draft decision’ stating that:
- The US authorities likely consulted and processed the personal data transferred to the United States in a manner incompatible with Articles 7 and 8 of the Charter;
- US law did not provide EU citizens with legal remedies compatible with Article 47 of the Charter.
The Commissioner found that the SCCs do not remedy that defect, since they confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities.
Based on these findings, the Commissioner brought an action before the Irish High Court, which referred a question on that issue to the Court of Justice of the European Union on 4 May 2018.
1.2. The legal framework of the US authorities’ intelligence activities
According to the findings of the Commission and the Irish High Court, the US authorities’ intelligence activities concerning the personal data transferred to the United States are based on Section 702 of the FISA and E.O. 12333.
A wide scope of surveillance
Under Section 702 of the FISA, the Attorney General and the Director of National Intelligence may jointly authorise, following FISC approval, the surveillance of non-US citizens located outside the United States in order to obtain ‘foreign intelligence information’. Section 702 also provides the basis for the PRISM and UPSTREAM surveillance programmes:
- under the PRISM programme, Internet service providers supply the NSA with all communications to and from a ‘selector’. Some of these communications may be transmitted to the FBI and the Central Intelligence Agency (CIA);
- under the UPSTREAM programme, the NSA may copy and filter Internet traffic flows from networks of cables, switches and routers, in order to acquire communications from, to or about a non-US national associated with a ‘selector’. Under that programme, the NSA has access both to the metadata and to the content of the communications concerned.
Under E.O. 12333, the NSA accesses data ‘in transit’ to the United States, collected directly from underwater cables on the floor of the Atlantic before it arrives in the United States and becomes subject there to the FISA. These activities are not governed by statute.
The PPD-28, a legal provision applicable to these surveillance activities, merely states that intelligence activities should be as tailored as feasible.
Limited judicial protection of EU citizens
EU citizens do not have the same remedies as US citizens as the Fourth Amendment to the Constitution of the United States, which is the most important cause of action available to challenge unlawful surveillance by public authorities, does not apply to EU citizens.
Besides, there are substantial obstacles in respect of the causes of action open to EU citizens, and the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.
2. The CJEU declares the Privacy Shield decision invalid but upholds the SCCs decision
2.1. Why did the Court rule on the Privacy Shield?
Mr Schrems’s complaint targeted only the validity of the SCCs, and therefore, the Court was not required to rule on the validity of the Privacy Shield decision.
However, amongst the questions referred to the CJEU, the Irish High Court asked:
- whether the transfer of personal data based on SCCs breaches the rights enshrined in the Charter; and
- whether the introduction of the ombudsperson referred to in the Privacy Shield Decision is compatible with the Charter.
Since these questions called into question the Commission’s findings and the validity of its decision regarding the Privacy Shield, the Court decided, despite the Advocate General’s advice not to do so, to rule on the validity of the Privacy Shield decision.
2.2. The CJEU invalidates the Privacy Shield because of a lack of safeguards and effective remedies
US surveillance programmes are disproportionate
Based on the referring court’s findings, the CJEU considers that neither Section 702 of the FISA nor E.O. 12333, read in conjunction with PPD‑28, provides the minimum safeguards resulting from the principle of proportionality, as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
US law fails to provide for an effective remedy
The CJEU found that these surveillance programmes do not grant data subjects rights actionable in the courts against the US authorities.
While it acknowledges that EU data subjects have several avenues of redress under US law, it notes that some of the legal bases on which the surveillance programmes rely (e.g. E.O. 12333) are not covered by them.
Therefore, it considers that data subjects have no right to an effective remedy under US law.
The Privacy Shield decision does not address the issue of the effective remedy
The Privacy Shield provides for the Ombudsperson Mechanism, the ombudsperson being the ‘Senior Coordinator for International Information Technology Diplomacy’.
However, the CJEU considered that the Privacy Shield Ombudsperson was not independent, as it is appointed by and reports directly to the Secretary of State and is an integral part of the US State Department.
Besides, nothing in the decision indicates that the ombudsperson has the power to adopt decisions that are binding on the US intelligence services, and the decision does not mention any legal safeguards on which data subjects could rely.
Therefore, the ombudsperson mechanism does not provide any cause of action before a body offering guarantees essentially equivalent to those required by Article 47 of the Charter.
2.3. The CJEU upholds the validity of the SCC decision because it provides for an effective mechanism to suspend data transfers if the law of a third country contradicts the provisions thereof
For the CJEU, it is for the controller or processor established in the European Union to verify, on a case-by-case basis, whether the law of the third country ensures adequate protection of the personal data transferred on the basis of the SCCs, by providing, where necessary, additional safeguards to those offered by those clauses.
As a result, where the controller or processor cannot take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority must suspend or end the transfer of personal data to the third country concerned.
As Clause 5(b) of the SCCs and Article 58(2) GDPR provide for such a mechanism where the data recipient cannot comply with the SCCs, the Court ruled that the SCCs Decision provides effective mechanisms to suspend or prohibit transfers.
3. Did the CJEU prohibit data transfers to the US and any third country with similar surveillance laws?
Given the position of the CJEU, we understand that organisations relying on SCCs or the Privacy Shield should suspend their data transfers to the US until the authorities address the issues of the proportionality of the US mass surveillance practices and the data subjects’ right to an effective remedy.
This position should also apply to transfers based on BCR. Since the Court considers that US law prevents the parties from complying with the SCCs, there is no reason to believe that transfers to the US based on BCR are lawful, as BCR contain clauses similar to those in the SCCs (i.e. suspension of transfers).
Given the above, we may also wonder whether organisations should suspend their transfers to other third countries with similar surveillance practices, such as China, Russia, etc.
The EDPB guidance is therefore eagerly awaited to clarify its position and help organisations transferring data to the US address the issue.