The World Between Principle and Practice
The much anticipated judgment of the Court of Justice of the European Union (CJEU) in case C-311/18, better known as "Schrems II", delivered last Thursday, has triggered a lot of debate and questions, and also some fake news.
In this post I will not summarise the debates and the various positions of the various parties involved. For a selection of valuable insights and statements, see my earlier post.
The purpose of this post is to grasp, in plain language, what the significance of the CJEU ruling is and what it means in a practical sense. For this I gratefully follow the analysis by Eduardo Ustaran, co-head of Hogan Lovells' global privacy and cybersecurity practice, as presented in the IAPP session "The Schrems II Decision: The Day After".
1. Free flow of personal data between Member States.
The General Data Protection Regulation (EU GDPR) is, by its full title, the regulation 'on the protection of natural persons with regard to the processing of personal data and on the free movement of such data', and recital 3 specifies that it is intended 'to ensure the free flow of personal data between Member States'.
2. Transfers to third countries and international organisations may only be carried out in full compliance with the GDPR.
The GDPR recognises that cross-border data transfers are necessary 'for the expansion of international trade and international cooperation'. In any event, transfers to third countries and international organisations may only be carried out in full compliance with the GDPR. So EU data protection does not stop at the EU borders.
Some third countries, however, offer guarantees ensuring an adequate level of protection, in particular where personal data are processed, 'essentially equivalent' (GDPR recital 104) to that ensured within the European Union. For such a country the European Commission adopts a so-called 'adequacy decision'; in other words, transfers to the country in question are assimilated to intra-EU transmissions of data.
If a country is neither part of the EU nor covered by an adequacy decision, the GDPR provides lawful mechanisms to legitimise cross-border data transfers. The mechanism relevant for the Schrems II ruling is that of the so-called Standard Contractual Clauses.
Under these Standard Contractual Clauses (SCC), for instance those for EU controllers transferring personal data to processors established in third countries which do not ensure an adequate level of data protection, both organisations (the exporting organisation and the importing organisation) create, by signing the SCC, a legal obligation to comply with the clauses. The European Commission considers these clauses to offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals, and as regards the exercise of the corresponding rights. The SCC as a legal mechanism only work if both parties comply with the defined set of legal obligations.
Part of the SCC is the understanding that the national Data Protection Authorities (DPA) in the EU have the right to exercise their powers to prohibit or suspend data flows to the third country in which the importing organisation is established, when it is established that the law to which the data importer is subject imposes requirements on it that derogate from the obligations in the SCC.
3. The DPA is required to prohibit or suspend data flows to a third country, when a data importer derogates from the legal obligations in the SCC.
This is where the CJEU ruled: a DPA not only has the right to prohibit such a data flow; it is required to do so.
4. The SCC remain valid as a legal mechanism, but they cannot be relied upon if the importing organisation cannot be expected to comply with the legal obligations in the SCC, because the public authorities in its country have non-proportional access (mass surveillance) to the transferred data, so that the data protection is not essentially equivalent to the GDPR.
Furthermore, in the case of the USA the public authorities of that third country can, by law, require access to and use of personal data of EU citizens via surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and on E.O. 12333. The Court found that this access is not limited to what is strictly necessary (not proportional) and therefore does not ensure a level of protection essentially equivalent to that guaranteed within the European Union by the GDPR.
This means that an importing organisation in the USA that falls under mass surveillance programmes like PRISM and UPSTREAM, which have their legal basis in US law (FISA), cannot be expected to comply with the legal requirements of the SCC; therefore the SCC cannot legitimise that particular data transfer, and the transfer is not lawful. The SCC as a legal mechanism, however, remain valid: the Court upheld the Commission's SCC decision itself.
5. The CJEU concludes that the EU-US Privacy Shield Decision of the European Commission is invalid, because the EU-US Privacy Shield as a whole cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in the GDPR.
A finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. The Court has held that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union:
Article 7
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Finally, the CJEU rules that the Privacy Shield Ombudsperson is not to be regarded as a tribunal within the meaning of Article 47 of the Charter (right to an effective remedy and to a fair trial): the Ombudsperson does not have the independence of a tribunal and cannot adopt decisions that are binding on the US intelligence services. Such a tribunal would ensure, as required by the GDPR, effective and enforceable rights for data subjects whose personal data is transferred to the United States.
As a result of the ruling, the United States of America is a third country without an adequacy decision, and importing organisations there that are subject to Section 702 of the Foreign Intelligence Surveillance Act ("Procedures for Targeting Certain Persons Outside the United States Other Than United States Persons") and to E.O. 12333 cannot rely on the SCC to legitimise EU-US cross-border transfers of personal data.
Aftermath
While the SCC mechanism works in principle, it only works in practice when both parties comply with the legal obligations in the SCC. The European Commission decided that standard contractual clauses offer sufficient safeguards for data transferred internationally, but not merely by signing the document: these safeguards have to be implemented and reviewed by the exporting and the importing organisation.
The new aspect in the CJEU verdict is the explicit mention of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, and the fact that, aside from the obligations which the importing organisation controls itself, the exporting and the importing organisation also have to assess the extent to which the importer is, by law, obliged to give a public authority in the third country access to the transferred EU personal data in a way that must be seen as not proportional (mass surveillance), and whether data subjects whose personal data are transferred to this third country have effective and enforceable rights, as required by the GDPR.
In my next post I will address the practical implications and make some suggestions.
Credit: picture of Prof. dr. Koen Lenaerts, President of the Court of Justice, from: "16.07.2020 - Urteil Schrems gegen Facebook - EuGH / Datentransfers in Drittstaaten", YouTube.
Thanks to my colleague DPO Artan Jacquet for sharing the video!
I am a bookseller and, as Chief Storytelling, I facilitate the gathering and telling of stories. For this I use, among other things, the LEGO(r) SERIOUS PLAY(r) method, Storytelling, Deep Democracy or Sociocracy 3.0.
Jenice Ramcharan, Hermen Bekkers: this piece gives a clear explanation of the way in which personal data can/may be exchanged with the US. Worth reading.