On the 16th of July we finally got a long-awaited judgment of the Court of Justice in the interesting case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd (Facebook Ireland) and Maximillian Schrems. There were many questions referred, and we will in this blog post go through the most important parts of the judgment. If you are interested in reading our previous blog posts about this case, you can find them here and here. We will however start this blog post with a short recap of what has happened so far, in order to refresh our memories.
Published July 30 2020
Recap of previous events
Maximillian Schrems filed a complaint with the Irish Data Protection Officer (the Commissioner) in 2013, requesting that his personal data should not be transferred by Facebook Ireland to the US, as it was not ensured adequate protection there because of the US surveillance activities. His request was rejected because of the Commission Decision 2000/520, where it was stated that the US provide for adequate protection, and he therefore took the case to court. The High Court in Ireland made a request for preliminary ruling on the matter, and in case C-362/14 the Court of Justice declared decision 2000/520 invalid (paras 52, 53 of the present judgment).
Following this judgment, the referring court annulled the rejection of Mr. Schrems complaint, and the case was referred back to the Commissioner. Facebook Ireland stated that they transfer a large part of the personal data from the EU to the US based on Standard Contractual Clauses (SCC). Because of this, Mr. Schrems was asked to modify his complaint, which he did. He stated that the transfer of data could not be justified based on SCC, as the personal data transferred had to be made available to US authorities such as FBI and NSA. This type of surveillance was according to him incompatible with Article 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the Charter). The Commissioner took the view that the reformulated claim of Mr. Schrems raised the issue of the validity of the SCC. The Commissioner, therefore, made a new action before the High Court, which also made a new request for preliminary ruling to the Court of Justice (paras 54 – 57).
The ruling of the Court of Justice
The applicability of the GDPR
In some cases, transfer of personal data does not fall under the GDPR. However, the Court of Justice come to the conclusion that in a situation as the one in the present case; namely that the transfer (from the EU to a third country) is between two economic operators for commercial purposes, and that there is a possibility that the personal data transferred either at the time of the transfer or thereafter is processed for the purpose of public security, defense and state security of the authorities of the third country, the transfer cannot be excepted from the scope of the GDPR (para 86).
The supervisory authority decides what actions are appropriate to take, after taking in all necessary circumstances regarding the transfer of personal data in question. However, the Court of Justice points out the need for supervisory authorities to act with all due diligence when they get a complaint from a data subject. The exercise of the responsibility to monitor the application and enforcement of GDPR is, as the Court of Justice states, of particular importance when the personal data is being transferred to a third country (paras 108, 109, 112).
When there is an adequacy decision (like the Privacy Shield Decision) and data subjects complain of the transfer of their data, the supervisory authority must still be able to examine independently if that transfer of personal data complies with the requirements laid down in the GDPR. If not, they have to bring the case in front of their national court, which can make a reference for preliminary ruling regarding the validity of the adequacy decision (para 120). Thus, the Court of Justice points out the importance of the supervisory authorities to act on complaints from data subjects!
Standard Contractual Clauses
The Court of Justice come to the conclusion that the SCC Decision is valid. However, companies like Facebook cannot just simply rely on a SCC when transferring personal data to third countries. The Court points out the fact that in recital 109 of the GDPR it is clearly stated that the controller should be encouraged to provide additional safeguards as supplements, when relying on a SCC. It is, therefore, foremost the responsibility of the controller or the processor to analyze on a case-by-case basis if the law of the third country ensures adequate protection of the personal data transferred, and to otherwise ensure such adequate protection by providing additional safeguards. In a case like the present one, where the law of the third country allow for public authorities to interfere with the rights of the EU citizen, to only have a SCC is not enough. When the controller or the processor fail to provide adequate additional measures, it is instead the responsibility of the competent supervisory authority, and if they are failing, the transfer of personal data to the third country should be terminated (paras 126, 132, 134, 135 and 149).
Invalidation of Privacy shield
The Court finally comes to the conclusion that the Privacy Shield Decision is invalid as the Commission disregarded the requirement set out in Article 45(1) GDPR read in the light of Article 7, 8 and 47 of the Charter, when deciding that the US provide for adequate protection of personal data being transferred from the EU to organizations in the US (under the EU-US privacy shield). US surveillance programs are, based on the Privacy Shield Decision, not given any limitations to their power in relation to foreign intelligence or non-US citizen targeted by those programs. The principle of proportionality is therefore not fulfilled (see paras 163, 180, 198 and 201).
Another thing not sufficiently provided for was efficient judicial protection under Article 47 of the Charter. The ombudsperson mechanism in force under the Privacy Shield Decision cannot be equalized to a tribunal, as they are for example not proven to be independent. The Court argues that the ombudsperson is appointed by the secretary of state and is an integral part of the US State Department. Moreover, there is nothing indicating that the ombudsperson can actually adopt decisions that are binding to the previously mentioned surveillance services and, thus, cannot be seen as providing for any legal safeguards for the data subjects (paras 195-197).
What are the effects of this judgment?
The Court of Justice points out that there is no risk of creating a legal vacuum when making the Privacy Shield Decision invalid, as Article 49 GDPR details the conditions for transfer of necessary personal data to third countries when no adequacy decision or appropriate safeguards is in place (para 202). Thus, there will be no problem transferring personal data from the EU to the US as it can, for example, be based on consent from the data subject or be allowed if it is necessary to fulfill a contract. It will therefore be like transferring personal data to most other third countries.
The European Data Protection Board (EDPB) reacted to this case in a statement. The EDPB welcomed the judgment as it emphasizes the fundamental right to privacy. Following, they stated the importance of creating a new agreement between the EU and US to ensure an adequate level of protection of personal data being transferred to the US. The EDPB further informed that they will continue to analyze the case and come with more clarification for stakeholders and guidance on how to transfer personal data to third countries. As a starting point, the EDPB have created a FAQ, which can be found here.
It will be interesting to see if any other adequacy decision of the Commission will emerge in relation to the transfer of personal data to the US. However, such a decision can first come into place when the US provides further safeguards for the personal data of Europeans! A limitation of their surveillance measures would, in that regard, be necessary.
We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email email@example.com or phone 046 – 273 17 17.
You can book a demonstration of GDPR Hero here.