In this interesting case, previously covered in this blog post, Advocate General (AG) Henrik Saugmandsgaard Øe gave his opinion on the 19 of December 2019. In this blog post we will cover the most important aspects of the opinion, which might give some guidance in how the Court will judge as well. As mentioned in the previous blog post, the opinion of AG is not binding for the court but can be very useful as guidance both for the court and us.
Within the scope of EU law?
The AG starts with pointing out that he finds the present case falling within the scope of EU law. Schrems and the Irish Data Protection Commissioner (DPC) argued for this conclusion (para 103), contrary to the view of Facebook Ireland who thinks the case falls outside the scope.
Data Protection Authorities have a duty to act
The AG also clarifies that the Data Protection Authorities have a duty to act, which of course is an important part of the enforcement procedure based on GDPR. They can therefore not decide not to act, e.g. when it comes to a big influential and important company for their country’s economy.
So, basically, the AG is telling the DPC that they cannot choose when to act, and when not to: they must always act when Fundamental Rights are being violated! That statement is based on the duties within GDPR conferred upon the supervisory authorities, see Article 58(2) GDPR. The DPC argued for that the mentioned provision left some discretion for the supervisory authorities, but AG is of the same opinion as Schrems: namely that there is an obligation for the supervisory authorities to act to ensure a proper application of GDPR, see also Article 57(1)(a) GDPR in this regard (paragraphs 144, 145 of the Opinion).
In Article 52 GDPR it is also clearly stated that the supervisory authority must be independent from any external influence when exercising its powers granted under GDPR. This is of course an important aspect since it has to monitor all companies under its jurisdiction and should in no way be influenced by them when doing so.
The AG states certain doubts about the conformity of Privacy Shield with Article 7, 8 and 47 CFR as well as Article 8 ECHR since it might not provide an adequate level of protection. This is an interesting opinion as Privacy Shield is a way for US companies to certify themselves into having an adequate protection of personal data. Based on a decision by the Commission, data controllers in the EU are allowed to transfer data to companies in the US having Privacy Shield protection.
The validity of Privacy Shield is based on the “essential equivalence” standard, meaning that the US must have essentially equivalent protection of data subject’s personal data when being transferred from the EU to the US. This standard is supposed to be essentially equivalent to the protection under GDPR, CFR and when EU law is not applicable; ECHR (see paragraph 247 of the Opinion).
The AG for example poses some specific questions regarding if the basis for the US surveillance measures are defined clear and precise enough not to pose any risk of abuse (paragraph 289). The AG is also questioning how efficient the role of the Ombudsperson Mechanism is. The Ombudsperson is appointed by, and reporting to, the Secretary of State and is therefore a part of the US State Department. European data subjects have the possibility to lodge a complaint with the Ombudsperson, when their data is being transferred from the EU to the US. AG is however questioning if this mechanism is sufficient to cover for the lack of judicial protection of the persons whose data is being transferred to the US (see paragraph 335 of the Opinion). It can for example be questioned how independent the role of the Ombudsperson actually is.
If the Court were to follow the argumentation by the AG there might be some interesting change in what kind of protection is needed, when transferring data to a third country.
European Charter of Human Rights in regard to US surveillance
The AG is relying on cases based on the European Charter of Human Rights (ECHR), not ones based on the Charter of Fundamental rights (CFR) in this regard. CFR is one of the primary sources of EU law. According to Schrems this is a much more surveillance friendly approach, and he believe that the Court will have a much more privacy friendly approach which he means they’ve had in previous cases. It will be interesting to see if that will be the case!
Standard Contractual Clauses
The AG also states that the Decision 2010/87/EU on SCC (Standard Contractual Clauses) is not shown to be invalid, even though the DPC had that view. If there in a specific case would be any problem with US law, then the DPC would have the opportunity, based on Article 4 SCC, to suspend data flow to the US. The DPC could in that way protect data subject’s personal data and there is therefore no need to invalidate the entire system of SCC.
It will be interesting to see if the court decides to follow the opinion of AG or not. It will also be interesting to see if this judgment will affect US legislation in any way. Making it more concerned with data subjects and the protection of their personal data. If that would be the case, would the US then get rid of the system of Privacy Shield completely, or would they find a way to improve it?