09 July 2020 - Post by: David Smith
Thursday 16 July promises to be a red letter day in the data protection world, at least for those of us with an interest in international transfers of personal data. This is when the Court of Justice of the European Union (CJEU) has said that it will announce its long-awaited decision in the Schrems II case. Although many outcomes are possible, the Court could potentially strike down the European Commission’s Standard Contractual Clauses (SCCs) as a valid basis for international data transfers from the EU, as well as impacting on other transfer mechanisms, most notably the US Privacy Shield. Here we outline the background to the case, recap on what the Advocate General has said and consider the possible implications of the CJEU’s decision.
The case starts with Max Schrems, an Austrian privacy activist, who was, and still is, concerned about transfers of his personal data to the US by Facebook. His concerns stemmed from the revelations by Edward Snowden in 2013 of the mass surveillance of the communications of non-US persons by US public authorities. At that time Facebook was relying on the European Commission’s adequacy finding for the US Safe Harbor as the basis for its transfers of personal data to the US. Schrems’s complaint to the Irish Data Protection Commission (DPC) led to the European Commission’s adequacy finding being struck down by the CJEU in 2015, the demise of the Safe Harbor as a valid transfer mechanism and its eventual replacement by the US Privacy Shield. In the meantime, Facebook moved from relying on the Safe Harbor to using the SCCs as the basis for the relevant transfers of personal data to the US.
Schrems therefore reformulated his complaint to the Irish DPC on the basis that Facebook’s reliance on the SCCs did not provide adequate protection for his transferred personal data, or sufficiently safeguard his rights, because of the surveillance activities of the US public authorities. The DPC considered that it was not possible to adjudicate on this complaint unless the CJEU first examined the validity of the European Commission’s decision approving the SCCs. It therefore referred the matter to the Irish High Court. After considering the case the Irish Court referred 11 questions to the CJEU on which the CJEU is expected to pass judgment on 16 July. The questions are extensive. The answers potentially impact any international transfers that are reliant on the SCCs, not only those from the EU to the US. The questions also extend to the validity of the new EU-US Privacy Shield. Thus, they go well beyond Schrems’s original complaint which was confined to Facebook’s reliance on the SCCs for transfers of his personal data to the US. The CJEU is not obliged to answer all the questions put to it by the Irish High Court. It remains to be seen how far it will choose to do so.
The Advocate General’s Opinion
Around this time last year the CJEU held an oral hearing of the case. This was followed by the publication of an opinion by the Court’s Advocate General (AG) in December 2019. The AG’s opinion is not binding on the CJEU but will have been influential on the verdict that it is due to deliver. An AG’s opinion often gives a good indication of the direction that the CJEU will ultimately follow. It did so in relation to the original Schrems case striking down the Safe Harbor decision but has not always done so with other significant data protection cases, most notably the Google Spain case.
The AG’s opinion came as a relief to many in that he did not advocate invalidating the SCCs as a basis for international transfers. What the AG did say, however, was that there need to be sound mechanisms to ensure that transfers based on the SCCs are suspended or prohibited where the terms of the SCCs are breached or are impossible to honour due to the surveillance activities of the public authorities in the destination country. There must be an obligation placed on data controllers and, where they fail to act, on data protection authorities to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the SCCs and those imposed on the importer by the law of the destination country, the SCCs cannot be complied with. Essentially, for each specific transfer the exporter and importer must carry out an examination to determine whether the national legislation applicable to the importer prevents it from fulfilling the instructions it receives from the exporter and its obligations under the SCCs. The AG went on to discuss the nature of this examination, which he suggested entails a consideration of all the circumstances characterising each transfer, including the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure their security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country.
The AG also went on to consider the validity of the EU-US Privacy Shield, although he pointed out that resolution of the underlying dispute arising from the Schrems complaint does not require the CJEU to examine this and he suggested that it should refrain from doing so. Nevertheless, in his Opinion the AG expressed considerable doubts as to the conformity of the Privacy Shield decision with the requirements of the GDPR. In particular, he expressed doubts as to whether the right of those whose personal data are transferred from the EU to the US to complain to the US Ombudsperson established under the Privacy Shield amounts to access to effective judicial redress.
What Might We Expect?
In a worst-case scenario the CJEU could immediately invalidate the current SCCs as a basis for international transfers. This would leave businesses scrabbling to find an alternative. The European Commission is already working on new SCCs and this process could no doubt be accelerated. However, if the obstacle to the current SCCs is the surveillance capabilities of public authorities in third countries, it is hard to see how these can be controlled through a contract between a data exporter in the EU and a data importer in the third country, even if the terms of that contract are revised. As the AG has pointed out, the activities of a public authority cannot be limited by a contract to which it is not a party. Indeed, it is hard to see how any of the transfer mechanisms currently available, with the possible exception of an adequacy finding by the European Commission, can really address this issue.
However, the surveillance capabilities of public authorities and any safeguards associated with them vary considerably from country to country. In some cases they might well meet the standard necessary if transfers based on the SCCs are to comply with the requirements of EU law. It would indeed be a sweeping step if the CJEU were to prevent transfers on the basis of the SCCs being made to any country in the world regardless of that country’s surveillance regime. One possibility could be for the Court to confine itself to considering transfers to the US, given that this was the basis of the original complaint from Schrems. However, even if it does this, any judgment is likely to have wide-reaching implications for the legality of transfers elsewhere.
Given this, there is, perhaps not surprisingly, a certain logic behind the AG’s Opinion that the SCCs are not in themselves a problem, or at least not a problem that couldn’t be put right through the updated SCCs that are currently under development. Rather, it is that the SCCs cannot be relied on without an accompanying evaluation of whether, given the surveillance regime in operation, the parties can meet their obligations under both the SCCs and the GDPR. A data exporter using the SCCs as a basis for transfer has to assess whether, in all the circumstances, the risks to the rights and freedoms of EU data subjects posed by the surveillance regime in the destination country could prevent it from providing appropriate safeguards for the data subjects. This is, though, likely to be a challenging proposition not just for EU data exporters but also for the data protection authorities who the AG says should have an active supervisory role here. How might a data exporter understand just what the risks to the rights and freedoms of the data subjects are, particularly if the surveillance regime in the destination country is one that, as will often be the case, is much less transparent than the regime in place in the US? A data exporter is likely to find it even more challenging if any surveillance takes place indirectly through the interception of communications on their way to or from the data importer in the third country rather than, as is the case of the Facebook transfers complained about by Schrems, directly through orders placed on the data importer by that country’s public authorities.
If the CJEU does follow the AG’s opinion, we can only hope that any additional obligations that the Court places on data exporters in connection with surveillance are ones that data controllers will be able to fulfil in practice without disproportionate effort and expense. Experience suggests that it may be too much to expect that the Court will itself provide much in the way of guidance to assist businesses in making the necessary assessments, but there will certainly be an expectation on the European Commission and the EDPB to do so as a matter of priority. This will not be an easy task for them. Any outcome that preserves the SCCs as a basis for international transfers will almost certainly be more palatable though, even if it is accompanied by additional obligations, than an outcome that renders the SCCs obsolete.
We will return to this topic with an update and further comment following the publication of the CJEU decision itself next week.