US legal system does not provide effective judicial protection

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement which had been in application since 2016 and had replaced the former Safe Harbuor Privacy Principles, also overturned by the Court in 2015.

 

Context and facts:

The judicial saga started seven years ago when Austrian Facebook user Max Schrems filed a complaint to prohibit the transfer of his personal data from Facebook Ireland to Facebook Inc. in the United States. His complaint was based on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data, due to the US surveillance programme which requires the transfer of some of the data to the US public authorities for State security purposes. 

Further to the Directive 95/46/EC on data protection* and the General Data Protection Regulation, a transfer of personal data from a member State to a third country is possible only to the extent that the third country ensures an adequate level of protection.

At the time, in the United States, the Safe Harbour Privacy Principles - established in 2000 and applying to US companies through a voluntary self-certification mechanism - were applying and considered by the European Commission as providing an adequate level of protection. However, in its first ‘Schrems’ decision (6 October 2015), the CJEU declared the Safe Harbour Privacy agreement inadequate and invalidated the Commission’s decision.

• In response, Facebook argued to nevertheless comply with the Standard Contractual Clauses (SCCs), two sets of contractual clauses issued by the European Commission and providing safeguards for data transfers from the EU to countries outside the European Economic Area (EEA).

• More generally, after the CJEU decision, the EU-US Privacy Shield agreement was established to replace the Safe Harbour Principles, providing a new legal framework for data transfer flows and also applying to US companies through a self-certification mechanism. According to this agreement validated by the European Commission, data transfer to US companies which joined the Privacy Shield programme was considered compliant with the EU regulation as providing an adequate level of protection.

Back in court, the issue was now to judge the validity of the SCCs and the Privacy Shield.

The new CJEU’s ruling:

• Scope of the GDPR: The European regulation applies to the transfer of personal data for commercial purposes to a third country, irrespective of whether, ‘that data is liable to be processed […] for the purposes of public security, defence and State security’.

• Assessment of the level of protection in the third country:

-  Validity of the SCCs: they remain valid as they provide effective mechanisms which, in practice, ensure that transfer is suspended or prohibited where the recipient cannot comply with these clauses.

- Limits of the SCCs: however, these standard clauses alone do not allow to determine the adequacy of the level of protection: both the contractual clauses agreed and the relevant aspects of the legal system applying in the country must be taken into account and interpreted in the light of the Charter of Fundamental Rights in the European Union.

- As a result, unless there is a Commission adequacy decision validated by the CJEU, the competent supervisory authority is required to suspend or prohibit any transfer of data pursuant to the SCC if an adequate level of protection cannot be ensured.

- Validity of the Privacy Shield agreement: the US legal system does not comply with the fundamental right to an effective remedy and to a fair trial (Article 47 of the Charter). Indeed, the Court held that the current legal framework does not grant data subjects actionable rights before the courts against US authorities and does not therefore provide an effective judicial protection. Moreover, the Ombudsperson provided by the Privacy Shield has no power to adopt binding decisions and its appointment and revocation process undermine his/her independence from the executive. The Privacy Shield agreement does not secure an adequate level of protection and is therefore not valid.

With the end of this self-certification mechanism, data controllers and processors will have to carefully adapt the contractual basis of their transatlantic data transfer to be sure to comply with the General Data Protection Regulation. 

It is interesting to note in that context that on July 5 2018, the European Parliament had passed a non-binding resolution asking the European Commission to suspend the Privacy Shield framework. Following the Facebook-Cambridge Analytica data breach, MEPs had emphasized the need for better monitoring of the agreement, given that both companies were certified under the Privacy Shield.

• Judgment C311/18 of the Court (Grand Chamber) of 16 July 2020: Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems

Source: CJEU Curia Website

*applying at the time of the request and now replaced by the GDPR

---

Timeline:

• 25 June 2013: Complaint from Max Schrems to the Commissioner (rejected)
• Complaint to Ireland Courts and request for preliminary ruling from the High Court (Ireland) to the ECJ
• 6 October 2015: First ECJ’s ruling – Schrems I – Safe Harbour Privacy invalidated
• 1 December 2015: Reformulated complaint to the Commissioner raising the question of the validity of the SCC Decision
• 31 May 2016: Action brought to the High Court of Ireland by the Commissioner
• 4 May 2018: request for preliminary ruling from the High Court to the ECJ
• 16 July 2020: Second ECJ’s ruling: Privacy Shield invalidated