The CJEU will be asked to consider the validity of the adequacy Decisions underpinning the use of standard contractual clauses as a lawful basis for EU-US personal data transfers.
What’s the issue?
After the first Schrems v Facebook complaint resulted in the CJEU striking down Safe Harbor as a data transfer mechanism between the EU and the US, it became clear that much of the CJEU’s reasoning might also be applied to other EU-US data transfer mechanisms.
What’s the development?
The Irish High Court has decided to make references to the CJEU around the validity of adequacy decisions which allow the use of EC standard contractual clauses (the SCC Decisions) as a lawful basis for personal data transfers between the EU and the USA. This puts standard contractual clauses (SCCs) at risk of ceasing to be a lawful data transfer tool for EU-US data flows.
What does this mean for you?
If you rely on standard contractual clauses to transfer personal data between the EU and the USA, the outcome of this reference may be highly significant and it’s true that the CJEU has form in taking bold action in this area. Having said that, question marks around data transfers to the USA are not new and, for now, we need to keep a watching brief on developments, not only in terms of the exact questions referred to the CJEU on model clauses, but also the upcoming report on the first annual review of the Privacy Shield.
What is particularly concerning in the judgment of the Irish High Court is the rejection of the Ombudsperson mechanism as a way of remedying inadequacies in the redress available to EU citizens for misuse of their personal data by US national security agencies. Under Annex A to the Privacy Shield Decision, the Ombudsperson mechanism is “to facilitate the processing of requests relating to national security access to data transmitted from the EU to the United States pursuant to the Privacy Shield, standard contractual clauses, binding corporate rules, Derogations, or Possible Future Derogations”. The Irish High Court accepts the Irish Data Protection Commissioner’s (IDPC) submissions that this does not amount to judicial protection as the Ombudsperson is neither a judge, nor independent of the executive.
We are conceivably looking at a situation in which the Ombudsperson mechanism is a stumbling block to the effective operation, not only of SCCs, but also the Privacy Shield and, by extension, Binding Corporate Rules.
We now have to wait to find out the exact wording of the references to the CJEU (which will be decided following further submissions) and, presumably, for the results of the Privacy Shield review. The Commission may act to forestall any controversial ruling by the CJEU but it is difficult to know how they are going to address the concerns raised around judicial redress, something which is certainly beyond the scope of businesses to deal with in their data transfer contracts. We also need to wait and see whether the CJEU will consider this on an expedited basis given the significance of the issues. While this reference will deal with the law under the current regime, it is unlikely that anything in the incoming General Data Protection Regulation will make much of a difference to the ultimate conclusions.
The reference is being made to the CJEU in response to an application brought by the IDPC as the plaintiff, with Facebook Ireland and Max Schrems as defendants (and other parties, including the US government, as amici curiae). After the Safe Harbor ruling, Schrems submitted a reformulated complaint to the IDPC. His main issue is with the contract between Facebook and Facebook Inc. regarding the transfer of EU personal data to the USA. His alternative position, however, is that if he is wrong about Article 4 of the SCC Decisions securing the validity of the SCCs, then he does challenge their overall validity.
The IDPC came to the view, while investigating the reformulated complaint, that it raises issues as to the validity of the SCC Decisions, so she instituted proceedings in order to determine that point, either in the Irish High Court, or by reference to the CJEU. The Irish High Court was tasked with deciding whether or not the IDPC had good grounds for her concerns. Not being able to decide on the validity of Commission Decisions, the Court was then obliged to make a reference to the CJEU if it agreed with the IDPC.
The specific concern cited by the IDPC in relation to the revised complaint is that there is an absence of an effective remedy in US law compatible with Article 47 of the Charter of Fundamental Rights of the European Union (right to an effective remedy), for an EU citizen whose data is transferred to the US and accessed by US state agencies in a manner incompatible with Articles 7 and 8 of the Charter. She contended that safeguards in the SCC Decisions do not address this.
The Irish High Court held that the Data Protection Commissioner raises well-founded concerns which it shares and that there is no obligation to reject the application by reason of the adoption of the EU-US Privacy Shield Decision. The Court requires the CJEU to determine whether the exceptional discretionary power conferred on the Data Protection Commissioner by Article 28 of the Data Protection Directive to suspend or ban the transfer of data to a data importer in a third country on the basis of that country’s legal regime is sufficient to secure the validity of the SCC Decisions.
The original Safe Harbor CJEU decision focused on two areas, namely whether the activities of the US security agencies relating to EU personal data were assessable under necessity and proportionality requirements; and whether EU citizens had access to judicial redress in accordance with their rights under Article 47 of the Charter. This reference is likely to focus on the second of these issues although it may raise the necessity and proportionality issue by way of alternative. The judgment contains a lengthy and well set out analysis of the rules applying to the processing of personal data by law enforcement agencies in the USA, and of remedies available to US citizens where abuse or misuse is suspected, as compared to those available to EU citizens outside the USA. These are then also analysed against the Article 47 rights.
Crucially, the judge agrees with the IDPC that there are inadequacies in US law which mean that the essence of the right guaranteed by Article 47 is not respected.
In addition to analysing the role of the Ombudsperson under the Privacy Shield adequacy decision, the Irish High Court decision also looks at the impact of the amendments to Article 4 of the SCC Decisions. Here the arguments become slightly more opaque. The issue considered is whether Article 4 of the SCC Decisions preserves their validity irrespective of the laws and practices of the third country to which data is being transferred. The argument presented by some of the parties was that Article 4 effectively puts the issue of redress into the hands of the relevant regulator. The IDPC has the power to suspend or prohibit transfers of data by Facebook to Facebook Inc. pursuant to Article 4 of the SCC decisions. Even if she decides not to, the mere existence of this power would save the SCC Decisions from invalidity.
The Irish High Court concludes, however, that the revised Article 4 no longer confers a power on a supervisory authority so cannot operate as a saver provision. The power to suspend data transfers now comes from Article 28 of the Data Protection Directive itself. The Court looks at recital 11 of the Directive and concludes that Article 28(3) is to be invoked in exceptional cases arising from particular rather than systemic circumstances. The Court also looks at the Safe Harbor CJEU decision, which warns against the creation of a regime in which certain transfers to the US would be allowed by some Member States but not by others. In addition, the power to suspend data transfers under Article 28(3) is a discretionary power. The Court identifies the potential issues with transfers to the USA taking place under the SCC Decisions as systemic rather than particular. It says that if the IDPC were to use her Article 28(3) powers to suspend data flows based on systemic factors, it could result in a lack of EU harmonisation in the area. Moreover, if this discretionary power were to be used in relation to a systemic issue, there would be no real option to exercise discretion. The power to suspend data flows can only validate the SCC Decisions if there is an obligation to suspend data transfers in certain circumstances which, in this case, there is not. The mere fact that there is a power to suspend data flows cannot, therefore, save the SCC Decisions from invalidity based on the perceived inadequacies of the law in the third country.
The Court concludes that it is appropriate and legitimate for both it and the IDPC to identify the true controversy raised in the reformulated Schrems complaint. The Court agrees with the IDPC that this is the validity of the SCC Decisions which can only be resolved by the CJEU. It agrees there is a strong argument that Article 4 does not provide an answer to the concerns raised by the IDPC. “That being so”, the reformulated complaint does raise the validity of the SCC Decisions and it is legitimate for the IDPC to seek a reference to the CJEU. The Court agrees with the IDPC both that there are well-founded grounds for believing that the SCC Decisions are invalid and also that there must be uniformity in the application of the Directive throughout the Union and that, therefore, a reference is necessary and appropriate: “Neither the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the [I]DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States”.