The CJEU is considering the validity of the standard contractual clauses, whether transfers of personal data to the US breach the EU Charter and the impact of the Privacy Shield. The decision will be given in early 2020, but the significance of the matters being considered means that many organisations are keen to understand more about what was discussed at the hearing. We’ve summarised key points discussed below – courtesy of dispatches from a lawyer from Bird & Bird’s Brussels office.
1. Validity of the Standard Contractual Clauses
The validity of the standard contractual clauses ("SCCs") was widely discussed. Many of the parties, including the industry associations, the European Commission, the governments of Ireland, Germany, France, etc. - and even Mr Schrems - argued that SCCs should not be invalidated and defended the overall validity of the transfer mechanism.
'We agree with the DPC [on U.S. surveillance], but not on the radical solution. The solution is not for the court to invalidate standard contractual clauses but for the DPC to enforce them,' Mr Schrems' lawyer said.
The arguments put forward mainly related to the fact that, even if the laws of third countries do not provide adequate protection to the personal data, SCCs should provide for appropriate safeguards. The rationale behind the SCC regime is that the data exporter and the data importer take responsibility to provide the appropriate safeguards; therefore the protection of the personal data is independent from the laws of the third countries.
It was reiterated that invalidation of the SCCs would totally disrupt data transfers from the EU with very serious negative impacts on the competitiveness and the daily functioning of EU companies. Some parties suggested that it was for the DPC to use its powers and suspend or prohibit the transfer, which could have resolved this case.
There were various views expressed concerning whether adequate protection, or appropriate safeguards, must be provided where "data is in transit" (i.e. travelling through third countries other than the third country of destination).
The particularities of US surveillance laws and the available judicial remedies in the US, one of the main concerns of the DPC, were meticulously discussed. Case law of the European Court of Human Rights ("ECHR") concerning government surveillance was considered.
As to how this applies to Facebook itself, Facebook’s lawyer told the CJEU that 'there is no evidence that Facebook’s transfers are under any particular risks' and a representative of the US government argued that Facebook does not comply with all data access requests made by the U.S. government: 'The level of request [by government agencies] is very small compared to the data Facebook has, and Facebook carefully scrutinises those requests for legal validity.'
Both Facebook and the U.S. government argued that the CJEU is not competent to rule on a foreign surveillance regime. The GDPR does not give the EU the mandate to "conduct a worldwide enquiry" of surveillance regimes across the world, a representative for the U.S. government said.
3. Validity of the Privacy Shield
One of the looming questions in this case is whether the DPC needs to consider only the SCCs or see them alongside other data transfer mechanisms, such as the EU-US Privacy Shield. Should the DPC take a holistic approach, or should each mechanism stand or fall on its own?
For the hearing, the CJEU also asked a series of questions about the legality of the Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (challenged in General Court Case T-738/16 - La Quadrature du Net and Others v Commission). The CJEU insisted the two cases are linked. A separate hearing in that case has been postponed pending a judgment in this case.
'This Court should find that Privacy Shield is invalid', Schrems' lawyer said during the hearing.
The EDPB also expressed some known concerns about effective remedies for European citizens in the U.S. The EDPB 'cannot state that the Ombudsperson constitutes an effective remedy,' Andrea Jelinek, chairman of the EDPB, told the CJEU, referring to the person in charge of handling complaints by European citizens.
4. Position of the DPC
EU institutions, national governments and industry groups joined Mr Schrems and even the Irish government in criticising the DPC, which had deferred the matter to the Irish High Court (which then referred the preliminary questions to the CJEU) instead of handling the case itself.
'It is to the supervisory authority to assess, based on a complaint, whether data are protected under SCCs. If not, they may suspend transfers', said Andrea Jelinek.
A representative of the Irish government said that 'the DPC has the necessary power to suspend or prohibit data flows', thereby referring to Facebook’s data transfers to the U.S., which were the subject of a complaint brought by Mr Schrems in 2013. 'We acknowledge the difficulty of the task, but it should not mean all standard contractual clauses should be deemed invalid.' Instead of deciding on the case, the DPC asked its country’s national courts to determine whether SCCs were valid.
5. Questions from the court and the advocate general
The CJEU and the Advocate General ("AG") directed questions mainly to the EC. The EC seemed to be caught off-guard concerning several of those questions and did not provide a clear or well-reasoned answer.
The CJEU had several questions concerning the relationship between the SCC regime and the adequacy decision regime for transfers to third countries. The CJEU asked:
- whether companies can rely on SCCs even though an adequacy decision (i.e. the EU-US Privacy Shield) is available for the third country, especially considering the wording of Article 46(1) GDPR ("in absence of a decision pursuant to Article 45(3)");
- whether a company may choose for each transfer (to the same third country) whether it relies on SCCs or an adequacy decision;
- what the relevance of an adequacy decision is in case a company decided to rely on SCCs for its transfers, and the supervisory authority has to determine whether to suspend or prohibit the transfer on the basis of the SCCs.
The CJEU was concerned that even if it sustains the validity of the SCCs, the DPC may not be able to suspend or prohibit the transfer to the US, because the existing adequacy decision, the EU-US Privacy Shield, has been adopted on the premise that the third country provides an adequate level of protection. Since the DPC is bound by this decision (as was ascertained in the Schrems I case) it cannot conclude that the transfer should be suspended or prohibited. As a consequence, it was suggested that the CJEU should consider the validity of the Privacy Shield. The CJEU stated that it does not wish to adjudicate on the validity of the Privacy Shield, but will do so, if it considers it legally necessary to resolve the case.
The EC took the position that the validity of the EU-US Privacy Shield should not be subject to the present case and that companies are free to choose between the adequacy decision or SCCs with regards to each transfer they pursue. Furthermore, the two regimes should be kept separate.
In this regard the AG asked the DPC whether it would need to consider the Privacy Shield when deciding on the suspension or prohibition of transfers on the basis of SCCs. The DPC answered that it did not think that the Privacy Shield would apply to the transfer where the company relied on SCCs.
The CJEU also asked for the views of the EC on whether US surveillance techniques, namely, access to electronic communication data after filtering it via "selectors" constitute processing and to what extent the US intelligence community has access to the content of electronic communications. The EC argued that the "selector" system is regulated, therefore it cannot be considered that the US intelligence community has access to all electronic communication data and according to CJEU case law, this is not considered as "access" and processing.
The CJEU seemed rather doubtful whether the EC correctly assessed the adequate protection that US law provides for personal data when adopting the Privacy Shield decision, in light of the intrusive nature of the US surveillance laws. The EC pointed out that the consideration of surveillance laws of a third country is normally not necessary to adopt an adequacy decision, and the case of the US was specific due to the public concerns raised in the Schrems I case.
Finally the CJEU inquired whether the EC considers that the Ombudsperson system would constitute an effective judicial remedy within the meaning of Article 47 of the Charter. The CJEU seemed to interpret Article 46(1) GDPR in the sense that it specifically requires that effective judicial remedies are available in case the SCC regime is relied on, on top of the obligations of the companies to provide appropriate safeguards for the transfer.
The EC replied that in order to decide whether there is an available judicial remedy, the whole legal system should be considered, not just one element, in line with ECHR case law concerning government surveillance.
In his last question, the AG inquired whether EU law is applicable to government surveillance activities or whether it falls within the remit of "national security" where neither EU law nor the Charter are applicable. Particularly, the AG was concerned that the EU would apply standards to the US surveillance law which would not be applicable to the surveillance laws of EU Member States. It seemed that this outcome would not be desirable.
The EC answered that concerning electronic communication data, the E-Privacy Directive would be applicable, but otherwise the EC did not provide a clear answer on this point.
Parties present at the hearing
Facebook, Mr Schrems, the Irish Data Protection Commissioner ("DPC"), the US Government, the European Privacy Information Centre, the Business Software Alliance, DigitalEurope, Ireland, Germany, France, the Netherlands, Austria, the United Kingdom, the European Parliament, the European Commission ("EC") and the European Data Protection Board ("EDPB").
Following the judgment in C-362/14 (Schrems I), Mr Maximilian Schrems amended his initial complaint against the DPC. This amended complaint now concerns the fact that his personal data is transferred from Facebook Ireland to Facebook Inc. in the US by means of standard contractual clauses ("SCCs"). Mr Schrems argues that Facebook Inc. is obliged to make his personal data available to the US authorities, such as the NSA and the FBI, and that he does not have any legal means to enable him, as a data subject, to take the necessary action to protect his rights with regard to his personal data. Mr Schrems states that the data protection authorities may suspend data flows in certain situations and requests the DPC to apply applicable Irish law to suspend all data flows from Facebook Ireland to Facebook Inc.
The main question referred to the CJEU reads as follows:
"In circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose pursuant to Decision 2010/87/EU as amended by Commission Decision 2016/2297 (“the SCC Decision”) and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter of Fundamental Rights of the European Union (“the Charter”)) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to national security and the provisions of the first indent of Article 3(2) of Directive 95/46/EC (“the Directive”) in relation to public security, defence and State security?"