CJEU Case Law and Current Problems After Schrems II

CJEU rulings have always played a big role in international data transfer. Over the years, the ECJ’s preliminary rulings and annulment cases have influenced how international data transfer is done in a way that concerns many companies and organizations. The Court always aims to protect the principle of ‘protection travels with the data no matter where the data is’.[1]

I.  Procedural history of the Schrems II Case

Examining the procedural history of the Schrems II Case also means tracing the development of this ‘standard of essential equivalence’ in the case law of the CJEU. The standard of essential equivalence was first pronounced in the Schrems I Case[2] in the context of international data transfers to the United States. In Schrems I, Maximillian Schrems, a data protection activist, challenged the transfer of his personal data from Facebook Ireland to Facebook US under EU data protection law. The CJEU has dealt with international data transfer regulations in three landmark decisions: Schrems I, Opinion 1/15, and Schrems II. The CJEU introduced the term “essential equivalence” to express the adequate level of protection in these rulings.[3]

“European personal data protection laws have set the electronic communication privacy standards for more than two decades. Among these standards, the Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament (The Safe Harbour Adequacy Decision) stood out as a cornerstone of the transatlantic data protection regime.”[4] The Safe Harbour decision required that US companies undertake to observe the “Safe Harbour Principles” (a commitment to comply with the EU data protection standards) and register on a “safe harbour list” held by the US Trade Department. However, there were a number of problems with the Safe Harbor Agreement. First of all, numerous data protection authorities raised serious concerns about whether the Safe Harbour Principles actually accorded with EU privacy protection standards. Another flaw in the Safe Harbor framework was the unclear language used to explain the concepts. There was a lot of leeway, and even a simple privacy policy program might be enough to comply with the Safe Harbor rules.[5]

1. Schrems I Case

Max Schrems filed a complaint with the Irish Data Protection Commission in 2013, seeking that Facebook Ireland stop transferring user data to Facebook Inc., which resulted in legal action before Irish courts and the European Court of Justice.[6] Mr Schrems’ complaint questioned the efficacy of the legal and practical protection of personal data collected by Facebook and stored and analyzed in the United States, especially against surveillance by the public authorities of the United States.[7] “Mr Schrems lodged the complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country.”[8] The complaint was dismissed by the Irish Data Protection Commissioner (DPC) on the basis of a European Commission decision that established the Safe Harbor framework between the EU and the US. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and requested a preliminary ruling from the CJEU. The Irish High Court asked whether the national data protection supervisory authority may or must conduct its own investigation into the adequacy of data protection in a third country, or whether the Commissioner is absolutely bound by the Commission’s decision. Advocate General Yves Bot submitted his opinion on the case on September 23, 2015.[9] According to the Advocate General’s opinion, the Safe Harbor agreement must be declared invalid because it failed to provide the necessary legal protection under EU law. On October 6, 2015, the CJEU announced its decision, agreeing with the Advocate General and invalidating the Safe Harbor adequacy decision. The Court decided that national data protection authorities have the right to investigate the adequacy of data transfers under any adequacy decision and that the Safe Harbor agreement should be invalid due to the lack of adequacy.[10]

On July 12, 2016, the EU-US Privacy Shield adequacy decision was adopted, allowing for the free flow of data between the EU and the US as a replacement for the invalidated Safe Harbour principles.[11] The Privacy Shield was based on four main pillars. (1) There is a requirement that companies engaged in such transfers are transparent. (2) There are more significant limitations on companies and the development of more adequate supervision mechanisms. (3) There are more opportunities for legal redress for individuals and more effective legal mechanisms for alternative dispute resolution. (4) There is an annual joint review mechanism that will monitor the functioning of the Privacy Shield.

II. Schrems II Case

Following the Schrems I judgment, Facebook Ireland stated that it transferred much of the data to its US parent company based on SCCs. On 1 December 2015, Max Schrems reformulated his complaint to the Irish Data Protection Authority (DPA), arguing that personal data had not been lawfully transferred to the US by the SCC mechanism because US surveillance programs interfered with his fundamental rights to privacy, data protection and effective judicial protection. In a draft decision, the DPA shared Schrems’ concerns and brought an action before the Irish High Court, which then referred the matter to the Court for a preliminary ruling. Meanwhile, another adequacy decision, the Privacy Shield Decision, became pertinent to the case, prompting the CJEU to rule on this instrument’s validity as well.[12]

“Schrems II is a continuation of the CJEU’s case law in Schrems I and both cases are based on the same facts.”[13] While Schrems I questioned whether the Safe Harbour adequacy decision was compatible with EU law, Schrems II mainly focused on whether SCCs provided ‘appropriate protection’ under Article 46 GDPR. Schrems claimed that the Privacy Shield is a soft update of the Safe Harbor and that it does not provide appropriate safeguards despite the revisions. Several analyses prior to Schrems II raised serious concerns about the Privacy Shield’s compatibility with the standard of essential equivalence. In fact, it is difficult to find an academic opinion that claims the Privacy Shield meets the standard of essential equivalence. In contrast, the Commission continued to find in its annual reviews that the Privacy Shield system worked well.[14]

The DPA and Schrems expressed similar concerns that US law does not provide effective remedies in accordance with Article 47 of the EU Charter of Fundamental Rights (CFR), and that personal data of EU citizens is processed by US agencies for national security purposes in a manner that is incompatible with Articles 7 and 8 CFR. The SCC will not be binding on the US authorities and will only grant data subjects contractual rights against the data exporter/importer. The Irish Supreme Court also held that the surveillance activities had violated Articles 7 and 8 of the CFR and that the limitations imposed by US law on the freedom of non-US citizens were incompatible with Article 47 of the CFR.

In May 2018, the Irish High Court stayed the proceedings and referred several questions to the ECJ for a preliminary ruling. The main question to be discussed in the preliminary ruling was whether the SCCs were valid. For this preliminary ruling, the ECJ asked Advocate General Henrik Saugmandsgaard Øe for his opinion. Advocates General are responsible for giving legal opinions on cases assigned to them. Their opinions foreshadow what the ECJ’s final judgment might look like and what the consequences of that final judgment might be. AG Saugmandsgaard Øe gave his opinion on December 19, 2019.[15] According to the Advocate General, the SCCs should not be invalidated, but reliance on the SCCs requires companies to take additional steps to ensure compliance.

On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision. The CJEU declared the European Commission’s Privacy Shield Decision invalid while affirming the validity of the SCC Decision and imposing stricter requirements for SCC-based transfers.[16]

As a result of this proceeding, the CJEU made a number of very important rulings that will completely change the international data transfer method. In the first place, the CJEU decided that the GDPR applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if that data may be processed by the authorities of the third country in question at the time of the transfer or thereafter for the purposes of public security, defence, and State security. Furthermore, such data processing by third-country authorities cannot exempt such a transfer from the GDPR’s scope.[17] With this judgment, the Court reaffirmed the principle that “protection travels with the data no matter where the data is”.[18]

In the second place, the CJEU pointed out that all transfer mechanisms must provide a level of protection “essentially equivalent” to that of the GDPR. Paragraph 96 makes this point clearly:

“It follows, as the Advocate General stated in point 115 of his Opinion, that such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.”

In the third place, as regards the supervisory authorities’ obligations, the Court ruled that the competent supervisory authority must suspend or prohibit data transfers to third countries if standard data protection provisions (particularly Articles 45 and 46) cannot be met in the third country and the controller or processor has not suspended or terminated the transfer, unless there is a valid Commission adequacy decision.[19]

In the fourth place, the CJEU decided that the Privacy Shield decision is invalid. The main reason given by the CJEU was the limitations on the protection of personal data arising from United States domestic law[20] on the access to and use by US public authorities of such data transferred from the EU to the US. From the standpoint of proportionality, the Commission assessed that the Privacy Shield decision does not correspond to the minimum safeguards required by EU law.

In 2013, American whistleblower Edward Snowden leaked a series of NSA slides about the mass surveillance activities of the US intelligence services, revealing the existence of two government surveillance programs: PRISM and UPSTREAM. The CJEU also stated that these monitoring programs violate the data protection rights of non-US citizens in breach of the EU Charter of Fundamental Rights (CFR).

The Court required a “case-by-case” analysis of the SCCs’ application. Controllers and processors exporting data must determine whether the third country’s law and practice undermine the effectiveness of the appropriate safeguards established in Art. 46 GDPR. Data exporters must implement “supplementary measures” to fill gaps and bring the protection up to the level required by EU law. Unfortunately, the Court of Justice of the European Union did not define or specify what these “supplementary measures” are. This resulted in heated debates and a flood of guidelines and recommendations for additional safeguards.[21]

III.  Implementations After Schrems II 

In Schrems II, the CJEU ruled that SCCs are still a valid cross-border transfer mechanism if the parties involved in the transfer take the necessary “supplementary measures”. SCCs are currently the primary mechanism for commercial entities to transfer personal data across borders. On June 4th, 2021, the European Commission issued the long-awaited new SCCs for the transfer of personal data to third countries.[22] The new SCCs are a useful tool for facilitating cross-border data transfers in a variety of situations. These updated SCCs allow businesses to account for a wider range of complex data transfers while also providing secure exchange of personal data, adding uniformity and legal predictability to business transactions. However, questions remain in situations where an importer is subject to FISA 702 or similar public surveillance.

On March 25, Commission President Ursula von der Leyen and Vice President Joe Biden announced an “in principle agreement” on a new EU-US data sharing framework. According to the White House Fact Sheet, the US is demonstrating a commitment to deploy enhanced protections under Privacy Shield 2.0 to “ensure that signals intelligence activities are required and appropriate in pursuit of identified national security objectives.” While adopting several aspects of Privacy Shield 1.0, the new version will go further to limit intelligence collection to areas where it is “necessary to advance legitimate national security objectives” and will provide additional oversight for US intelligence agencies to protect privacy and civil liberties. Max Schrems made the following statement about this issue in his article published on the website of NOYB (None of your business):[23]

“We understand that, while the US may adopt these words, it has not agreed to limiting surveillance of non-US data subjects in any material way. Specifically, the US has not announced any intention to limit or revise surveillance practices conducted under the laws and programs (FISA 702, EO 12,333, “PRISM” and “Upstream”) specifically mentioned by the CJEU in its ruling.” Although the Schrems II case focused on EU-US personal data transfers, the CJEU’s decision has implications for all transfers outside of the EU due to the proliferation of countries enacting intrusive surveillance laws. “An assessment of the level of protection provided by some third countries can lead to the identification of even higher risks to the rights and freedoms of data subjects than those identified by the CJEU concerning the US.”[24]

[1] European Commission, ‘A European strategy for data’ (19 February 2020), p. 23

[2] Case C-362/14 Schrems I, 2015.

[3] Drechsler, Laura and Kamara, Irene, Essential Equivalence as a Benchmark for International Data Transfers After Schrems II (July 7, 2021). “Research Handbook on EU data protection” Page 10.

[4] Tihomir Katulić, Goran Vojković, From Safe Harbour to European Data Protection Reform, 2016, Page 1694.

[5] Weber, R. H. 2013. “Transborder Data Transfers: Concepts, Regulatory Approaches And New Legislative Initiatives”. International Data Privacy Law 3 (2): 125-127.

[6] Irish High Court, No. 2013 765JR.

[7] Tihomir Katulić, Goran Vojković, From Safe Harbour to European Data Protection Reform, 2016, Page 1696.

[8] The Electronic Privacy Information Center (EPIC) website, Data Protection Commissioner v Facebook and Max Schrems (Standard Contractual Clauses).

[9] Advocate General’s Opinion on Case C-362/14 Maximillian Schrems v Data Protection Commissioner, 23 September 2015, ECLI:EU:C:2015:627.

[10] ECJ Case C-362/14 Maximillian Schrems v Data Protection Commissioner, 6 October 2015, ECLI:EU:C:2015:650.

[11] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, C/2016/4176.

[12] Hendrik Mildebrath, The CJEU judgment in the Schrems II case, EPRS | European Parliamentary Research Service, September 2020 Page 1.

[13] Drechsler, Laura and Kamara, Irene, July 7 2021, “Research Handbook on EU data protection” Edward Elgar Publishing Ltd., Essential Equivalence as a Benchmark for International Data Transfers After Schrems II, Forthcoming, Page 13.

[14] European Commission, ‘Report on the first annual review of the functioning of the EU – U.S. Privacy Shield’ (18.10.2017); ‘Report on the second annual review of the functioning of the EU-U.S. Privacy Shield’ (19.12.2018); ‘Report on the third annual review of the functioning of the EU-U.S. Privacy Shield’ (23 October 2019).

[15] Opinion of Advocate General Saugmandsgaard Øe delivered on 19 December 2019, Case C-311/18.

[16] C-311/18 – Facebook Ireland and Schrems (Schrems II), ECLI:EU:C:2020:559.

[17] C-311/18 – Facebook Ireland and Schrems (Schrems II), ECLI:EU:C:2020:559 (paras. 82,83,85-89).

[18] V. Emanuel Lobato Cervantes, “The Schrems II Judgment of the Court of Justice Invalidates the EU – U.S. Privacy Shield and Requires ‘Case by Case’ Assessment on the Application of Standard Contractual Clauses (SCCS),” European Data Protection Law Review 6, no. 4 (2020): p. 604.

[19] C-311/18 – Facebook Ireland and Schrems (Schrems II), ECLI:EU:C:2020:559 (paras. 107, 108, 112-121).

[20] Section 702 FISA and EO 12333.

[21] Corrales Compagnucci, Marcelo and Aboy, Mateo and Minssen, Timo, Cross-Border Transfers of Personal Data after Schrems II: Supplementary Measures and New Standard Contractual Clauses (SCCs) (October 27, 2021).

[22] European Commission implementing decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[23] Open Letter on the Future of EU-US Data Transfers, Max Schrems, NOYB official website.

[24] Virgilio Emanuel Lobato Cervantes, “The Schrems II Judgment of the Court of Justice Invalidates the EU – U.S. Privacy Shield and Requires ‘Case by Case’ Assessment on the Application of Standard Contractual Clauses (SCCs),” European Data Protection Law Review (EDPL) 6, no. 4 (2020), Page: 606.
