Explanatory Memorandum on the Litigation concerning Standard Contractual Clauses ('SCCs')
Set out below is a detailed summary of the course of the Irish High Court proceedings commenced by the DPC on 31 May 2016 in which a reference was sought to the Court of Justice of the European Union (CJEU) concerning the validity of “standard contractual clauses” (SCCs), a mechanism, implemented by way of European Commission Decisions, under which personal data can be transferred from the EU to the US. The title of the High Court proceedings was “Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems” and the High Court Record Number was 2016/4809P. Ultimately, following a hearing before the High Court in February and March 2017, a preliminary reference was made to the CJEU (the CJEU case number was C-311/18). An oral hearing took place on 9 July 2019 and the CJEU delivered its judgment on 16 July 2020 thus bringing an end to the substantive aspects of the case.
The various stages of the proceedings are described in the memorandum under the following headings.
- CJEU procedure on complaints concerning EU Commission decisions
- DPC’s draft decision
- The Proceedings and the Hearing
- Questions to be referred to the CJEU
- Appeal to the Supreme Court
- Hearing before the CJEU
- Opinion of the Advocate General
- Judgment of the CJEU
Litigation concerning Standard Contractual Clauses
Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems [Record No. 2016/4809 P]
On 31 May 2016, the DPC (then the Data Protection Commissioner) commenced proceedings in the Irish High Court seeking a reference to the Court of Justice of the European Union (CJEU) in relation to the validity of “standard contractual clauses” (SCCs). SCCs are a mechanism, established by a number of EU Commission decisions, under which, at present, personal data can be transferred from the EU to the US. The DPC took these proceedings in accordance with the procedure set out by the CJEU in its 6 October 2015 judgment (which also struck down the Safe Harbour EU to US personal data transfer regime). The CJEU ruled that this procedure (involving seeking a reference to the CJEU) must be followed by an EU data protection authority where a complaint which is made by a data subject concerning an EU instrument, such as an EU Commission decision, is considered by the EU data protection authority to be well founded.
The proceedings taken by the DPC have their roots in the original complaint made in June 2013 to the DPC about Facebook by Mr Maximilian Schrems concerning the transfer of personal data by Facebook Ireland to its parent company, Facebook Inc., in the US. Mr Schrems was concerned that, because his personal data was being transferred from Facebook Ireland to Facebook Inc., his personal data was then being accessed (or was at risk of being accessed) unlawfully by US state security agencies. Mr Schrems’ concerns arose in light of the disclosures by Edward Snowden regarding certain programmes said to be operated by the US National Security Agency, most notably a programme called “PRISM”. The DPC had declined to investigate that complaint on the grounds that it concerned an EU Commission decision (which established the Safe Harbour regime for transferring data from the EU to the US) and on that basis he was bound under existing national and EU law to apply that EU Commission decision. Mr Schrems brought a judicial review action against the decision not to investigate his complaint and that action resulted in the Irish High Court making a reference to the CJEU, which in turn delivered its decision on 6 October 2015.
The CJEU ruling of 6 October 2015 made it clear that where a complaint is made to an EU data protection authority which involves a claim that an EU Commission decision is incompatible with protection of privacy and fundamental rights and freedoms, the relevant data protection authority must examine that complaint even though the data protection authority cannot itself set aside or disapply that decision. The CJEU ruled that if the data protection authority considers the complaint to be well founded, then it must engage in legal proceedings before the national Court and, if the national Court shares those doubts as to the validity of the EU Commission decision, the national Court must then make a reference to the CJEU for a preliminary ruling on the validity of the EU Commission decision in question. As noted above, the CJEU in its judgment of 6 October 2015 also struck down the EU Commission decision which underpinned the Safe Harbour EU to US data transfer regime.
Following the striking down of the Safe Harbour personal data transfer regime, Mr Schrems reformulated and resubmitted his complaint to take account of this event and the DPC agreed to proceed on the basis of that reformulated complaint. The DPC then examined Mr Schrems’ complaint in light of certain articles of the EU Charter of Fundamental Rights (the Charter), including Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated). In the course of investigating Mr Schrems’ reformulated complaint, the DPC established that Facebook Ireland continued to transfer personal data to Facebook Inc. in the US in reliance in large part on the use of SCCs. Arising from her investigation of Mr Schrems’ reformulated complaint the DPC formed the preliminary view (as expressed in a draft decision of 24 May 2016 and subject to receipt of further submissions from the parties) that Mr Schrems’ complaint was well founded. This was based on the DPC’s draft finding that a legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. The DPC also formed the preliminary view that SCCs do not address this lack of an effective Article 47-compatible remedy and that SCCs themselves are therefore likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US.
The DPC therefore commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. The DPC did not seek any specific relief in the proceedings against either Facebook Ireland or Mr Schrems. However, both were named as parties to the proceedings in order to afford them an opportunity (but not an obligation) to fully participate because the outcome of the proceedings would impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook Ireland. Both parties chose to participate fully in the proceedings. Ten interested third parties also applied to be joined as amicus curiae (“friends of the court”) to the proceedings and the Court ruled four of those ten parties (the US Government, BSA The Software Alliance, Digital Europe and EPIC (Electronic Privacy Information Centre)) should be joined as amici.
The hearing of the proceedings before Ms Justice Costello in the Irish High Court (Commercial Division) took place over 21 days in February and March 2017 with judgment being reserved at the conclusion of the hearing.
In the interim period between the conclusion of the trial and the delivery of the judgment on 3 October 2017 (see below), a number of updates on case law and other developments were provided by the parties to the Court.
Judgment was delivered by Ms Justice Costello on 3 October 2017 by way of a 152 page written judgment. An executive summary of the judgment was also provided by the Court.
In the judgment, Ms Justice Costello decided that the concerns expressed by the DPC in her draft decision of 24 May 2016 were well-founded, and that certain of the issues raised in these proceedings should be referred to the CJEU so that the CJEU could make a ruling as to the validity of the EU Commission decisions which established SCCs as a method of carrying out personal data transfers. In particular the Court held that the DPC’s draft findings as set out in her draft decision of 24 May 2016 that the laws and practices of the US did not respect the right of an EU citizen under Article 47 of the Charter to an effective remedy before an independent tribunal (which, the Court noted, applies to the data of all EU data subjects whose data has been transferred to the US) were well-founded.
In her judgment of 3 October 2017, Ms. Justice Costello also decided that, as the parties had indicated that they would like the opportunity to be heard in relation to the questions to be referred to the CJEU, she would list the matter for submissions from the parties and then determine the questions to be referred to the CJEU. The parties to the case, along with the amici curiae, made submissions to the Court on, amongst other things, the questions to be referred, on 1 December 2017 and on 16, 17 and 18 January 2018. During these hearings, submissions were also made on behalf of Facebook and the US Government as to “errors” which they alleged had been made in the judgment of 3 October 2017. The Court reserved its judgment on these matters.
On 12 April 2018, Ms. Justice Costello notified the parties of her Request for a Preliminary Ruling from the CJEU pursuant to Article 267 of the TFEU. This document sets out the 11 specific questions to be referred to the CJEU, along with a background to the proceedings.
On the same date, Ms Justice Costello also indicated that she had made some alterations to her judgment of 3 October 2017, specifically to paragraphs 175, 176, 191, 192, 207, 213, 215, 216, 220, 221 and 239. During that hearing, Facebook indicated that it wished to consider whether it would appeal the decision of the High Court to make the reference to the CJEU and if so, seek a stay on the reference made by the High Court to the CJEU. On that basis, the High Court listed the matter for 30 April 2018.
When the proceedings came before the High Court on 30 April 2018, Facebook applied for a stay on the High Court’s reference to the CJEU pending an appeal by it against the making of the reference. Submissions were made by the parties in relation to Facebook’s application for a stay.
On 2 May 2018, Ms. Justice Costello delivered her judgment on the application by Facebook for a stay on the High Court’s reference to the CJEU. In her judgment, Ms Justice Costello refused the application by Facebook for a stay, holding that the least injustice would be caused by the High Court refusing any stay and delivering the reference immediately to the CJEU.
On 11 May 2018, Facebook lodged an appeal, and applied for leave to appeal to the Supreme Court, against the judgments of 3 October 2017, the revised judgment of 12 April 2018 and the judgment of 2 May 2018 refusing a stay. Facebook’s application for leave to appeal to the Supreme Court was heard on 17 July 2018. In a judgment delivered on 31 July 2018, the Supreme Court granted leave to Facebook allowing it to bring its appeal in the Supreme Court but leaving open the question as to what was the nature of the appeal which was allowed to be brought to the Supreme Court. During late 2018, there were several procedural hearings in the Supreme Court in preparation for the substantive hearing. The substantive hearing of the appeal took place over 21, 22 and 23 January 2018 before a 5 judge Supreme Court panel composed of the Chief Justice – Mr Justice Clarke, Mr Justice Charleton, Ms Justice Dunne, Ms Justice Finlay Geoghegan and Mr Justice O’Donnell. Oral arguments were made on behalf of Facebook, the DPC, the US Government and Mr Schrems. The central questions arising from the appeal related to whether, as a matter of law, the Supreme Court could revisit the facts found by the High Court relating to US law. This arose from allegations by Facebook and the US Government that the High Court judgment, which underpinned the reference made to the CJEU, contained various factual errors concerning US law.
On 31 May 2019 the Supreme Court delivered its main judgment, which ran to 77 pages. In summary, the Supreme Court dismissed Facebook’s appeal in full. In doing so, the Supreme Court decided that:
- It was not open to it as a matter of Irish and EU law to entertain any appeal against a decision of the High Court to make a reference to the CJEU. Neither was it open to the Supreme Court to entertain any appeal in relation to the terms of such a reference (i.e. the specific questions which the High Court had referred to the CJEU). The Supreme Court decided that the issue of whether to make a reference to the CJEU is a matter solely for the Irish High Court. Therefore it was not appropriate for the Supreme Court to consider, in the context of Facebook’s appeal, the High Court’s analysis which led to the decision that it shared the concerns of the DPC in relation to the validity of the SCC decision. This was because this issue was inextricably linked to the High Court’s decision to make a reference to the CJEU and it was not open to Facebook to pursue this as a point of appeal.
- However it was open to the Supreme Court to consider whether the facts found by the High Court (i.e. those facts which underpinned the reference made to the CJEU) were sustainable by reference to the evidence which had been placed before the High Court, or whether those facts should be overturned.
- Insofar as Facebook disputed certain key issues of fact which had been found by the High Court concerning US law, on the basis of the expert evidence before the High Court, the Supreme Court had not identified any findings of fact which were unsustainable. Accordingly, the Supreme Court did not overturn any of the facts found by the High Court. Instead the Supreme Court was of the view that the criticisms which Facebook had made of the High Court judgment concerned the proper characterisation of the underlying facts rather than the actual facts.
The CJEU (Grand Chamber) held an oral hearing in respect of the reference made to it by the Irish High Court on 9 July 2019. The CJEU sat with a composition of 15 judges, including the President of the CJEU, Judge Koen Lenaerts. The appointed Judge Rapporteur was Judge Thomas von Danwitz. The Advocate General assigned to the case was Henrik Saugmandsgaard Øe.
At the hearing, the DPC, Mr Schrems and Facebook made oral submissions before the CJEU. The 4 parties who were joined as amicus curiae (“friends of the court”) to the case before the Irish Court (the USA, EPIC, BSA Business Software Alliance Inc. and Digital Europe) were also permitted to make oral submissions. In addition, the European Parliament, the EU Commission and a number of Member States (Austria, France, Germany, Ireland, Netherlands, and the United Kingdom) who each intervened in the proceedings also made oral submissions at the hearing before the CJEU. Additionally, at the invitation of the CJEU, the European Data Protection Board (EDPB) addressed the CJEU on specific issues.
The Opinion of Advocate General Saugmandsgaard Øe (the AG) was delivered on 19 December 2019.
In this Opinion, as preliminary matters, the AG noted that the DPC had brought proceedings in relation to Mr Schrems’ complaint before the national referring Court in accordance with paragraph 65 of the CJEU’s judgment of 6 October 2015 (as described further above). The AG also found that the request for a preliminary ruling was admissible.
In relation to the questions referred to the CJEU by the Irish High Court, the AG expressly limited his consideration to the validity of the EU Commission Decision underlying the SCCs (SCCs Decision). At the outset, the Advocate General noted that his analysis in the Opinion was guided by the desire to strike a balance between the need to show a reasonable degree of pragmatism in order to allow interaction with other parts of the world and the need to assert the fundamental values recognised in the legal orders of the EU, its Member States and the Charter of Fundamental Rights. He was also of the view that the SCCs Decision must be examined with reference to the provisions of the GDPR (as opposed to the Data Protection Directive (Directive 95/46)) in line with Article 94(2) GDPR and the AG also noted that the relevant provisions of the GDPR essentially reproduce the corresponding provisions of the Data Protection Directive.
The AG considered that EU law applies to a transfer of personal data from a Member State to a third country where that transfer forms part of a commercial activity. In this regard, the AG’s view was that EU law applies to a transfer of this nature regardless of whether the personal data transferred may be processed by public authorities of that third country for the purpose of protecting national security of that country. As regards the nature of the SCCs, the AG opined that the SCCs represent a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
As regards the test for the level of protection which is required in relation to the safeguards (which may be provided by SCCs) contemplated by Article 46 of the GDPR where personal data is being transferred out of the EU to a third country which does not have an adequacy finding, the AG’s opinion was that the level of protection as offered by such safeguards must be essentially equivalent to that offered to data subjects in the EU by the GDPR and the Charter of Fundamental Rights. As such, the requirements of protection of fundamental rights guaranteed by the Charter do not vary according to the legal basis for the data transfer.
Following a detailed examination of the nature and content of the SCCs, the AG concluded that the SCCs Decision was not invalid with reference to the Charter. In his view, because the purpose of the SCCs was to compensate for any deficiencies in the protection of personal data offered by the third country, the validity of the SCCs Decision could not be dependent on the level of protection in the third country. Rather the question of validity must be evaluated by reference to the soundness of the safeguards offered by the SCCs to remedy the deficiencies in protection in the third country. This evaluation must also take account of the safeguards consisting of the powers of supervisory authorities under the GDPR. As the SCCs place responsibility on the controller (the exporter), and in the alternative supervisory authorities, this meant that transfers must be assessed on a case by case basis by the controller, and in the alternative by the supervisory authority, to assess whether the laws in the third country were an obstacle to having an adequate level of protection for the transferred data, such that data transfers must be prohibited or suspended.
The AG then went on to consider the nature of the obligations on the controller carrying out the export of the personal data, which included, according to the AG, a mandatory obligation to suspend a data transfer or terminate a contract with the importer if the importer could not comply with the provisions of the SCCs. The AG also considered the obligations on the importer in this regard and made certain observations about the nature of the examination of the laws of the third country which should be carried out by the exporter and the importer.
The AG also referred to the rights of data subjects who believe there has been a breach of the SCC clauses to complain to supervisory authorities, and went on to consider what he considered the role of the supervisory authority was in this context. In essence, the AG considered that where, following an examination, a supervisory authority considers that data transferred to a third country does not benefit from appropriate protection because the SCCs are not complied with, adequate measures should be taken by the authority to remedy this illegality, if necessary by ordering suspension of the transfer. The AG noted the DPC’s submissions that the power to suspend transfers could only be exercised on a case by case basis and would not address systemic issues arising from a lack of adequate protection in a third country. On this point, the AG pointed to the practical difficulties linked to a legislative choice to make supervisory authorities responsible for ensuring data subjects’ rights are observed in the context of transfers or data flows to a specific recipient but said that those difficulties did not appear to him to render the SCC Decision invalid.
Although noting that the question as to the validity of the Privacy Shield was not explicitly referred to the CJEU by the Irish High Court, the AG considered that some of the questions raised by the Irish High Court indirectly raised the validity of the finding of adequacy which the EU Commission made in respect of the Privacy Shield. The AG considered that it would be premature for the Court to rule on the validity of the Privacy Shield in the context of this reference although he noted that answers to the questions raised by the Irish High Court in relation to the Privacy Shield could ultimately be helpful to the DPC later in determining whether the transfers in question should actually be suspended because of an alleged absence of appropriate safeguards. However the AG also referred to the possibility that the DPC could in the subsequent examination of Mr Schrems’ complaint, following the delivery of the Court’s judgment, decide that it could not determine the complaint unless the CJEU first ruled on whether the existence of the Privacy Shield itself was an obstacle to the DPC exercising the power to suspend the transfers in question. The AG noted that in such circumstances, if the DPC had doubts about the validity of the Privacy Shield, it would be open to the DPC to bring the matter before the Irish Court again in order to seek that another reference on this point be made to the CJEU.
However, despite the AG taking the position that the Court should, in the context of this reference, refrain from ruling on the validity of the Privacy Shield in its judgment, he went on to express, in the alternative, some “non-exhaustive observations” on the effects and validity of the Privacy Shield decision. These observations were set out over approximately 40 pages of detailed analysis, including an analysis of the scope of what the “essential equivalence” of protection in a third party state involved, the possible interferences with data subject rights in relation to data transferred to the US as posed by national intelligence agencies, the necessity and proportionality of such interferences and the laws and practices of the US, including those relating to the question of whether there is an effective judicial remedy in the US for persons whose data has been transferred to the US and whose data protection rights have been subject to interferences by the US intelligence agencies. Having carried out this analysis, the AG ultimately concluded by expressing doubts as to the conformity of the Privacy Shield with provisions of EU law.
The CJEU delivered its judgment on 16 July 2020.
- The judgment addressed a number of points applicable to transfers generally; amongst other things, the court affirmed, as a core principle of EU law, the proposition that, when an EU citizen’s personal data is transferred to a third country, he or she must be afforded a level of protection in respect of their personal data that is essentially equivalent to that guaranteed within the EU; importantly, the Court also clarified that that proposition holds true irrespective of the legal mechanism deployed to justify a given transfer.
- The CJEU upheld the validity of Commission Decision 2010/87/EU, being a decision by which the EU Commission adopted the SCCs. It follows that the SCCs remain available for use by controllers and processors in connection with transfers to third countries, subject to compliance with certain key points of principle articulated by the Court in the course of its judgment.
- In that regard, the CJEU clarified the nature and extent of the obligations to which data exporters - and national data protection supervisory authorities - are subject in any case where SCCs are relied on to justify data transfers to a third country.
- In particular, the Court outlined the steps to be taken by controllers, prior to engaging in data transfers under the SCCs, to verify, on a case-by-case basis and, where appropriate, in collaboration with the data importer, whether the law of the third country to which the data is to be transferred ensures adequate protection under EU law.
- Equally, the Court confirmed that, if, upon investigation, a national supervisory authority concludes that a data subject whose personal data have been transferred to a third country is not in fact afforded an adequate level of protection in that country, the national supervisory authority must, as a matter of EU law, take appropriate action to remedy any findings of inadequacy and, to that end, exercise one or more of the corrective measures identified in Article 58(2) of the GDPR.
- A good deal of the Court’s analysis was directed to an assessment of the protections afforded to EU citizens in the context of EU-US data transfers. In that regard, the Court found that, while the domestic law of the United States imposes certain limitations on US public authorities’ right of access to, and use of, transferred data in particular contexts, those limitations do not provide a level of protection essentially equivalent to that required by EU law.
- Against that backdrop, the Court held that the decision by which the EU Commission adopted the “Privacy Shield” arrangements for EU-US data transfers was invalid. More generally, the judgment may also be read as sounding, at the very least, a strong note of caution in relation to the use of SCCs for data transfers to the US.
Points applicable to transfers generally
Public authority access to transferred data for public security, defence and State security purposes.
The first substantive issue addressed by the Court saw it rejecting the suggestion that public authority access to transferred data for the purposes of public security, defence and State security falls outside the scope of the GDPR. On that score, the Court was emphatic in terms of the confirmation given (at paragraph 89 of the judgment) that the GDPR “applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.”
The level of protection required
At paragraph 95 of the judgment, the Court noted that Recital 107 of the GDPR states that, where “a third country, a territory or a specified sector within a third country … no longer ensures an adequate level of data protection. … the transfer of personal data to that third country … should be prohibited unless the requirements [of the GDPR] relating to transfers subject to appropriate safeguards … are fulfilled”.
As regards the level of protection required by the GDPR in the context of transfers to third countries, the Court found, at paragraph 91 of the judgment, and by reference to Articles 46(1) and 46(2)(c) of the GDPR, that, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country if, and only if:
- the controller or processor has provided ‘appropriate safeguards’ (which may include the SCCs); and,
- on condition that enforceable data subject rights and effective legal remedies are available to data subjects.
Noting that Article 46 does not identify, with specificity, what is meant by the terms “appropriate safeguards”, “enforceable rights” and “effective legal remedies”, the Court held that, in circumstances where Article 44 provides that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’, it follows that the same level of protection must be maintained when personal data is transferred to a third country, irrespective of the legal mechanism under which that transfer takes place (paragraph 92 of the judgment).
Referencing Recital 108, the Court also noted (at paragraph 95 of the judgment), that, in the absence of an adequacy decision, the ‘appropriate safeguards’ to be put in place by the controller or processor in accordance with Article 46(1) must ‘compensate for the lack of data protection in [the] third country’ in order to “ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union”.
Accordingly, using the language it had previously deployed in its judgment in the earlier case of Schrems v. Data Protection Commissioner (Case C-362/14, EU:C:2015:650, 6 October 2015), the Court noted, at paragraph 96, that, in circumstances where Chapter V of the GDPR is intended to ensure that the same high level of protection afforded to data subjects within the EU is maintained if and when their data is transferred to a third country, it follows that, in any case where personal data is being transferred to a third country, the level of protection required is one that is “essentially equivalent” to that which is guaranteed within the European Union.
The Court’s treatment of the SCCs
Application of the SCCs in practice
At paragraph 126 of its judgment, the Court observed that, while the protections built into the SCCs may facilitate the achievement of a level of protection that meets the “essential equivalence” test in the case of transfers to some third countries, the laws and practices of other third countries may be such as to render the SCCs incapable of achieving that level of protection. The Court expressed this point in the following terms:
“Therefore, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.”
Having pointed out at paragraph 128 of the judgment that the safeguards to be adduced by the controller are not required to have their origin in a particular decision adopted by the EU Commission, the Court went on to note, at paragraph 132, that, in any case where the SCCs cannot, in and of themselves, achieve the level of protection required as a matter of EU law, the controller may add other clauses or adduce additional safeguards to supplement the SCCs.
Taking this a step further, the Court noted, at paragraph 133, that the SCCs are, in essence, a baseline provision, comprising a set of contractual guarantees intended to apply uniformly in all third countries. If and to the extent the SCCs cannot achieve the level of protection required under EU law in the context of transfers to a particular third country, it follows that transfers to that third country may only proceed if supplementary measures are adopted by the controller.
The practical application of these points of principle was addressed in paragraphs 134, 135, 141 and 142 of the judgment. In summary terms, the Court pointed out that, in circumstances where the SCCs cannot be deployed as a “one size fits all” solution, capable of achieving the required standard of protection in the case of all transfers to all third countries, it necessarily follows that an assessment is required to determine (and verify) whether the laws of the third country of destination in fact ensure adequate protection to the standard required by EU law where personal data is transferred under the SCCs, and, if not, whether additional safeguards can be provided by the controller to compensate for any shortfall.
The Court clarified that, in the first instance, such an assessment must be carried out by the controller or processor, with the input of the data’s intended recipient, where appropriate. Importantly, the assessment referenced by the Court is one that must be carried out on a case-by-case basis, prior to the commencement of transfers by the controller/processor in question to that third country.
Given their centrality to the Court’s analysis, paragraphs 134 and 135 in particular bear setting out in full:
“134. In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.
135. Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.”
It will be noted that, at paragraph 135, the Court expressly cautioned that, in the case of some third countries, it may well be that no amount of supplemental or additional safeguards will be capable of addressing shortfalls in the level of protection available. In such a scenario, the Court’s position was very clear: such transfers are not permissible; if the controller/processor nonetheless proceeds, it will be a matter for the relevant data protection supervisory authority to intervene to suspend or otherwise end the transfer of personal data to such third country.
The role of data protection supervisory authorities
At paragraphs 111 to 113 of the judgment (and again at paragraph 146), the Court emphasised the central role to be played by national data protection supervisory authorities in connection with the regulation of data transfers to third countries conducted under the SCCs. In that regard, the Court noted that, whilst, in the first instance, it is a matter for the relevant controller/processor to perform the assessment described above, the national data protection supervisory authorities must intervene in any case where (i) the SCCs cannot be complied with in the third country in question, so that the level of protection required by EU law cannot be ensured; and (ii) the controller or processor has not itself suspended or put an end to the transfer.
The Court put the matter in the following terms:
“111. If a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy. To that effect, Article 58(2) of that regulation lists the various corrective powers which the supervisory authority may adopt.
112. Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.
113. In that regard, as the Advocate General also stated in point 148 of his Opinion, the supervisory authority is required, under Article 58(2)(f) and (j) of that regulation, to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.”
Conclusion re: validity of the SCCs
Having completed its analysis of the SCCs and their application in practice, and having noted that, in principle, they may be utilised (with additional safeguards, where necessary) to achieve the level of protection required by EU law (with appropriate mechanisms available for the suspension of transfers in any case where such protections are compromised), the Court concluded as follows:
“It follows that the SCC Decision provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them” (paragraph 148).
Accordingly, on the basis of the analysis set out in its judgment, the Court was satisfied to confirm that the SCC Decision was valid.
Privacy Shield and the position in relation to the US
The Court commenced its analysis by recalling that, in principle, public authority access to an individual’s personal data with a view to its retention or use constitutes an interference with the fundamental rights enshrined at Articles 7 and 8 of the Charter (see paragraphs 170 and 171 of the judgment).
Whilst noting that such rights are not absolute, the CJEU went on to revisit (at paragraph 174 and subsequent paragraphs) existing principles pursuant to which any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. Reference was also made in this context to the following matters:
- the fact that, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;
- the fact that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned (paragraph 175); and,
- the fact that, in order to satisfy the requirement of proportionality, the legislation making provision for such interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that (in the context of data transfers) the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse (paragraph 176).
From there, the Court went on to identify certain specific failings associated with a number of identified US law measures, including Section 702 FISA, EO 12333 and PPD-28, before concluding (at paragraph 185) that,
“… the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter.”
Separately, the Court noted that the EU Commission’s finding in the Privacy Shield Decision - that the United States ensures a level of protection essentially equivalent to that guaranteed in Article 47 of the Charter - had been called into question on the grounds, inter alia, that the Privacy Shield Ombudsperson cannot remedy the deficiencies which the EU Commission itself had found in connection with the judicial protection of persons whose personal data is transferred to the US. Having analysed relevant elements of the Ombudsperson arrangements by reference to applicable EU law principles, the Court ultimately concluded (at paragraph 197) that “the ombudsperson mechanism … does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.”
Relatedly, the Court noted (at paragraph 191 of its judgment) that in recital 115 of the Privacy Shield Decision, the EU Commission had itself found that “while individuals, including EU data subjects, … have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered”. The Court considered that the existence of such a “lacuna” in judicial protection in respect of interferences with intelligence programmes based on [PPD-28] “makes it impossible to conclude, as the Commission did in the Privacy Shield Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.”
The Court also noted (at paragraph 192) that “neither PPD-28 nor E.O. 12333 grants data subjects rights actionable in the courts against the US authorities from which it follows that data subjects have no right to an effective remedy.”
Against that backdrop, the Court held (at paragraph 198) that, in reaching its finding in Article 1(1) of the Privacy Shield Decision, that the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in that third country under the EU-US Privacy Shield, the EU Commission had “disregarded the requirements of Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter.” From there, the Court concluded (at paragraph 199) that “[i]t follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.”
On the basis that Article 1 of the Privacy Shield Decision was “inseparable from Articles 2 and 6 of, and the annexes to, that decision”, the Court took the view that the invalidity of Article 1 “affects the validity of the decision in its entirety.” Accordingly, the Court concluded (at paragraph 201) that the Privacy Shield Decision as a whole was invalid.