Editor's Note:
Thomas Shaw is the author of the forthcoming IAPP book: DPO Handbook – Data Protection Officers under the GDPR.
The so-called 'Schrems II' case for possible referral to the Court of Justice of the European Union makes for fascinating reading. This unintended attack on the standard contractual clauses mechanism may turn out to be legally moot, as it addresses decisions made under the expiring Data Protection Directive and the General Data Protection Regulation allows data protection authorities and the European Commission to fashion such model clauses. However, it does have the potential to impact the credibility of this second of three often-used mechanisms for transferring personal data from the EU to the U.S. In reading through this lengthy opinion, two questions started to resonate again. Specifically, why does the personal data of any EU resident ever need to leave the European Economic Area? And why does the EC keep supporting relatively weak data protection mechanisms such as the Safe Harbor, the Privacy Shield and SCCs?
Before discussing the case, it is important to understand what it analyzes and what it does not analyze. It does analyze the ability of EU data subjects to seek judicial recourse against the U.S. government in case of abuses by U.S. intelligence agencies. What it does not analyze is the totality of U.S. privacy law protections, which encompass more than just federal statutes and regulations. State law privacy statutes and the common law are very significant sources of privacy protections, as is case law, especially class-action litigation. This is not well understood in the EU, which is more familiar with being protected by a comprehensive data protection statute; having to parse reams of case law and many sectoral statutes is not a common experience there.
In a 153-page decision (U.K. and Irish judges write some very long opinions), the High Court of Ireland went through an exhaustive look at applicable EU and national laws that protected the rights of Irish data subjects (although Schrems is Austrian, he filed suit in Ireland, the EU headquarters for Facebook, the ultimate target of his requests to the data protection commissioner). The court then undertook an even more exhaustive analysis of U.S. privacy law, focusing specifically on those laws allowing the intelligence agencies to parse the personal data of EU data subjects. It looked to the protections that those EU data subjects would have in the case of U.S. intelligence agency overreach. Given that the U.S. government was one of four amicus curiae invited by the court, it can only be assumed its positions were well represented.
The court’s review of EU data protection focused on Article 47 of the EU Charter of Fundamental Rights. This provides the right to an effective remedy when those rights have been violated, in a fair, timely, and public hearing before an independent and impartial tribunal. The data protection and privacy rights of EU citizens are declared in the Charter, the Council of Europe’s Convention on Human Rights, and the Treaty on the Functioning of the EU, as well as the DPD. But these only go so far, as both the Treaty on the EU and the DPD make it clear that matters of national security are for the individual member states, and processing of personal data for national security does not fall under the DPD.
The complaint to the DPC, which had to be reformulated after the Schrems I CJEU judgment invalidated the Safe Harbor decision, requested the DPC to suspend data flows from Facebook in Ireland to Facebook in the U.S., primarily due to deficiencies in the SCCs used and secondarily because of mass surveillance by intelligence agencies of Facebook-held data. The DPC reformulated this to be a review of the adequacy of U.S. privacy law for EU data subjects and the ability of SCCs like Facebook’s to offer adequate protections. The DPC investigation found remedies for EU data subjects to be fragmentary and the standing requirement before U.S. federal courts a major impediment in obtaining relief for intelligence agency activities. Because SCCs only provide a cause of action against the data exporter and importer but not the U.S. government, they do not remedy this deficiency.
Facebook argued that as this processing was for purposes of national security, it was outside the scope of the DPD and processing by EU member states for national security should be compared against processing in the U.S. for national security. The court disagreed for many reasons, including that as all transfers to third countries could subsequently be subject to processing by intelligence agencies, the DPD (or GDPR) would never apply to such transfers, and recent CJEU case law stated that all personal data transfers to intelligence agencies are done under the DPD. Facebook also contended that the Privacy Shield decision was an adequacy decision by the EC, and any referral to the CJEU on SCCs would be a collateral attack on the Privacy Shield. The court disagreed, noting that the Privacy Shield was not an adequacy decision on the U.S. privacy regime but instead a unique mechanism allowing personal data transfers by organizations meeting the specific requirements of the Privacy Shield.
The court then analyzed the SCCs, focusing just on the controller-processor SCCs used by Facebook. It noted that the third-party beneficiary clause, which allows a data subject to bring suit against the two parties (data exporter and importer) to the contract for violations of their respective obligations, excludes suit against the EU-based data exporter for not complying with EU data protection law. The DPC asserted that the SCCs do not provide the high level of protection for the personal data of EU data subjects that they would receive within the EU. The court agreed that SCCs by themselves do not provide a high level of protection, and that while it was within the existing powers of DPAs to prevent data flows to countries they determined not to be providing sufficient protections, doing so without coordination among all EU member state DPAs might prove problematic.
The court then analyzed U.S. privacy law with regard to processing by intelligence agencies. The DPC had only looked at whether an EU citizen had an Article 47 right, while the U.S. government and Facebook insisted U.S. laws and practices must be reviewed holistically. After looking at Foreign Intelligence Surveillance Act orders, the Patriot Act, and Executive Order 13233, the court focused primarily on programs operating under FISA's 702 program, PRISM and Upstream, and found that there was “mass indiscriminate processing of data” by the surveillance agencies. The court also found that the Fourth Amendment protections against government surveillance were not available to most EU citizens. The court reviewed the Electronic Communications Privacy Act, the Privacy Act/Judicial Redress Act (which the U.S. National Security Agency is exempted from), and the Administrative Procedure Act for possible remedies and was not reassured, due to various restrictions, but was most concerned about the federal court (Article III) standing requirement.
Due to the lack of notification when subject to surveillance, the court did not believe an EU plaintiff could plead sufficient injury for standing purposes. While it noted there were various procedures to prevent misuse of data, this was “not the same as of providing a remedy where the rules are broken and data is unlawfully collected.” The DPC also asserted that the Privacy Shield Ombudsman role, which oversees all personal data transferred from the EU to the U.S. under any of the available mechanisms, was not independent of the executive, was not a permanent position established in law and had no judicial oversight. The Article 29 Working Party largely echoed these same concerns in its more recent review of the Privacy Shield. The high court sided with the DPC on the need to refer the question of the adequacy of SCCs to the CJEU and would formulate the questions to submit.
So why does the personal data of any EU resident ever need to leave the EEA?
Previously, all processing for a global organization might need to be done centrally at its main data center in the U.S., but that is no longer the case with significant data center and distributed processing capabilities available across the EU. Any U.S. company wanting to transfer personal data from the EU to the U.S. should, therefore, be required to meet a significant necessity threshold before being allowed to undertake such transfers. Typical corporate reasons such as economic efficiency, marketing plans, or data analytics would not meet this necessity threshold to transfer personal data outside the EEA.
Why does the EC keep supporting relatively weak privacy mechanisms such as Safe Harbor, Privacy Shield and SCCs? There are ample rigorous certification mechanisms available in information security, privacy and data protection, so U.S. companies who meet the necessary threshold should then be required to be independently certified in data protection/security and annually recertified. The GDPR’s new certification mechanism may be of use here. Data transferred only when necessary and under independent certification would minimize the amount of EU personal data available to U.S. intelligence agencies and would be a significant improvement in assurance over the Privacy Shield and SCCs.