Editor's Note:
Thomas Shaw is the author of the IAPP book: DPO Handbook — Data Protection Officers Under the GDPR.
The lengthy Schrems II case decided by the Irish High Court in October 2017 left open which questions would be referred to the Court of Justice of the European Union. Those 11 questions have now been published by the court, with a slight possibility of revision after reviewing further submissions by defendant Facebook. In general, the questions stay true to the October decision, where the court agreed with the Irish Office of the Data Protection Commissioner in questioning the transfer mechanisms used by Facebook to move the personal data of EU residents from the European Economic Area to the U.S. for processing. This means that the standard contractual clauses, and possibly the new Privacy Shield agreement, will become subject to review by the CJEU.
Just as the original decision by the Irish court was very lengthy and a tough read, the 11 questions are themselves very legalistic, drawing on arguments from the case. Instead of quoting the actual text of the proposed questions, they are rewritten below in plainer English, each followed by a brief explanation. The reference to SCC decisions setting up model contractual clauses for personal data transfers outside the EEA focuses only on one of those decisions, although there are three of them, all of which may or may not be impacted.
There are two important caveats in considering the possible impact of these questions. First, the CJEU, based on its rulings in prior cases, will likely combine some of these questions and reorder them in the way best suited to answer the most important questions first, and it may also find some questions unnecessary to answer. Second, even if it overturns the validity of SCCs, the European Commission and data protection authorities have powers under the EU General Data Protection Regulation to fashion new SCCs, so the court case will not be the final word on the matter any more than the invalidation of the Safe Harbor in Schrems I stopped the use of self-certification mechanisms to transfer personal data from the EU to the U.S.
1. When personal data is transferred from the EEA under SCCs, knowing it may be further processed by the security services of the receiving country, do the rights in the Charter apply, despite derogations allowed in the Treaty of the EU and the Data Protection Directive limiting data protection rights for reasons of national security, defense, public safety, and national economic interests?
In this case, Facebook had argued that these derogations are reasons that personal data transfer to the U.S. should be allowed, as the exceptions that are allowed in the EU should also be allowed when reviewing U.S. law. The court found that the Facebook transfers were primarily for economic reasons, as their potential use under any of these derogations, including national security, was uncertain. The CJEU had previously ruled that the Charter applied to any personal data transferred to the U.S.
2. When analyzing transfers of personal data outside the EEA, should violations be measured against the rights in the Charter, the TEU, the Treaty on the Functioning of the EU, the DPD, the Convention on Human Rights, or some other EU or member state law?
Facebook had argued that the comparator to use for this analysis should be based on national security, as that was the reason the DPC raised its concerns about processing by U.S. security services. Therefore, the proper comparison should be with EU member state national security laws (the EU itself does not handle national security). As the processing of the personal data of EU residents by U.S. security services was for national security purposes, it should therefore also be exempt from data protection rules under the DPD and the Charter, as EU security services in EU member states would be.
3. When personal data is transferred outside the EEA under SCCs, is the adequacy of the measures in the recipient country determined only on that country’s laws and compliance practices or must it also include “administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms, and non-judicial remedies?”
The DPC had argued that a proper assessment was based only on the laws and compliance with the laws, while Facebook argued that a proper assessment of the adequacy of U.S. or any country’s law requires looking at the totality of its laws and practices. Because the DPC had not performed a proportionality analysis on the restrictions to data protection rights within the U.S. for EU data subjects, Facebook asserted its analysis was incorrect.
4. If personal data is transferred from the EU to the U.S. under the SCCs, does it violate Article 7 (privacy) and Article 8 (data protection) rights under the Charter, based on the findings of the court?
The High Court had found that there was mass indiscriminate processing of data by U.S. security services, that the Fourth Amendment as the basic protection against unlawful government surveillance was not available to most EU citizens, that U.S. statutory remedies were difficult for EU citizens to engage, and that the Article III standing threshold for bringing suit in federal court was hard for data subjects to meet in surveillance cases. In summary, the court found: “There are a variety of very significant barriers to individual EU citizens obtaining any remedy for unlawful processing of their personal data by U.S. intelligence agencies.”
5. If personal data is transferred from the EU to the U.S. under the SCCs, does it violate the Article 47 right under the Charter to an effective judicial remedy, based on the findings of the court, and if not, are the U.S. law restrictions on data protection rights for national security proportionate and necessary?
The test for necessity is a legal test typically imposed by European courts on any legal limitations upon fundamental rights and freedoms. Facebook argued that for Article 47 to be violated, there had to first be a violation of Articles 7 or 8 and that the DPC had not found one. Further, Facebook argued that Article 47 only applied to rights under EU law, and as national security is handled by EU member states, Article 47 was not engaged. The DPC argued that the lack of notification to data subjects and an effective remedy eviscerated Article 47 while Facebook countered that this was only true if there was no possibility at all of a remedy. Facebook also asserted that the effectiveness of the remedy should be viewed considering remedies available within the EU in the national security context.
6. What level of protection is required for personal data transferred outside the EEA under SCCs, in respect to both the Charter and the DPD?
The amicus parties took the viewpoint that the SCCs were merely contractual and did not address the level of data protection in the receiving country, while the DPC said that the data subjects must always receive the level of protection as required by the Charter and the DPD. The court found a middle ground where data subjects were required to be afforded a high level of protection, and SCCs could not be relied upon to make up for inadequate data protection regimes in receiving countries.
7. Do mandates by recipient country governments to make personal data available for inspection by its security services make it impossible for there to be adequate safeguards under the DPD for SCCs?
For example, does the NSA processing the personal data of EU residents by itself mean that there can never be the adequate safeguards as required for SCCs in transfers to the U.S.? Security services are not parties to the SCCs and therefore, there are no direct rights under SCCs for data subjects to legally proceed against such a government or its agencies. If there are no adequate safeguards as required by the DPD, no SCC could ever be a valid protection mechanism for EU personal data transfers to a country where security services process that data.
8. When a DPA finds that the surveillance laws in countries receiving EEA personal data conflict with the SCCs, is the DPA: required to suspend data flows, suspend data flows only in exceptional cases, or can the DPA use its discretion to not suspend the data flows?
The SCCs were amended after the Schrems I decision to take away the power from DPAs to suspend data flows to third countries. Instead, DPAs have a power to suspend data flows under the DPD Article 28(3) and are recommended to do so in exceptional cases involving SCCs. This raises the issue of differential treatment by various DPAs creating an imbalance between different member states. The court was concerned that this could mean DPAs are obligated to suspend data flows when the receiving country's surveillance laws conflict with the SCCs. This mandated response could interfere with DPAs' independence and right to decide not to suspend data flows for other reasons (e.g., the desirability of preserving data flows for economic reasons and not creating imbalances among member states).
9. Is the Privacy Shield decision binding on member state courts and DPAs in that it means that the U.S. offers an adequate level of protection? But if it does not, what role does the Privacy Shield adequacy finding have on the adequacy evaluation for SCCs?
Facebook had argued that the Privacy Shield decision was binding as an adequacy decision on the data transfers to the U.S. under SCCs, and any reference to the CJEU was a collateral attack on the Privacy Shield decision. The court ruled that the Privacy Shield was not a national adequacy decision under Article 25(2) about the U.S., but was merely an agreement reached with the U.S. and the EC under Article 25(6) because national adequacy could not be found under Article 25(2). Further, this should not apply anyway, as Facebook was transferring data to the U.S. under SCCs, not the Privacy Shield.
10. Does the role of the Privacy Shield ombudsman in the context of the U.S. privacy regime ensure the Article 47 right to a judicial remedy for personal data transferred from the EEA?
Facebook argued that the EC believed this ombudsman role by itself provided for an effective remedy for EU data subjects. The ombudsman is merely required to acknowledge to an EU data subject that an investigation took place after they initiated a complaint and that processing by U.S. security services was according to designated standards or any violation found has been remedied (but not whether the data subject has been a target of surveillance). The DPC asserted that the ombudsman inter alia was not independent and not subject to judicial review, which the court agreed with.
11. Does the EC’s SCC decision itself violate the rights to privacy, data protection, and an effective judicial remedy under the Charter?
This summarizes all the previous questions and discussion and is the ultimate issue to be determined, whether the SCC decision is itself in violation of the rights guaranteed by the Charter.