
New challenges to transfers of personal data from the EU to the United States


Publishing date
20 July 2020
Authors
J. Scott Marcus

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgment in a case that is widely referred to as Schrems II (CJEU 2020a and 2020b), and the decision is a bombshell!

The US and the EU are the world’s largest trading partners, and the transfer of personal data constitutes an important component and enabler of that trade. Those transfers are important not only to US digital firms, but also to EU consumers who use their services, and to many EU and US businesses. The judgment eliminates or cripples two of the main mechanisms employed today to enable that data transfer. In the extreme case, this judgment could theoretically block those data transfers.

The judgment not only immediately invalidates Privacy Shield, but may also have the effect, once the dust has settled, of effectively blocking transfers of personal data to the USA using the popular mechanism of Standard Contractual Clauses (SCCs).[1]

This is the second time that transfers of personal data to the US have been put at risk by a CJEU decision that sought to ensure respect for the privacy rights of EU persons. This time, as in 2016, we expect that workarounds will be found, and that the impact will be significant but will not prove to be extreme in the end.

Background of the case

The case is a continuation of the Schrems I case (see Marcus and Petropoulos, 2015), where an Austrian privacy advocate and Facebook user, Maximillian Schrems, lodged a complaint with the Data Protection Commission of Ireland claiming that the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States could not properly safeguard his privacy interests. Schrems alleged that Facebook could not and did not prevent US government surveillance greatly in excess of that permitted under European law.

In Schrems I, the CJEU ruled in favour of Mr. Schrems, and invalidated the Safe Harbour agreement between the European Union and the United States that dated back to 26 July 2000. This verdict put at risk data transfer arrangements that had by then been in place for fifteen years, and that had benefitted not only the large US digital platforms, but also European consumers who used US-based digital services, as well as a wide range of businesses large and small on both sides of the Atlantic. The CJEU allowed time, however, for authorities on both sides of the Atlantic to try to find workarounds.

Some firms took steps to keep as much of their data as possible in Europe; some data, however, needed to be transferred to the USA.

The European Commission responded at the time by encouraging firms to resort instead to Standard Contractual Clauses (SCCs), which represent an alternative means of meeting EU privacy requirements when transferring personal data to third countries.

In Marcus and Petropoulos (2015), we predicted that this approach would run into trouble sooner or later. “The model clauses would appear to be at best a weak and temporary circumvention of the ECJ’s decision in the Schrems case, since US-based firms cannot and presumably will not avoid making the data available to US intelligence services, and will be prevented by US law from informing surveilled entities and individuals that they have done so. The decision in the Schrems case, after all, had nothing to do with commercial privacy practices – it was all about government surveillance for purposes of national security. This cannot be governed by private contract. Given that Safe Harbour has already been invalidated, it seems unlikely that the [CJEU] in a subsequent case would permit the model clauses to stand.”

The European Union succeeded in negotiating Privacy Shield arrangements with the Obama administration that attempted to deal with the problem. As we explained in Marcus (2017), the institutional framework of Privacy Shield was weak, and fully dependent on the good will of the US administration (which looks very different under Trump than it did under President Obama). Key portions of Privacy Shield are letters from one US department (for instance, the Office of the Director of National Intelligence (ODNI)) to another (the Department of Commerce). Those letters merely described existing US practice – they made no commitments going forward. It should have already been clear that US courts would not interpret those letters as binding commitments to a foreign government on the future conduct of the United States.

These obvious defects in Privacy Shield and in the use of SCCs turned out to be central to the CJEU’s 16 July 2020 judgment.

What are Standard Contractual Clauses (SCCs)?

For cases where no Adequacy Decision is in place, the GDPR provides for several alternative mechanisms, each of which enables transfers of personal data without requiring explicit informed consent from each user. SCCs represent one of these mechanisms.[2], [3]

The SCCs are defined in an annex to Commission Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297. They represent clauses that seek to ensure that the data transferred to a firm in a third country that cannot be certified as protecting personal data to a degree comparable to that of the EU are nonetheless adequately protected.

It is important to note once again that the SCCs are a general mechanism that governs the relationship between the EU-based data exporting firm and the third country-based data importing firm. The third country government is not a party to the agreement, and is not constrained by it.

When the CJEU first issued the Schrems I decision, the Commission encouraged firms to rely on SCCs, since the Safe Harbour from 2000 had been invalidated. This created a bizarre, Alice in Wonderland situation, since the SCCs do nothing to constrain the actions of the third country government. Simply put, the Commission’s initial response to Schrems I did nothing at all to address the excessive government surveillance that had been the grounds for the Schrems I decision.

The SCC Decision 2016/2297 speaks very briefly about the obligations of the exporting firm to consider legal institutions and practices in the data importing third country,[4] but this has not been enforced and in practice for the most part probably has not been done.

As for the obligations of the supervisory authorities responsible for privacy enforcement at Member State level, the referral from the DPC (the privacy supervisory authority of Ireland) to the Irish High Court and from there to the CJEU makes clear that neither the DPC nor the High Court was certain that Irish authorities or courts had the authority to block transfers in a case where a Commission Adequacy Decision said that they were permissible.

What the CJEU decided

The direct result of the CJEU decision was that the Adequacy Decision for the Privacy Shield agreement, which the Commission enacted in 2016 and which was ratified by Parliament, has been invalidated, apparently with immediate effect. As of now, no Adequacy Decision is in effect for data transfers to the United States.

The validity of Standard Contractual Clauses as a mechanism was sustained. A number of press articles mistakenly assume that this means that little will change.

We note once again that the SCCs represent a general mechanism for two undertakings to agree to exchange data in a way that respects personal data. The Commission Decision that put SCCs in place established a general mechanism, independent of the country to which data is to be transferred.

As a practical matter, the CJEU imposed or clarified important obligations on the firms that transfer data from the EU to third countries.

  • Data exporting companies (or more specifically in GDPR jargon, their data controllers or processors) are now required to “ensure that data subjects whose personal data are transferred to a third country pursuant to [SCCs] are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation ... To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration [not only the effect of the SCCs themselves, but also] as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of [the GDPR].”
  • Member State data privacy supervisory authorities now have both authority and responsibility to assess third country surveillance. If the SCCs cannot be complied with in a third country, taking all circumstances into account and in the absence of a valid European Commission Adequacy Decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to SCCs. If complaints are brought to the supervisory authority, they are required to diligently react to them.

For the current case, the Adequacy Decision of 2016 has now been invalidated, so the Irish supervisory authority is now free to act and is presumably obliged and empowered to go further in addressing the complaint that Schrems raised.

The new CJEU decision also effectively establishes the formal rules for overturning Commission Adequacy Decisions, and they are exactly in line with what has haltingly happened in this case. The national supervisory authority is obliged to consider complaints that might be brought to it, even in cases where an Adequacy Decision is in place, and they are obliged to consider whether the Adequacy Decision is justified. Should the national supervisory authority find an Adequacy Decision to be unjustified, it cannot simply override the Adequacy Decision, but must instead bring its concerns to the CJEU for resolution.

Grounds for invalidating the Adequacy Decision for Privacy Shield

The General Data Protection Regulation (GDPR), which had not existed at the time that the case was first lodged, speaks of the need for transfers of personal data to third countries to consider “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”, and to ensure that EU persons have “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”.[5]

The CJEU expands on this somewhat by stating that, for an intrusion on the protection of personal data to be viewed as proportionate, the corresponding law “must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.”

The CJEU concludes that the relevant surveillance programmes in the United States fall well short of this standard. The High Court of Ireland had already noted that the Fourth Amendment to the Constitution of the United States (the most important cause of action available to challenge unlawful surveillance) does not apply to EU citizens; that for an EU person to establish standing can be exceedingly difficult; and that the NSA’s activities under Executive Order 12333 are not subject to judicial oversight and are not justiciable. The CJEU further notes that the relevant statute for foreign intelligence[6] provides no meaningful limitations on surveillance, and that the court that provides oversight[7] authorises whole programmes, not individual surveillance. The CJEU appears to have been particularly concerned that the various elements of US law and presidential executive orders permit indiscriminate bulk collection of data.

Equally important, the CJEU judgment notes that the GDPR “requires everyone whose rights and freedoms guaranteed by the law of the Union are violated to have the right to an effective remedy before a tribunal”. The judgment notes that not all US surveillance measures are subject to judicial review, and there are multiple indications throughout the judgment that European persons face challenges in achieving redress.[8]

The main mechanism that the Commission relied on in its Adequacy Decision is that of the Privacy Shield Ombudsperson. The CJEU was not impressed. The Ombudsperson may be able to mediate, but it does not provide a tribunal for redress. The Ombudsperson is “an integral part of the US State Department”, and thus cannot be assumed to be independent from the executive. Moreover, there is nothing in Privacy Shield “to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services”.

In fact, the US government neglected to appoint an Ombudsperson for the first two years of the Trump administration. Until 20 June 2019, the position was unoccupied.[9] The CJEU did not mention this, but the European Parliament has repeatedly expressed concern.

It is also important to note what has not changed as a result of the CJEU judgment. It is the Adequacy Decision enabling unrestricted transfers of personal data to the USA that has been invalidated. Privacy Shield per se presumably remains in force for now, including the commitments that US firms made to the US Department of Commerce, which are enforceable by the US Federal Trade Commission. These commercial arrangements have been unproblematic, but they are largely irrelevant to both the Schrems I and Schrems II decisions.

Since Privacy Shield never included an actual agreement with the US Government to limit its surveillance activities in any meaningful way (Marcus, 2017), there is nothing to invalidate as regards surveillance by the US Government.

Again, what has changed is that Privacy Shield is no longer sufficient to justify an Adequacy Decision.

Near term implications

The CJEU ruling is clear enough, but the timing and effects might take some time to play out.

Data exporting companies are now obliged to promptly examine the laws and practices of the data importing countries that oblige the importing firms to make the data they receive available to public authorities. Specifically, Facebook Ireland is obliged to consider whether Facebook, Inc. in the USA is obliged to turn data over to the US NSA and FBI, and whether US protections for EU persons who are injured by the transfer are adequate (or can be made adequate) when that happens.

Given that the CJEU has already stated at length its reasons for considering current US practice to be inadequate, it would be perverse (but not inconceivable) for data exporting firms like Facebook Ireland to conclude otherwise unless some positive change is introduced. Firms like Facebook are not in a position to force the US Government to change its data surveillance practices; however, US authorities might well choose to do so in order to protect the free flow of data across the Atlantic, which clearly benefits both US internet firms and EU consumers.

In 2016, the Obama administration agreed to Privacy Shield. Privacy Shield did not fully address the issues raised in Schrems I, but with PPD 28 the US government at least recognised (to its credit) that Europeans have legitimate privacy interests in the United States. Privacy Shield also provided an Ombudsperson mechanism to create at least the possibility of friendly resolution.

Even though US firms benefit greatly from the free flow of data, a Trump administration is unlikely to demonstrate this kind of flexibility. Nothing good will happen before November – an “America first”, EU-bashing political response seems much more likely. If Trump is voted out of office in November, it should be possible to have a calm discussion with a Biden administration, but any positive resolution by US and EU authorities will probably not be quick or easy. There are too many distinct deficiencies in US law and practice.

The Irish DPC, the supervisory authority, likewise now has an obligation to act. It seems likely that they will offer Facebook a little time to respond. If absolutely nothing were done, it seems clear that they have both authority and responsibility to block further data transfers from the EU to the USA. That would be an extreme and unfortunate course of action, but it is highly unlikely in practice.

The CJEU ruling does not establish a timetable for companies or supervisory authorities to reach decisions, but it is quite possible that companies will feel the need to change their business practices in order to mitigate the risk of being forced to abruptly halt transatlantic data flows.

Some of the firms impacted by the ruling might simply find ways to stop exporting data from the EU to the United States altogether. The personal data of EU persons would remain within the EU, either in data centres operated by the firms in question, or else perhaps in cloud services that contractually commit that the data will never leave the EU. This probably implies cost and time for the firms involved – process re-engineering, software engineering, and expansion of data centre capacity are likely to be in the cards. How practical this will be depends greatly on the business model of each firm, on the manner in which it manages its data, on the extent it depends on combining EU data sources with US data sources, and perhaps critically on the size of the firm and the scale economies available to it.

Article 49 of the GDPR already clearly specifies what legal options are available to companies when neither an Adequacy Decision nor the SCCs provide a basis for the transfer. The two options that are most relevant here are that the user can provide informed consent, or the data can be sent if it constitutes an integral component of the provision of a service that the user has explicitly requested.[10]

Would conforming to these Article 49 provisions be the end of the world? Probably not!

When one accepts a software licence today, one is generally obliged to check a box whereby one approves the licence. Firms that export data to the US might well conclude that their safest option is to require their users to check a box acknowledging that their data may under some fairly broad circumstances be handed over to US intelligence services, and that their options for judicial redress in the USA in that case are negligible. Irritating for all perhaps, but not a fundamental change. What exact phrasing would be suitable, and would not ruffle feathers with the US intelligence community, remains to be seen, but this seems to be the most likely course.

Even so, the risk of a legal challenge claiming that the checked box does not represent a truly informed consent might remain.

If this approach holds up, the disruption to business would likely be limited – most Europeans who want to use services from Facebook, Google, Amazon, Apple or the many smaller firms that likewise benefit from transatlantic transfer of personal data are likely to simply check the box.[11]

References


[1] Most press articles appear to have fundamentally misunderstood the ruling, focusing on the ruling permitting continued use of SCCs. The use of SCCs as a general mechanism continues to be permitted, but there are new obligations to consider whether transfers to public agencies in the countries that receive the data are respectful of the privacy rights of EU persons. For the USA, the CJEU’s view on this is clear.

[2] Art. 46 GDPR: “The appropriate safeguards … may be provided for, without requiring any specific authorisation from a supervisory authority, by: (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses adopted by the Commission …”

[3] Binding corporate rules are another, suitable for interrelated entities within a group of enterprises. For purposes of this discussion, binding corporate rules are roughly equivalent to SCCs, and will not be discussed further. Art. 4(20) GDPR defines binding corporate rules as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

[4] Footnote 1 of the Decision states that “Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis [that] they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.”

[5] Art. 44-46 GDPR: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country … shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country … to another third country … A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country … in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, [emphasis added] as well as the implementation of such legislation, data protection rules, professional rules and security measures, … case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred [emphasis added] ... The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country … ensures an adequate level of protection … In the absence of [such] a decision …, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

[6] The judgment references Section 702 of the FISA act.

[7] The United States Foreign Intelligence Surveillance Court (FISC).

[8] This author has served, and continues to serve, as an expert witness in multiple US court proceedings involving then-illegal government surveillance. I can say from personal experience that even for a US citizen, it is nearly impossible to achieve redress.

[9] EurActiv (2020), US to appoint permanent Privacy Shield Ombudsperson, as EU pressure tells, https://www.euractiv.com/section/data-protection/news/us-to-appoint-permanent-privacy-shield-ombudsperson-following-eu-pressure/.

[10] Art. 49 GDPR: “In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request; …”

[11] It is however possible that some services for which a licence is not required for casual use today might now be obliged to require the user to check a box.

Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

About the authors

  • J. Scott Marcus

    J. Scott Marcus is a Senior Fellow at Bruegel, a Brussels-based economics think tank, and also works as an independent consultant dealing with policy and regulatory policy regarding electronic communications. His work is interdisciplinary and entails economics, political science / public administration, policy analysis, and engineering.

    From 2005 to 2015, he served as a Director for WIK-Consult GmbH (the consulting arm of the WIK, a German research institute in regulatory economics for network industries). From 2001 to 2005, he served as Senior Advisor for Internet Technology for the United States Federal Communications Commission (FCC), as a peer to the Chief Economist and Chief Technologist. In 2004, the FCC seconded Mr. Marcus to the European Commission (to what was then DG INFSO) under a grant from the German Marshall Fund of the United States. Prior to working for the FCC, he was the Chief Technology Officer (CTO) of Genuity, Inc. (GTE Internetworking), one of the world's largest backbone internet service providers.

    Mr. Marcus is a member of the Scientific Committee of the Communications and Media program at the Florence School of Regulation (FSR), a unit of the European University Institute (EUI). He is also a Fellow of GLOCOM (the Center for Global Communications, a research institute of the International University of Japan). He is a Senior Member of the IEEE; has served as co-editor for public policy and regulation for IEEE Communications Magazine; served on the Meetings and Conference Board of the IEEE Communications Society from 2001 through 2005; and was Vice Chair and then Acting Chair of IEEE CNOM. He served on the board of the American Registry of Internet Numbers (ARIN) from 2000 to 2002.

    Marcus is the author of numerous papers and a book on data network design. He has either led or served as first author for numerous studies for the European Parliament, the European Commission, and national governments and regulatory authorities around the world.

    Marcus holds a B.A. in Political Science (Public Administration) from the City College of New York (CCNY), and an M.S. from the School of Engineering, Columbia University.
