The „Schrems II” CJEU Decision in summary
C-311/18, Facebook Ireland and Schrems („Schrems II”), Judgment of 16 July 2020
The dispute in the main proceedings. A summary
Mr Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network (‘Facebook’) since 2008 (para. 50). Some or all of the personal data of Facebook Ireland’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. (para. 51).
On 25 June 2013, Mr Schrems filed a complaint with the Commissioner whereby he requested, in essence, that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520, the Commission had found that the United States ensured an adequate level of protection (para. 51).
The Commissioner had rejected the complaint and, consequently, Mr Schrems had brought judicial review proceedings against this rejection. The High Court (Ireland) made a request to the Court for a preliminary ruling on the interpretation and validity of Decision 2000/520. In a judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650), the Court declared that decision invalid (paras. 52-53). As a result of that judgment, the referring court annulled the rejection of Mr Schrems’s complaint and referred that decision back to the Commissioner.(paras. 53-54).
In the course of 2015, Mr. Schrems reformulated his complaint and claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). He submitted that, since that data was used in the context of various monitoring programmes in a manner incompatible with Articles 7, 8 and 47 of the Charter, the SCC Decision cannot justify the transfer of that data to the United States. In those circumstances, Mr Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.(para. 55).
In the course of 2016, the Commissioner published a ‘draft decision’ summarizing the provisional findings of her investigation. The Commissioner found that the personal data of EU citizens transferred to the United States were likely to be consulted and processed by the US authorities in a manner incompatible with Articles 7 and 8 of the Charter and also found that US law did not provide those citizens with legal remedies compatible with Article 47 of the Charter (para. 56).
On 31 May 2016, the Commissioner brought an action before the High Court, in order for the High Court to refer a question on that issue to the Court (para. 57).
By order of 4 May 2018, the High Court made the present reference for a preliminary ruling to the Court and attached a document for reference in which it had set out the results of an examination of the evidence produced before it in the national proceedings, in which the US Government had participated (paras. 57-58). On the basis of those findings, the referring court considers that the United States carries out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter (paras. 64). At the same time, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities (paras. 65). The referring court’s opinion is that the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter, US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article (para. 65).
Schrems II. The questions
The referring court decided to stay the proceedings and to refer eleven questions to the Court of Justice for a preliminary ruling. Through these questions, the High Court essentially requested the CJEU to interpret the validity of two Comsission’s decisions regarding Privacy Shield and Standard Contractual Clauses (SCC) in the light of data protection regulations and articles 7, 8 and 57 of the Charter. In concrete terms, the referring court asked CJEU if the two Comsission’s decisions ensures an adequate level of data protection in the context of a foreign government’s mass surveillance.
CJEU’s ruling in Schrems II. A summary
CJEU considered that the questions referred for a preliminary ruling must therefore be answered in the light of the provisions of the GDPR rather than those of Directive 95/46. (para. 79).
CJEU answered to the first question in the sense that GDPR applies to an international transfer of personal data even if the personal data transferred is liable to be processed by the authorities of the third country in question for the purposes of public security, defense and State security (para. 89).
By the second, third and sixth questions, CJEU considered that the referring court essentially wanted to find out which factors need to be taken into consideration for the purpose of determining whether that level of protection is ensured in the context of a transfer based on SCC (para. 90).
SCC are regulated in article 46 GDPR, but CJEU draws attention to the fact that article 46 GDPR must be seen in the light of article 44 GDPR. Art. 44 GDPR stipulates that every instrument utilized for international data transfers must respect a high level of protection. The Court concludes: „that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out” (para. 92).
Further (paras. 93-101), CJEU explains the concept of „high level of protection” in the context of CSS. Firstly, CJEU recalls that the third country is required to ensure a level of protection essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter (paras. 94 and 99).
Secondly, CJEU indicates in Schrems II that the factors which should be taken into consideration for the purposes of determining the adequacy of the level of protection should be seen in the light of Article 46(1) GDPR which states that ”data subjects must be afforded appropriate safeguards, enforceable rights and effective legal remedies” (paras. 102-103).
Finally, in CJEU’s opinion in Schrems II, the use of SCC is not enough if the third country doesn’t ensure an adequate level of protection. Therefore, CJEU indicates the necessity of an assessment prior to the transfer in order to determinate if the third country ensures an adequate level of protection (para. 104). CJEU states that ”the assessment required for that purpose in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country” (para 104.)
By the eighth question, CJEU appreciates that the referring court wants to find out if a competent supervisory authority is required to suspend or prohibit a transfer of personal data based on SCC to a third country where those clauses are not or cannot be complied with and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured (para. 106). CJEU answers positively to this question, concluding that „even if the Commission has adopted a Commission adequacy decision, the competent national supervisory authority, when a complaint is lodged by a person concerning the protection of his or her rights and freedoms in regard to the processing of personal data relating to him or her, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the GDPR and, where relevant, to bring an action before the national courts in order for them” (para. 120). In order to reach this conclusion, CJEU states that, even if SCC are utilized, ”the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence” (para. 112), „including the power to suspend or ban a transfer of personal data” (para. 115). However, in CJEU’s view, ”a Commission adequacy decision adopted pursuant to Article 45(3) of the GDPR cannot prevent persons whose personal data has been or could be transferred to a third country from lodging a complaint, within the meaning of Article 77(1) of the GDPR” (para. 119).
By its 7th and 11th questions, the referring court seeks clarification from the Court, in essence, on the validity of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter (para. 122). CJEU answers that ”examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision” (para.149). However, CJEU recalls that SCC are not enough in the absence of a high level of protection in the third country (paras. 131-132) and the parties to the transfer (controllers or processors) are required to check ”in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses” (para. 134).
Further, CJEU indicates that if SCC are utilized with no level of high protection, controller or processor or ”failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data” (para 135).
In the last section of its ruling in Schrems II, CJEU invalidates the Privacy Shield Decision. In concrete terms, CJEU considers that Privacy Shield is unable to ensure a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order (para. 162). In order to reach this conclusion, CJEU took into account a series of relevant factors. Specifically, CJEU recalls that ”access to a natural person’s personal data with a view to its retention or use affects the fundamental right to respect for private life guaranteed in Article 7 of the Charter” (para. 170) and ”such interference can arise from access to, and use of, personal data transferred from the European Union to the United States by US public authorities through the PRISM and UPSTREAM surveillance programmes under Section 702 of the FISA and E.O. 12333” (para. 165). Furthermore, ”in accordance with the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms” (para. 174). Further CJEU brings into discussion the principle of proportionality, stating that ”derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary” (para. 176).
Among other arguments, in order to invalidate the Privacy Shield Decision, CJEU states that the principle of proportionality is not respected because ”section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes” (para. 180). CJEU also observes that ”PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities” (para. 181) because, among other arguments, „the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter” (para 197).
In CJEU’s point of view in Schrems II, the consequences of annulment of Privacy Shield Decision is not liable to create a legal vacuum because GDPR has alternative instruments to facilitate the international transfer of personal data (para. 202).