What is an adequacy decision?
The General Data Protection Regulation (GDPR) provides that, in principle, personal data may only be transferred to a third country if the country in question ensures an adequate level of protection for the data. According to this Regulation, the Commission may determine that a third country ensures an adequate level of protection by virtue of its domestic legislation or its international obligations. In the absence of such an adequacy decision, such a transfer may only take place if the exporter of the personal data established in the Union provides appropriate safeguards, which may result, inter alia, from standard data protection clauses developed by the Commission, and if the data subjects have enforceable rights and effective remedies. Furthermore, the GDPR specifies the conditions under which such a transfer may be made if there is neither an adequacy decision nor appropriate safeguards.
What was the subject of the "Safe Harbour Decision"?
Mr Schrems, an Austrian national resident in Austria, has been a user of Facebook since 2008. As is the case with all other users residing in the territory of the Union, all or part of his personal data are transferred by Facebook Ireland to servers of Facebook Inc. located in the United States, where they are processed. Mr Schrems lodged a complaint with the Irish supervisory authority, essentially seeking to have these transfers prohibited. He claimed that the law and practice of the United States did not provide sufficient protection against access by the authorities to the data transferred there. His complaint was rejected, inter alia, on the grounds that the Commission had found in its Decision 2000/520 (the so-called "Safe Harbour Decision") that the United States ensured an adequate level of protection. In a judgment of 6 October 2015, the Court of Justice, following a request for a preliminary ruling from the Irish High Court, declared this decision invalid (hereinafter: Schrems I judgment).
What happened after the "Safe Harbour Decision"?
Following the Schrems I judgment and the subsequent annulment by the Irish High Court of the decision rejecting Mr Schrems' complaint, the Irish supervisory authority invited Mr Schrems to reformulate his complaint in the light of the Court's invalidation of the Safe Harbour decision. In his reformulated complaint, Mr Schrems claims that the United States did not provide sufficient protection for the data transferred there. He requests that the transfer of his personal data from the Union to the United States, now carried out by Facebook Ireland on the basis of the standard safeguards in the Annex to Decision 2010/87, be suspended or prohibited for the future. The Irish supervisory authority considered that the handling of Mr Schrems' complaint depended in particular on the validity of Decision 2010/87 on standard contractual clauses and therefore instituted proceedings before the High Court with a view to obtaining a preliminary ruling from the Court of Justice. After these proceedings were initiated, the Commission adopted Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.
In its reference for a preliminary ruling, the Irish High Court asks the Court of Justice about the applicability of the GDPR to transfers of personal data based on the standard protection clauses in Decision 2010/87, as well as the level of protection required by that Regulation in the context of such a transfer and the obligations incumbent on supervisory authorities in that context. Furthermore, the High Court raises the question of the validity of both Decision 2010/87 on standard contractual clauses and the Privacy Shield Decision 2016/1250.
In its judgment delivered today, the Court of Justice finds that the examination of Decision 2010/87 on standard contractual clauses in the light of the Charter of Fundamental Rights of the European Union has revealed nothing capable of affecting its validity. On the other hand, it declares the Privacy Shield Decision 2016/1250 invalid.
Why is the Privacy Shield Decision 2016/1250 invalid?
The Court states, first, that EU law, in particular the GDPR, applies to a transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even though the data may be processed, at the time of their transfer or subsequently, by the authorities of the third country concerned for purposes of public security, defence and State security. Such processing of data by the authorities of a third country cannot result in such a transfer being excluded from the scope of the GDPR.
As regards the level of protection required in the context of such a transfer, the Court holds that the requirements laid down in the GDPR in that regard, which relate to appropriate safeguards, enforceable rights and effective judicial remedies, must be interpreted as meaning that individuals whose personal data are transferred to a third country on the basis of standard data protection clauses must enjoy a level of protection which is equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter. In assessing that level of protection, account must be taken both of the contractual arrangements agreed between the data exporter established in the Union and the recipient of the transfer established in the third country concerned and, as regards possible access to the transferred data by the authorities of that third country, of the relevant aspects of that country's legal system.
As regards the obligations incumbent on supervisory authorities in the context of such a transfer, the Court finds that, in the absence of a valid Commission adequacy decision, those authorities are required, in particular, to suspend or prohibit a transfer of personal data to a third country if they consider, in the light of the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the transferred data required by Union law cannot be ensured by other means, unless the data exporter established in the Union has itself suspended or terminated the transfer.
Next, the Court examines the validity of Decision 2010/87 on standard contractual clauses. It does not consider it to be called into question by the very fact that the standard data protection clauses contained in that decision, by virtue of their contractual nature, do not bind the authorities of the third country to which data may be transferred. Rather, it depends on whether the decision contains effective mechanisms capable of ensuring, in practice, that the level of protection required by EU law is complied with and that transfers of personal data based on such clauses are suspended or prohibited where those clauses are infringed or compliance with them is impossible. The Court notes that Decision 2010/87 provides for such mechanisms. In that regard, it emphasises in particular that, under that decision, the data exporter and the recipient of the transfer must verify in advance whether the required level of protection is complied with in the third country concerned and, where appropriate, the recipient must notify the data exporter that it cannot comply with the standard protection clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient.
Finally, the Court examines the validity of the Privacy Shield Decision 2016/1250 against the requirements of the GDPR in the light of the provisions of the Charter guaranteeing respect for private and family life, the protection of personal data and the right to effective judicial protection. In this respect, the Court notes that this decision, like the Safe Harbour Decision 2000/520, gives priority to the requirements of national security, public interest and compliance with US law, which allows interference with the fundamental rights of individuals whose data are transferred to the United States. It concludes that the limitations on the protection of personal data assessed by the Commission in Privacy Shield Decision 2016/1250, which result from the fact that the United States authorities may access and use such data transferred from the Union to that third country under United States law, are not regulated in such a way as to meet requirements equivalent in substance to those existing under Union law in accordance with the principle of proportionality, since the surveillance programmes based on United States law are not limited to what is strictly necessary. On the basis of the findings in that decision, the Court points out that, as regards certain surveillance programmes, the provisions in question do not in any way indicate that there are any restrictions on the authorisation contained therein to carry out those programmes, nor is it apparent that there are any safeguards for the persons potentially covered by those programmes who are not American citizens. The Court adds that, although those provisions lay down requirements to be complied with by the American authorities in carrying out the surveillance programmes in question, they do not confer on the persons concerned any rights which may be enforced against the American authorities before the courts.
As regards the requirement of judicial protection, the Court finds that, contrary to the Commission's findings therein, the Ombudsperson mechanism referred to in Privacy Shield Decision 2016/1250 does not provide data subjects with a judicial remedy before a body offering guarantees equivalent in substance to those required by EU law, that is to say, guarantees ensuring both the independence of the Ombudsperson provided for by that mechanism and the existence of standards empowering the Ombudsperson to adopt binding decisions vis-à-vis the American intelligence services. For all these reasons, the Court declares Decision 2016/1250 invalid.
Judgment in Case C-311/18 - Data Protection Commissioner v Maximillian Schrems and Facebook Ireland
Source: Press Release No. 91/20 of the Court of Justice of the European Union of 16 July 2020