What is an adequacy decision?
The General Data Protection Regulation (GDPR) stipulates that personal data may, in principle, only be transferred to a third country if that country ensures an adequate level of protection for the data. Under this Regulation, the Commission may determine that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. If no such adequacy decision exists, such a transfer may only take place if the exporter of the personal data established in the Union provides appropriate safeguards, which may arise, inter alia, from standard data protection clauses adopted by the Commission, and if the data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR precisely regulates the conditions under which such a transfer may be carried out if neither an adequacy decision nor appropriate safeguards exist.
What was the subject of the “Safe Harbour Decision”?
Mr. Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As with all other users residing in the Union territory, his personal data is wholly or partially transferred by Facebook Ireland to servers of Facebook Inc. located in the United States and processed there. Mr. Schrems lodged a complaint with the Irish supervisory authority, primarily seeking to prohibit these transfers. He argued that the law and practice of the United States did not offer sufficient protection against governmental access to the data transferred there. His complaint was dismissed, inter alia, on the grounds that the Commission, in its Decision 2000/520 (the so-called “Safe Harbour Decision”), had found that the United States ensured an adequate level of protection. By judgment of 6 October 2015, the Court of Justice, in response to a request for a preliminary ruling from the Irish High Court, declared this decision invalid (hereinafter: Schrems I judgment).
What happened after the “Safe Harbour Decision”?
Following the Schrems I judgment and the subsequent annulment by the Irish High Court of the decision dismissing Mr. Schrems' complaint, the Irish supervisory authority requested Mr. Schrems to reformulate his complaint, taking into account the Court of Justice's declaration of invalidity of the Safe Harbour Decision. In his reformulated complaint, Mr. Schrems contended that the United States did not provide adequate protection for data transferred there. He requested that the transfer of his personal data from the Union to the United States, now carried out by Facebook Ireland on the basis of the standard contractual clauses in the Annex to Decision 2010/87, be suspended or prohibited for the future. The Irish supervisory authority was of the opinion that the processing of Mr. Schrems' complaint depended, in particular, on the validity of Decision 2010/87 on standard contractual clauses, and therefore initiated proceedings before the High Court, requesting it to refer a question for a preliminary ruling to the Court of Justice. After these proceedings were initiated, the Commission adopted Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (“Privacy Shield”).
In its request for a preliminary ruling, the Irish High Court asked the Court of Justice about the applicability of the GDPR to transfers of personal data based on the standard contractual clauses in Decision 2010/87, as well as the level of protection required by this regulation in the context of such transfers, and the obligations incumbent upon supervisory authorities in this regard. Furthermore, the High Court raised the question of the validity of both Decision 2010/87 on standard contractual clauses and Privacy Shield Decision 2016/1250.
In its judgment delivered today, the Court of Justice finds that the examination of Decision 2010/87 on standard contractual clauses, in light of the Charter of Fundamental Rights of the European Union, revealed nothing that could affect its validity. Conversely, it declares Privacy Shield Decision 2016/1250 invalid.
Why is Privacy Shield Decision 2016/1250 invalid?
The Court of Justice first states that Union law, in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if the data may be processed by the authorities of that third country for purposes of public security, national defense, and state security during or after their transfer. Such data processing by the authorities of a third country cannot result in such a transfer being excluded from the scope of the GDPR.
Regarding the level of protection required in the context of such a transfer, the Court of Justice rules that the requirements laid down in the GDPR concerning appropriate safeguards, enforceable rights, and effective remedies must be interpreted as meaning that individuals whose personal data are transferred to a third country on the basis of standard data protection clauses must enjoy a level of protection that is essentially equivalent to that guaranteed in the Union by the GDPR in light of the Charter. When assessing this level of protection, both the contractual arrangements agreed between the data exporter established in the Union and the recipient of the transfer established in the third country concerned must be taken into account, as well as, regarding any access by the authorities of that third country to the transferred data, the relevant aspects of that country's legal system.
Concerning the obligations incumbent upon supervisory authorities in connection with such a transfer, the Court of Justice holds that these authorities, in the absence of a valid Commission adequacy decision, are particularly obliged to suspend or prohibit a transfer of personal data to a third country if they, in light of the circumstances of that transfer, consider that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the transferred data required by Union law cannot be ensured by other means, unless the data exporter established in the Union has itself suspended or terminated the transfer.
The Court of Justice then examines the validity of Decision 2010/87 on standard contractual clauses. It does not consider its validity to be called into question merely because the standard data protection clauses contained in this Decision, due to their contractual nature, do not bind the authorities of the third country to which data may be transferred. Rather, its validity depends on whether the Decision contains effective mechanisms that can practically ensure that the level of protection required by Union law is complied with and that transfers of personal data based on such clauses are suspended or prohibited if these clauses are breached or their compliance becomes impossible. The Court of Justice finds that Decision 2010/87 provides for such mechanisms. In this regard, it particularly emphasizes that, pursuant to this Decision, the data exporter and the recipient of the transfer must first assess whether the required level of protection is maintained in the third country concerned, and that the recipient must, if necessary, inform the data exporter that it cannot comply with the standard data protection clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient.
Finally, the Court of Justice examines the validity of Privacy Shield Decision 2016/1250 against the requirements of the GDPR in light of the provisions of the Charter, which guarantee respect for private and family life, the protection of personal data, and the right to an effective judicial remedy. In this regard, it finds that this Decision, like Safe Harbour Decision 2000/520, prioritizes the requirements of national security, public interest, and compliance with American law, which allows for interference with the fundamental rights of individuals whose data are transferred to the United States. It concludes that the limitations on the protection of personal data, assessed by the Commission in Privacy Shield Decision 2016/1250, resulting from the ability of American authorities under United States law to access and use such data transferred from the Union to that third country, are not regulated in such a way as to meet requirements that are essentially equivalent to those existing under Union law in accordance with the principle of proportionality, as the surveillance programs based on American legislation are not limited to what is strictly necessary. Based on the findings in this Decision, the Court of Justice points out that the relevant provisions concerning certain surveillance programs in no way indicate that there are limitations on the authorization contained therein for carrying out these programs; nor is it apparent that guarantees exist for individuals potentially covered by these programs who are not American citizens. The Court of Justice adds that while these provisions set out requirements to be observed by American authorities when implementing the surveillance programs concerned, they do not confer rights on affected individuals that can be judicially enforced against American authorities.
Regarding the requirement for judicial redress, the Court of Justice finds that the ombuds mechanism referred to in Privacy Shield Decision 2016/1250, contrary to the Commission's findings therein, does not provide affected individuals with a legal avenue to a body that would offer guarantees essentially equivalent to those required under Union law, i.e., guarantees ensuring both the independence of the ombudsperson provided for by this mechanism and the existence of standards empowering the ombudsperson to issue binding decisions vis-à-vis American intelligence services. For all these reasons, the Court of Justice declares Decision 2016/1250 invalid.
Judgment in Case C-311/18 – Data Protection Commissioner / Maximillian Schrems and Facebook Ireland
Source: Press Release No. 91/20 of the Court of Justice of the European Union of 16 July 2020
