On July 16, 2020, in the matter Data Protection Commissioner/Maximillian Schrems and Facebook Ireland,[1] the Court of Justice of the European Union (“CJEU”) invalidated Privacy Shield, the mechanism that enabled the transfer of personal data from the European Union (“EU”) to organizations located in the United States (“US”) that had joined that program.
Background
This decision is subsequent to a previous judgment. To summarize, in 2015 in the matter Schrems 1,[2] the CJEU invalidated Safe Harbour, which enabled the transfer of personal data from the EU to the US.
Following the Schrems 1 judgment, Mr. Schrems had to reformulate his complaint, which had become inapplicable due to the invalidation of Safe Harbour. He did so and that action has led to this latest decision.
More precisely, Mr. Schrems had asked the court to suspend or prohibit future transfers of his personal data from the EU to the US under Privacy Shield as well as standard contractual clauses, appearing in the schedule of the decision 2010/87, that apply to relations between a controller and its processors (“Standard Contractual Clauses”) and on which Facebook Ireland relies to transfer data to the US.
It should be noted that after Safe Harbour was invalidated, the European and American authorities negotiated a new agreement to allow, in certain circumstances, the transfer of personal data to the US. This agreement, negotiated between 2015 and 2016, allowed data to be transferred to the US if the organization receiving the data participated in the program. It was essentially a type of certification mechanism. The European Commission adopted Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (the “Privacy Shield Decision”).
It is this new mechanism that Mr. Schrems wanted to challenge. He also challenged the standard contractual clauses that apply between a controller and a processor located outside the EU territory.
In fact, it should be noted that the General Data Protection Regulation (the “GDPR”)[3] provides that the transfer of such personal data to a third country may, in principle, take place only if that third country ensures an adequate level of data protection. This level of protection is recognized either by an adequacy decision,[4] such as the partial adequacy decision regarding Canada or, in the absence of such a decision, by the organization exporting the personal data, located in the EU, providing appropriate safeguards, such as under standard data protection clauses adopted by the Commission or binding corporate rules.[5] Moreover, the GDPR clearly establishes the derogations under which such a transfer may take place in the absence of an adequacy decision or suitable safeguards.[6]
In its decision of July 16, 2020[7], the Court found that the review of Decision 2010/87 on standard contractual clauses under the Charter of Fundamental Rights of the European Union (the “Charter”) showed nothing that would affect its validity. However, the Court held Decision 2016/1250 on Privacy Shield to be invalid.
On the validity of standard contractual clauses
According to the CJEU, the validity of standard contractual clauses is not at issue simply because standard data protection clauses therein do not, due to their contractual nature, bind authorities in a third country to which a transfer of data may be sent.[8]
It should be noted, “[t]hat validity depends, however, on whether, in accordance with the requirement of Article 46(1) and Article 46(2)(c) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”[9]
Nothing in the standard contractual clauses decision prevents the competent supervisory authority from suspending or prohibiting a transfer of personal data to a third country made pursuant to the standard data protection clauses in the annex to that decision.[10]
In fact, standard contractual clauses provide for “effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.”[11]
Note, however, that these clauses impose an obligation on the data exporter and the recipient of the data transfer to verify, prior to the transfer, whether this level of protection will be complied with in the applicable third country, and they further require the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.[12] Does this mean that if the US does not comply with these conditions, the transfer of personal data will not occur? This remains an open question.
On the unconditional invalidity of Privacy Shield
The CJEU invalidated Privacy Shield in part because of the insufficient safeguards surrounding the US surveillance programs, but also because of the inadequacy of the legal protection afforded to individuals whose rights are breached.
Firstly, the CJEU found that the American authorities’ access to and use of personal data transferred from the EU were not limited in a manner that, in light of the principle of proportionality, was essentially equivalent to the requirements of EU law. More precisely, “the interference arising from the surveillance programmes based on Section 702 of the FISA and on E.O. 12333 are not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed by the second sentence of Article 52(1) of the Charter.”[13]
In particular, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter.”[14]
Moreover, “it should be noted that the first paragraph of Article 47 requires everyone whose rights and freedoms guaranteed by the law of the Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. According to the second paragraph of that article, everyone is entitled to a hearing by an independent and impartial tribunal.”[15]
In this case, the Ombudsman mechanism referred to in that decision does not provide such individuals with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsman provided for by that mechanism and the existence of rules empowering the Ombudsman to adopt decisions that are binding on the US intelligence services.
For all the above reasons, the CJEU found Privacy Shield to be invalid, just as it did three years earlier with Safe Harbour. While awaiting a new protection mechanism similar to an adequacy decision that enables transfers to the US, it is therefore recommended to rely on other suitable safeguards like standard contractual clauses, binding corporate rules or codes of conduct.
[1] CJEU, July 16, 2020, Case C-311/18, Data Protection Commissioner/Maximillian Schrems and Facebook Ireland.
[2] CJEU, October 6, 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner. See also: “Cour(s) magistrale de droit à la protection des données personnelles,” J. Uzan-Naulin, R. Perray, Rev. Comm. comm., électr., Dec. 2015, pp. 10-14.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[4] GDPR, ibid, art. 45.
[5] GDPR, ibid, art. 46.
[6] GDPR, ibid, art. 49.
[7] CJEU, July 16, 2020, supra note 1.
[8] CJEU, July 16, 2020, ibid, para. 136.
[9] CJEU, July 16, 2020, ibid, para. 137.
[10] CJEU, July 16, 2020, ibid, para. 146.
[11] CJEU, July 16, 2020, ibid, para. 148.
[12] CJEU Press Release No. 91/20.
[13] CJEU, July 16, 2020, supra note 1, para. 178.
[14] Ibid, para. 185.
[15] Ibid, para. 186.