25 Jan 2020 – Originally published as a guest post at nsucyberlaw.org.
Within the next several weeks, the Court of Justice of the European Union (CJEU) is expected to rule on the validity of the current data transfer processes for personal data flowing across the EU border from companies within the EU. In Data Protection Commission v. Facebook Ireland Limited, Maximillian Schrems (C-113/18) the CJEU will for the second time in five years review the privacy safeguards required by EU law when a company like Facebook Ireland Limited sends personally collected data to servers location in the United States. The pending case is known also as “Schrems II” because it follows the landmark decision in Maximillian Schrems v. Data Protection Commission (C-362/14), which is now known as “Schrems I.”
Schrems I originated with a complaint by Maximillian Schrems to Ireland’s Data Protection Commissioner (DPC) after the mass surveillance practices of the US National Security Agency became public. Schrems’ complaint was escalated to the CJEU, which ultimately agreed that the Safe Harbour agreement was insufficient to protect the data of EU citizens that was transferred to the US. In Schrems I, decided in October of 2015, the CJEU invalidated the Safe Harbour Privacy Principles set forth in Commission Decision 2000/520/EC as providing inadequate privacy and data protection under EU law.
After Schrems I, the EU and US negotiated the EU – US Privacy Shield, which became effective in August of 2016. In addition to the Privacy Shield, EU companies have been relying on Commission-approved “Standard Contractual Clauses” (SCCs) that may be used as protocols to transfer data outside the EU (See, Decision 2010/87/EU). In fact, following Schrems I, Facebook Ireland Limited (and many other companies) indicated that they had not actually relied on the now-invalid Safe Harbour Principles, but instead had properly transferred data pursuant to SCCs. Schrems then filed an udated complaint with the Irish DPC challenging Facebook’s reliance on SCCs when transferring his data. The DPC issued a draft decision stating that SCCs do not adequately protect the data of EU citizens but that it had limited authority on matters of EU law, so it took the case to the Irish High Court and requested referral of the main issue of law, whether SCCs do not protect EU citizen under EU law, to the CJEU. The Hight Court referred the Schrems case to the CJEU in April of 2018, resulting in Schrems II.
The CJEU presided over a hearing in Schrems II in July 2019, with the parties to the case (Maximillian Schrems, Facebook Ireland Limited, and the DPC); as well as representatives and expert witnesses from the European Parliament, the Commission, the European Data Protection Board, several EU member states, the US government, and industry lobby groups; providing many hours of testimony.[1] As is standard procedure, an advisory opinion from an Advocate General was sought after the hearing. On December 19, 2019, Advocate General Henrik Saugmandsgaard Øe issued a (non-binding) opinion on the case, in which he ultimately proposes that the Court determine that its analysis of the case ”has disclosed nothing to affect the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries…”[2] Ultimately, then, the Advocate General proposes that the SCCs not be deemed wholesale invalid. However, his opinion does discuss concerns with US surveillance, stressing the importance of assessing data transfers under Article 2(2) of the GDPR and Article 4(2) TEU. He indicates that a supervisory authority ”must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means…”[3] The Advocate General also is critical of the EU-US Privacy Shield and addresses the possibility that the Court might weigh in on its validity, but his opinion offers that the Court should not make that broader determination, since that issue, although relevant, is not directly before the Court.[4]
The opinion of the Advocate General will be followed early this year by the CJEU’s final judgment. Although the CJEU has no requirement to follow the advisory opinion of the Advocate General, it is common for the court to do so. Of course, if the Court decides to address SCCs more generally as opposed to only as they relate to the US, the Schrems II decision might have a global impact on cross-border data transfer. And it is still a possibility for the Court to address the Privacy Shield, as well. Until the final opinion issues, however, the status of EU law as it relates to data transfers from the EU to the US – and perhaps on a wider scale – is unknown. It is crucial for businesses in the EU and US to keep an eye on the pending Schrems II matter and to be informed about the realities of US surveillance as it related to data transfers from the EU.
[1] In addition, “The DPC, Facebook Ireland, Mr Schrems, the United States Government, the EPIC, the BSA, Digitaleurope, Ireland, the Belgian, Czech, German, Netherlands, Austrian, Polish, Portuguese and United Kingdom Governments, the European Parliament and the Commission lodged written observations before the Court.” Opinion of Advocate General Saugmandsgaard Øe in Facebook Ireland and Schrems, C-311/18, sec. III, para. 77.
[2] Opinion of Advocate General Saugmandsgaard Øe in Facebook Ireland and Schrems, C-311/18, sec. V, para. 343.
[3] Id., section IV, para. 148
[4] Id., section IV, F(2). The opinion also points out the Privacy Shield issue and proposed annulment is pending before the General Court of the European Union (Pending Case T‑738/16, La Quadrature du Net and Others v Commission.