It Happened Again (Part 1): Schrems II and SCCs
What the ECJ’s judgment means for the future of standard contractual clauses and international data flows
On July 16th, the ECJ delivered another significant decision for EU data protection law. The US Secretary of State, Mike Pompeo, said that he was “deeply disappointed” with the ruling, dubbed Schrems II, since it involved the invalidation of the Privacy Shield. Even so, the US “will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.” The UK Government was equally disappointed, but appreciated the ECJ upholding the validity of the standard contractual clauses (SCCs), for which it had advocated in the case.
For the Irish Data Protection Commissioner (DPC), Helen Dixon, the judgment has made transfers from the EU to the US “questionable.” Maximilian Schrems, the eminent privacy activist central to the build-up of the case, made similar remarks, stating that “[i]t is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.” Meanwhile, the EU Commission was careful to reassure the thousands of organisations affected by the decision that “transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR.”
The ECJ’s verdict has material consequences for organisations transferring personal data from the EU to the US. The invalidation of the Privacy Shield eliminates one method for doing so, yet the judgment also makes SCCs a difficult alternative to turn to. Many are seeking answers to the numerous questions arising from the decision, particularly around the use of SCCs. The demand for such answers will be particularly heightened given that the prospect of a successor to the Privacy Shield looks unlikely. Thus, a deep analysis of the SCCs is now very much of the essence.
How We Got Here
It all started in June 2013, around the time of the revelations by Edward Snowden of the expansive surveillance activities conducted by the NSA and others. At that time, Mr Schrems, now Honorary Chairman of NOYB (a non-profit organisation focusing on privacy issues in Europe), brought a complaint to the Irish DPC concerning the data processing operations of Facebook. His complaint sought to prohibit transfers of personal data from the company’s branch in Ireland (Facebook Ireland) to its headquarters in the US (Facebook Inc) on the basis that US law, as characterised by the Snowden revelations, did not provide an adequate level of protection for that data.
The DPC rejected his complaint on the ground that data transfers from Facebook Ireland to Facebook Inc were carried out under the Safe Harbour Agreement, the former legal mechanism legitimising data transfers from the EU to the US. This agreement was constituted by a European Commission decision made in July 2000 in accordance with Article 25(2) of the then Data Protection Directive (DPD 1995).
Mr Schrems then brought judicial review proceedings against the DPC in the Irish High Court challenging its rejection of his complaint. The High Court made a preliminary reference to the European Court of Justice (ECJ) to confirm the validity of the Safe Harbour Agreement under EU law. In October 2015, the ECJ gave its judgment invalidating the Agreement: US law did not, in the Court’s view, provide the necessary safeguards against unlawful surveillance by US public authorities as required under EU law, nor did it provide an opportunity for EU citizens to pursue legal remedies when their rights may be infringed by those authorities. This was the Schrems I Case.
As a result of this decision, the DPC revived the initial complaint brought by Mr Schrems and commenced an investigation into the activities of Facebook Ireland. During that investigation, Facebook Ireland argued that it relied on the SCCs, drafted and validated by the European Commission, to conduct data transfers to its US headquarters. The DPC then requested that Mr Schrems reformulate his complaint in light of this revelation by Facebook.
In his reformulated complaint submitted in December 2015, Mr Schrems highlighted that data transferred from Facebook Ireland to Facebook Inc would be subject to US surveillance law which requires the company to make that data available to US public authorities, such as the NSA or the FBI. In light of this, the DPC published a draft decision on its investigation into Facebook in May 2016 noting that while the SCCs may bind the data exporter (Facebook Ireland in this case) and the data importer (Facebook Inc), the US public authorities are not party to that contract. Accordingly, the SCCs could not make up for the deficiencies in US surveillance law as highlighted by the ECJ in Schrems I.
Also during this time period, the US Department of Commerce and the European Commission entered into talks to work out a replacement for the annulled Safe Harbour Agreement. Eventually, in July 2016, they agreed the EU-US Privacy Shield, a mechanism allowing certified companies to transfer data from the EU to the US. This was accompanied by a decision of the European Commission, made in accordance with Article 25(2) of DPD 1995, which found that the US provided an adequate level of protection of personal data belonging to EU citizens.
A few months before the birth of the Privacy Shield, the DPC initiated proceedings in the Irish High Court in order for the Court to make a preliminary reference to the ECJ to clarify questions on EU law. The DPC sought clarification on the validity of the use of the SCCs to transfer data from the EU to the US given the surveillance regime of the latter. During those proceedings, the High Court examined inter alia the evidence on US surveillance law, in particular Section 702 of the Foreign Intelligence Surveillance Act of 1977 (FISA) and Executive Order (EO) 12333 (together known as the FISA regime). In October 2017, it handed down a judgment setting out the results of its examination of that evidence. Then, in May 2018, the High Court submitted its preliminary reference to the ECJ along with its 2017 judgment on the FISA regime.
Two years later, in July 2020, the ECJ delivered its judgment on the case of Data Protection Commissioner v Facebook Ireland Limited, better known as Schrems II. Although in its preliminary reference the Irish High Court asked predominantly about the SCCs and their compatibility with the EU Charter on Fundamental Rights, the ECJ also took the opportunity to examine the validity of the Privacy Shield: the validity of that mechanism was considered to be connected to the question of SCCs and when they could be used for data transfers.¹
The Broken Shield
For those who have closely followed the debates around transatlantic data flows, the ECJ’s verdict on the Privacy Shield may not have been much of a surprise. While it contained mild improvements compared to its predecessor, the Privacy Shield ultimately suffered from the same flaws, as highlighted by numerous EU institutions beforehand (most notably the EDPB and the European Parliament). Thus, this latest judgment by the ECJ was hardly different from its judgment 5 years earlier.
The first flaw concerned the safeguards against surveillance. The EU Charter contains both the right to privacy and the right to data protection under Articles 7 and 8 respectively. However, the Court emphasised that these rights are not absolute and thus in some limited circumstances they can be interfered with by public authorities.² This is in recognition of the fact that those authorities may require access to personal data in order to carry out criminal investigations or to combat threats to national security.
Consequently, Article 52(1) of the Charter provides that interference with these rights may only be permitted when a number of cumulative conditions are satisfied. Firstly, the interference must be provided for by law, meaning that there must be a legal basis detailing when certain surveillance powers may be used. Secondly, that interference must be necessary in order to achieve an envisaged legitimate aim, for example national security. Thirdly, the nature and scope of that interference must be proportionate to the achievement of that aim, meaning that the least intrusive surveillance measure that still achieves the envisaged aim should be used.
On the proportionality requirement, the ECJ noted that the law prescribing the interference with rights must (a) “lay down clear and precise rules governing the scope and application of the measure in question”, (b) contain minimum safeguards so that those subject to surveillance “have sufficient guarantees to protect effectively their personal data against the risk of abuse”, and (c) indicate the circumstances in which the surveillance measure may be used to ensure “that the interference is limited to what is strictly necessary.”³
Given this, the FISA regime did not, in the ECJ’s view, provide “any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.”⁴ In particular, the Court noted that US surveillance allowed for the possibility of the bulk collection of data in transit to the US without being subject to judicial review or other limitations prescribed by law.⁵ US surveillance law therefore did not meet the requirements under Article 52 of the Charter and thus did not provide an adequate level of protection.⁶
The second flaw related to Article 47 of the Charter: those who have their rights violated are entitled to an effective remedy. On this, the ECJ held that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.”⁷ Therefore, any omission of this right to a remedy would “not respect the essence of the fundamental right to effective judicial protection.”⁸
In this case, the ECJ found that there was a lack of an effective legal remedy available to EU citizens whose data may be transferred to the US. This was the case both under the FISA regime and under the Privacy Shield itself. The Privacy Shield Ombudsperson, who was supposed to provide an avenue for legal redress, fell short of the requirements under Article 47. It was apparent from the evidence on the FISA regime that the Ombudsperson did not have “the power to adopt decisions that are binding on [the] intelligence services.”⁹ In addition, the FISA regime does not grant EU data subjects rights that are “actionable in the courts against the US authorities.”¹⁰ Accordingly, US surveillance law did not provide an effective legal remedy as required under Article 47 of the Charter.¹¹
As a result of these two flaws, which were similar to those pointed out by the ECJ in 2015 with the Safe Harbour, the Privacy Shield was invalidated: US surveillance law did not provide an adequate level of protection for data transferred from the EU, in particular under Articles 52 and 47 of the EU Charter.
The SCCs
The ECJ’s findings on the SCCs were as notable as those on the Privacy Shield, even though the former were declared, in principle at least, to be a valid mechanism for conducting data transfers from the EU to a third country. This is because the Court made further stipulations on the use of the SCCs that raise some complicated questions.
Under the GDPR, there are a number of ways in which organisations can transfer data from the EU to third countries, which the EU collectively refers to as a “modern international data transfer toolbox.”¹² The first way is through reliance on an adequacy decision made by the European Commission. Under Article 45, the Commission can make an assessment of a third country’s legal framework using the criteria prescribed under that same Article. If the Commission finds, based on those criteria, that the third country’s legal framework provides protection of personal data that is ‘essentially equivalent’ to that provided under EU law (namely the GDPR and the EU Charter), then data transfers may be made to that third country without any specific prior authorisation. The Privacy Shield was based on such an adequacy decision, but there are a number of other countries which still benefit from such a decision, such as Canada, New Zealand and Israel.
However, with the Privacy Shield now invalidated, organisations cannot rely on an adequacy decision for transfers to the US. Thus, in the absence of an adequacy decision, organisations may turn to a second option, which is detailed under Article 46. That provision states that an organisation may transfer data to a third country so long as that organisation implements ‘appropriate safeguards’. Article 46(1) and Recital (108) detail what those appropriate safeguards should entail: (i) enforceable data subject rights, (ii) effective legal remedies, (iii) compliance with the general data protection principles (under Article 5) and (iv) compliance with data protection by design and by default (under Article 25).
Article 46(2) then lists the specific mechanisms which could be used by an organisation to successfully implement these appropriate safeguards. One of these mechanisms includes the SCCs adopted by the European Commission (Article 46(2)(c)). The particular set of SCCs which were under examination in Schrems II were those pertaining to transfers from an EU-based data controller to a processor in a third country, adopted by the Commission in 2010.
An important point that was made by the ECJ on these SCCs was that such clauses, on their own, are not equivalent to an adequacy decision in terms of the validity given to the transfer in question. An adequacy decision under Article 45 validates all transfers from the EU to the third country as the European Commission has made the assessment that that third country provides an adequate level of protection. Accordingly, the appropriate safeguards referred to in Article 46 are already provided for under the third country’s legal framework. Therefore, organisations are not required to implement any further measures themselves with respect to the transfer and no specific authorisation is required.
Contrastingly, the Commission, in adopting a set of SCCs, is not required “to assess the adequacy of the level of protection ensured by the third countries to which personal data could be transferred pursuant to such clauses.”¹³ Therefore, when organisations are using SCCs, they must appreciate that such clauses should be treated as a more generic baseline mechanism which helps with achieving the appropriate safeguards required under Article 46. Consequently, when using SCCs in the absence of an adequacy decision, “it is for the controller or processor established in the European Union to provide [the] appropriate safeguards.”¹⁴
What this therefore means in practice is that the use of SCCs on their own may not always be enough to successfully implement the appropriate safeguards required under Article 46. Thus, Recital (109) states that there is nothing to stop data exporters and importers from supplementing the SCCs with additional clauses or other safeguards to ensure that the requirements under Article 46 can be met. This makes the SCCs a floor rather than a ceiling.
Essentially, the ECJ has stated that organisations relying on Article 46 to conduct transfers to a third country must engage in a three-step process. The first step involves the organisation making its own assessment of the legal framework of the third country in question using the criteria under Article 45. This will ultimately mean determining whether the third country provides a level of protection of personal data that is ‘essentially equivalent’ to that under EU law. The second step then requires the organisation, based on its assessment, to determine whether the SCCs on their own meet the requirements under Article 46, namely the implementation of all of the appropriate safeguards. The third and final step requires the organisation to implement additional clauses or other safeguards if it considers, based on its assessment, that the third country does not provide an adequate level of protection. Those supplementary measures must make up for the deficiencies identified in the assessment of the adequacy of the third country’s legal framework.¹⁵
If the organisation cannot make up for the deficiencies through the use of supplementary measures, then the ECJ was clear that the data transfer to the third country should not take place. In addition, the supervisory authority can suspend transfers to a third country if it determines that the safeguards provided for by a data exporter are not adequate.¹⁶
Unfortunately, the ECJ did not specify what kind of supplementary measures could be implemented to deal with, as was the subject of Schrems II, requests from public authorities for data which may belong to EU citizens. Thus, since the Court’s decision, there has been speculation as to what these measures could entail. For example, Eduardo Ustaran, a partner at Hogan Lovells, has suggested that organisations include in their contracts obligations on the data importer to challenge any request from a public authority, to ensure that the authority is legally entitled to make the request and that the data sought is actually necessary for whatever purposes it intends to use the data for. Renzo Marchini, a partner at Fieldfisher, has also mentioned the possibility of encrypting the data in transit so as to prevent intelligence agencies from accessing such data. While it is debatable whether such measures, among others, would be enough under Article 46, they also risk run-ins with public authorities akin to Apple’s fight with the FBI in 2016 or the more recent scuffle between WhatsApp and the UK Government in 2017.
Mr Schrems himself has also made the point that the FISA regime only focuses on acquiring data from certain companies, namely telecommunications and cloud storage/service providers. Andy Serwin, a partner at DLA Piper, made a similar remark that, in terms of national security, intelligence agencies are only looking for certain data from certain organisations. Therefore, if the data importer does not fall under the apparent scope of the FISA regime or any other surveillance legal framework, then it may be easier to implement the appropriate safeguards under Article 46 to validate transfers to the third country in question. However, many organisations use services such as AWS, Salesforce or Stripe, American companies that often transfer data to the US to carry out services for their customers. Such companies are likely to fall under the scope of the FISA regime and therefore be subject to requests from the NSA and others, meaning that meeting the requirements under Article 46, in light of Schrems II, may be more difficult after all.
Furthermore, one of the criticisms of the FISA regime highlighted by the ECJ was the lack of judicial redress for EU citizens whose data may be obtained by the public authorities. As pointed out by the Court, since SCCs form part of a contract between the data exporter and data importer, such a contract cannot bind the public authorities of a third country.¹⁷ Thus, organisations could not possibly implement measures to ensure that data subjects are entitled to judicial redress in a third country. The availability of such redress is ultimately determined by the law of the third country, which organisations, to a large extent, cannot change themselves. That said, given the political weight of some of the bigger tech giants due to their heavy lobbying presence in Washington, it may not be too unreasonable to argue that this issue could eventually be resolved over time. Even so, such a solution is not imminent and it may be many years before any progress is actually made (especially given the constitutional issues involved).
The Flow Must Go On?
For now, clarity will have to come from the regulators. In response to the ECJ’s decision, the EDPB announced that it would be drawing up guidance on what supplementary measures organisations could look to in complying with Article 46 (the IAPP has compiled a list of the statements and guidance issued by various governments and supervisory authorities on Schrems II). The European Commission has also been working on modernising the SCCs, which could be adopted very soon. To what extent the new guidance and updated SCCs provide the certainty that is needed after Schrems II remains to be seen. The impact that this has on the UK’s adequacy after it leaves the EU for good at the end of the year will also be interesting to watch. All of these dynamics just show how data protection, particularly at the international level, is still very much in its infancy.
Sources:
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited [2020] ECLI:EU:C:2020, para. 154.
[2] Ibid, para. 172.
[3] Ibid, para. 176.
[4] Ibid, para. 180.
[5] Ibid, para. 183.
[6] Ibid, para. 185.
[7] Ibid, para. 187.
[8] Ibid.
[9] Ibid, para. 196.
[10] Ibid, para. 192.
[11] Ibid, para. 197.
[12] EU Commission, ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation’ COM (2020) 264 final, p.10.
[13] Case C-311/18 (n 1), para. 130.
[14] Ibid, para. 131.
[15] Ibid, paras. 132-133.
[16] Ibid, para. 135.
[17] Ibid, para. 125.