Saturday 25 July 2020

Schrems II (Transfers of Data to the USA) Data Protection Commissioner v Facebook Ireland Ltd and Another

Damien Slattery / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0)

Jane Lambert

Court of Justice of the European Union (K. Lenaerts, President, R. Silva de Lapuerta, Vice-President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Safjan, S. Rodin, P.G. Xuereb, L.S. Rossi and I. Jarukaitis, Presidents of Chambers, M. Ilešič, T. von Danwitz (Rapporteur), and D. Šváby, Judges)  Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd and another [2020] EUECJ C-311/18, EU:C:2020:559, ECLI:EU:C:2020:559 

This was a request for a preliminary ruling by Ms Justice Costello of the High Court of Ireland pursuant to art 267 of the Treaty on the Functioning of the European Union.  The request came at the behest of the Data Protection Commissioner of the Republic of Ireland.  The Commissioner had been asked by one Maximilian Schrems ("Mr Schrems") to require Facebook Ireland Ltd. ("Facebook") to cease or suspend transfers of personal data of which Mr Schrems was the data subject to Facebook's holding company in the United States where it could be intercepted and processed by US security and intelligence services without any legal redress.

The SCC Decisions
The Commissioner believed that she could not perform her task without a ruling on the validity of three Commission Decisions (referred to collectively as the "SCC Decisions") setting conditions for the transfer of personal data to the USA as a result of the Court of Justice's decision in Case C‑362/14, Schrems v Data Protection Commissioner EU:C:2015:650, ECLI:EU:C:2015:650, [2016] QB 527, [2015] EUECJ C-362/14, [2016] 2 CMLR 2, [2016] 2 WLR 873, [2016] CEC 647, [2015] WLR(D) 403. The Commissioner invited the Irish High Court either to make a finding on the validity of the SCC Decisions on its own initiative or to refer the question of their validity to Luxembourg under art 267 TFEU.

The Reference
In The Data Protection Commissioner v Facebook Ireland Limited and another [2017] IEHC 545, Ms Justice Costello found grounds for believing that the SCC Decisions were invalid. It was in her view extremely important for there to be uniformity on the issue throughout the European Union. On that basis, she believed that a reference was necessary and appropriate. Her ladyship delivered her order for a reference to the parties on 12 April 2018 whereupon Facebook Ireland appealed her decision to make a reference and applied for a stay of the reference pending their appeal.   Ms Justice Costello heard and rejected Facebook Ireland's application for a stay in Data Protection Commissioner v Facebook Ireland Ltd and another [2018] IEHC 236 (2 May 2018).

The Questions
The questions that Ms Justice Costello referred to the Court of Justice were set out at paragraph [68] of the Court's judgment in Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd [2020] EUECJ C-311/18, EU:C:2020:559, ECLI:EU:C:2020:559:
"(1) In circumstances in which personal data is transferred by a private company from a European Union (EU) Member State to a private company in a third country for a commercial purpose pursuant to [the SCC Decision] and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter) apply to the transfer of the data notwithstanding the provisions of Article 4 (2) TEU in relation to national security and the provisions of the first indent of Article 3 (2) of Directive [95/46] in relation to public security, defence and State security?
(2) (a) In determining whether there is a violation of the rights of an individual through the transfer of data from the [European Union] to a third country under the [SCC Decision] where it may be further processed for national security purposes, is the relevant comparator for the purposes of [Directive 95/46]:
(i) the Charter, the EU Treaty, the FEU Treaty, [Directive 95/46], the [European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950] (or any other provision of EU law); or
(ii) the national laws of one or more Member States?
(b) If the relevant comparator is (ii), are the practices in the context of national security in one or more Member States also to be included in the comparator?
(3) When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of [Directive 95/46], ought the level of protection in the third country be assessed by reference to:
(a) the applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; or
(b) the rules referred to in (a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non-judicial remedies as are in place in the third country?
(4) Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision] does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?
(5) Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision]:
(a) does the level of protection afforded by the United States respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?
If the answer to Question 5(a) is in the affirmative:
(b) are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?
(6) (a) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) [of Directive 95/46] in light of the provisions of [Directive 95/46] and in particular Articles 25 and 26 read in the light of the Charter?
(b) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under [the SCC Decision] satisfies the requirements of [Directive 95/46] and the Charter?
(7) Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in [the SCC Decision] preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of [Directive 95/46]?
(8) If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the [standard contractual clauses] or Article 25 and 26 of [Directive 95/46] and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of [Directive 95/46] to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of recital 11 of [the SCC Decision], or can a data protection authority use its discretion not to suspend data flows?
(9) (a) For the purposes of Article 25(6) of [Directive 95/46], does [the Privacy Shield Decision] constitute a finding of general application binding on data protection authorities and the courts of the Member States to the effect that the United States ensures an adequate level of protection within the meaning of Article 25(2) of [Directive 95/46] by reason of its domestic law or of the international commitments it has entered into?
(b) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the [SCC Decision]?
(10) Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III to the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the United States under the [SCC Decision] that is compatible with Article 47 of the Charter?
(11) Does the [SCC Decision] violate Articles 7, 8 and/or 47 of the Charter?"

Admissibility
The admissibility of the reference was challenged by Facebook and the British and German governments. Facebook argued that the reference served no useful purpose as the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281, 23.11.1995, p. 31–50) had been repealed by the General Data Protection Regulation ("GDPR") (Regulation (EU)  2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ 4.5.2016 L119/1). The Court noted that the Directive was in force when the reference was made and the relevant articles of the Directive had been substantially reproduced in the GDPR. The German government contended that the Commissioner had not expressed an opinion but only doubts on the validity of the SCC Decisions and that the referring court had not made a finding on whether or not Mr Schrems had consented to the data transfer.  The British government submitted that there had been no finding that the transfer of data had been made in reliance on the SCC Decisions. The Court rejected both governments' contentions finding that the request for the preliminary reference had been well-founded.

The First Question
The Court reformulated the first question as follows at paragraph [80]:

"By its first question, the referring court wishes to know, in essence, whether Article 2 (1) and Article 2 (2) (a), (b) and (d) of the GDPR, read in conjunction with Article 4 (2) TEU, must be interpreted as meaning that that regulation applies to the transfer of personal data by an economic operator established in a Member State to another economic operator established in a third country, in circumstances where, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of that third country for the purposes of public security, defence and State security."

Art 2 (1) of the GDPR provides:
"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
However, art 2 (2) limits the scope of art 2 (1):
"This Regulation does not apply to the processing of personal data:
(a)  in the course of an activity which falls outside the scope of Union law;
(b)  by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c)  ................
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."
Art 4 (2) of the Treaty on European Union provides:
"The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State."
The Court held that art 4 (2) applies only to member states of the EU and not to non-member states such as the USA.   None of the limitations of art 2 (2) applies to Facebook. It concluded at paragraph [89]:
"the answer to the first question is that Article 2 (1) and (2) of the GDPR must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security."

The Second, Third and Sixth Questions
The Court took the second, third and sixth questions together:
"[90] By its second, third and sixth questions, the referring court seeks clarification from the Court, in essence, on the level of protection required by Article 46 (1) and Article 46 (2) (c) of the GDPR in respect of a transfer of personal data to a third country based on standard data protection clauses. In particular, the referring court asks the Court to specify which factors need to be taken into consideration for the purpose of determining whether that level of protection is ensured in the context of such a transfer." 
Art 46 (1) and (2) (c) of the GDPR are as follows:
"(1) In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
(2) The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by
.............................
(c)  standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)......"
In the absence of an adequacy decision under art 45 (3) GDPR, the Court held that a controller or processor may transfer personal data to a third country only if the controller or processor has provided ‘appropriate safeguards’, and on the condition that ‘enforceable data subject rights and effective legal remedies for data subjects’ are available. These can be provided by contract unless public authorities in the recipient country can override those contracts.   Consequently, the answer to the second, third and sixth questions is that art  46 (1) and art 46 (2) (c) GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union ("the Charter").

The Eighth Question
The Court interpreted the Irish High Court's eighth question as follows:
"By its eighth question, the referring court wishes to know, in essence, whether Article 58 (2) (f) and (j) of the GDPR must be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured, or as meaning that the exercise of those powers is limited to exceptional cases."
Art 58 (2) (f) and (j) of the GDPR are as follows:

"Each supervisory authority shall have all of the following corrective powers:
.............
(f) to impose a temporary or definitive limitation including a ban on processing;
.............
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation."
Arts 45 and 46 provide safeguards for the transfer of data outside the EU. 

The Court observed that supervisory authorities have to enforce compliance with the GDPR in accordance with the Charter. They have to take particular care with transfers of data outside the EU and be diligent in dealing with data subjects' complaints.  It answered the eighth question as follows:
"In the light of the foregoing considerations, the answer to the eighth question is that Article 58 (2) (f) and (j) of the GDPR must be interpreted as meaning that, unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer."

The Seventh and Eleventh Questions
The Court took the seventh and eleventh questions together and interpreted them as follows:
"By its 7th and 11th questions, which it is appropriate to consider together, the referring court seeks clarification from the Court, in essence, on the validity of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter."
The SCC Decision was Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19–31). It has been modified by Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271) (Text with EEA relevance) (OJ L 385, 29.12.2004, p. 74–84) and Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (Text with EEA relevance) (OJ L 39, 12.2.2010, p. 5–18). The three Decisions are referred to collectively as the SCC Decisions.

The Court noted that art 1 of the SCC Decision provides that the standard data protection clauses set out in its annexe are considered to offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals in accordance with the requirements of art 26 (2) of the Data Protection Directive and now arts 46 (1) and 46 (2) (c) of the GDPR. Those clauses bind the recipient of a data transfer in a country outside the EU but not the public authorities of that country.  However, the clauses impose contractual obligations on both the controller and processor in the EU and the recipient of the data not to transfer data if the contractual safeguards cannot be guaranteed.   In the light of all of the foregoing considerations, the Court answered the 7th and 11th questions as follows:  "examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision."

The Fourth, Fifth, Ninth and Tenth Questions
The Court interpreted those questions as follows at paragraph [150] of its judgment:
"By its ninth question, the referring court wishes to know, in essence, whether and to what extent findings in the Privacy Shield Decision to the effect that the United States ensures an adequate level of protection are binding on the supervisory authority of a Member State. By its 4th, 5th and 10th questions, that court asks, in essence, whether, in view of its own findings on US law, the transfer to that third country of personal data pursuant to the standard data protection clauses in the annex to the SCC Decision breaches the rights enshrined in Articles 7, 8 and 47 of the Charter and asks the Court, in particular, whether the introduction of the ombudsperson referred to in Annex III to the Privacy Shield Decision is compatible with Article 47 of the Charter."
The Privacy Shield Decision is Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance) C/2016/4176  (OJ L 207, 1.8.2016, p. 1–112).  This decision was made after the Data Protection Commissioner began her action in the Irish High Court. It is relevant to the proceedings because Facebook relies on the Privacy Shield Decision and alleges that it is binding on the Commissioner. The Court considered the provisions of the Decision and whether they provided adequate safeguards for data subjects.   It concluded that they did not and determined at [201] that the Privacy Shield Decision was invalid.

Further Proceedings
It is to be assumed that the Data Protection Commissioner's action will now be relisted for a  further hearing in the Irish High Court.  Irish readers are asked whether the relisted proceedings can be taken by Ms Justice Costello as she now sits in the Court of Appeal.

Further Information
Anyone wishing to discuss this case or data protection generally may call my clerk on 07986 948267 or send me a message through my contact page.
