Lorna Woods, Professor of Internet Law, University of Essex
The Court of Justice today handed
down the much anticipated ruling
on the legality of standard contractual clauses (SCCs) as a mechanism to
transfer personal data outside the European Union. It forms part of Schrems’ campaign to
challenge the ‘surveillance capitalism’ model on which many online businesses
operate: there are other challenges to the behavioural advertising model
ongoing. While this case is clearly
significant for SCCs and Facebook’s operations, there is a larger picture that
involves the Court’s stance against mass (or undifferentiated) surveillance.
This formed part of the background to Schrems
I (Case C-362/14, discussed here),
but has also been relevant in European jurisprudence on the retention of
communications data. This then brings us to a third reason why this judgment
may be significant. The UK, like the US, has a system for mass surveillance and
once we come to the end of the year data controllers in the EU will need to
think of the mechanisms to allow personal data to flow to the UK. The approach of
the Court to mass surveillance in Schrems
II is therefore an indicator of the approach to a similar question in
relation to the UK in 2021.
Background
The General Data Protection Regulation
provides that transfer of personal data may only take place on one of the bases
set out in the GDPR. The destination state may, for example, have an ‘adequacy
decision’ that means that the state in question ensures an adequate (roughly
equivalent) level of protection to that ensured by the GDPR (Article 45 GDPR). The original adequacy agreement in relation
to the United States (safe harbour) was struck down in Schrems I because it failed to ensure that there was adequate
protection on a number of grounds, some of which related to the safe harbour
system itself, but some of which related to the law in the US, specifically
that which allowed mass surveillance.
While the safe harbour was replaced by the Privacy Shield under Decision
2016/1250 on the Privacy Shield (Privacy Shield Decision) which improved
some of the weaknesses as regards the operation of the mechanism itself,
including the introduction of an ombudsman system, little if anything has
changed in relation to surveillance.
Another mechanism for transfer of
personal data outside the EU is that of SCCs, which are private agreements
between the transferor (data controller) and transferee. Article 46(1) GDPR states that
where there is no adequacy decision “a controller or processor may transfer
personal data to a third country or an international organisation only if the
controller or processor has provided appropriate safeguards, and on condition
that enforceable data subject rights and effective legal remedies for data
subjects are available”. Article
46(2) GDPR lists possible mechanisms including standard data protection
clauses. The Commission has produced a model form of these agreements in Commission
Decision 2010/87 (SCC Decision).
Following the outcome of Schrems I, Schrems reformulated his
complaint to the Irish Data Protection Commissioner (DPC) about data transfers
arguing that the United States does not provide adequate protection as United
States law requires Facebook Inc. to make the personal data transferred to it
available to certain United States authorities, such as the National Security
Agency (NSA) and the Federal Bureau of Investigation (FBI) and the data is used
in a manner incompatible with the right to private life, and that therefore
future transfers by Facebook should be suspended. These transfers are currently carried out on
the basis of SCCs as approved by the SCC Decision. The DPC took the view that this complaint
called into question the validity of that decision as well as the Privacy
Shield Decision, which moved the issue back into the courts. The Irish High
Court referred the question to the Court of Justice and it is the outcome in
this ruling that we see today.
The Judgment
The Advocate General in his
Opinion (discussed here)
suggested to the Court that the SCC Decision was valid; the problem was the
context in which it operated. He took the view that the Privacy Shield’s
validity should be considered separately. Crucially, he held that data
controllers need to determine the adequacy of protection in the destination
state. This in practice is difficult; while a data controller might have some
control over what the recipient does with the data (how processed, data
security etc), it would have little control over the general legal environment.
In any event, data controllers would be required to make specific country
assessments on this, which could be challenged by dissatisfied data
subjects. The Court took a slightly
different approach. It agreed with its Advocate General that the SCC Decision
was valid, but it struck down the Privacy Shield.
The Court made a number of
findings. The first relates to the scope of inquiry and to competence. Given
that national security lies outside the GDPR (and outside EU competence),
should questions about the processing of data for purposes of public security,
defence and State security be outside the scope of the GDPR rules? Following
its position in Schrems I, the Court
(like its Advocate General) rejected this argument [para 83, 86, 88]: the
transfer of personal data by economic operators for commercial purposes,
even if that personal data is then processed by the authorities of the
destination state for national security reasons, remains within the GDPR
framework. Exclusions from the regime should be interpreted narrowly (citing Jehovan
todistajat (Case C-25/17), discussed here).
In determining the level of
protection the GDPR requires, the Court re-iterated its stance from Schrems I and following the reasoning of
its Advocate General in this case held that we are looking for a level of
protection “essentially equivalent” to that in the EU, bearing in mind that
the GDPR is understood in the light of the EU Charter. So not only must the terms of the SCCs
themselves be taken into account but also the general legal environment in the
destination State. The Court summarised:
… the
assessment of the level of protection afforded in the context of such a
transfer must, in particular, take into consideration both the contractual
clauses agreed between the controller or processor established in the European
Union and the recipient of the transfer established in the third country concerned
and, as regards any access by the public authorities of that third country to
the personal data transferred, the relevant aspects of the legal system of that
third country, in particular those set out, in a non-exhaustive manner, in
Article 45(2) of [the GDPR]. [para 105]
The Court noted that the national
supervisory authorities are responsible for monitoring compliance with EU
rules, and may check compliance with the requirements of the GDPR (following on
from the position under the DPD established in Schrems I), and the national regulatory authorities have
significant investigative powers. Where the SCCs are not complied with – or
cannot be complied with – the national regulatory authorities must suspend or
prohibit transfers and the Commission’s competence to draft SCCs does not
restrict the powers of national authorities to review compliance in any
way. In this the Court’s approach is
broadly similar to that of the Advocate General. As regards an adequacy decision, a valid
adequacy decision is binding, until such time as it may be declared invalid;
this does not stop individuals from being able to complain.
Applying the principles to the
SCC Decision, the Court noted that the standards bind only the parties to the
agreement. Consequently, although there are
situations in which, depending on the law and practices in force in the third
country concerned, the recipient of such a transfer is in a position to
guarantee the necessary protection of the data solely on the basis of standard
data protection clauses, there are others in which the content of those
standard clauses might not constitute a sufficient means of ensuring, in
practice, the effective protection of personal data transferred to the third
country concerned. [para 126]
Does this possibility mean that
the SCC Decision is necessarily invalid? The Court held not. Unlike an adequacy
agreement which necessarily relates to a particular place, the SCC decision
does not. The SCCs therefore may require supplementing to deal with issues in
individual cases. Moreover, the SCC
Decision includes effective mechanisms that make it possible to ensure
compliance with EU standards [para 137].
Specifically, the SCC Decision imposes an obligation on a data exporter and
the recipient of the data to verify, prior to any transfer, whether that level of
protection is respected in the
third country concerned. The recipient of the data must
inform the data controller of any inability to comply with the SCCs, at which
point the data controller is obliged to suspend transfers and/or terminate the
contract. The SCC Decision is therefore valid; the implications of this in
practice for this case were not drawn out. The Court in the end held that
… unless
there is a valid European Commission adequacy decision, the competent
supervisory authority is required to suspend or prohibit a transfer of data to
a third country pursuant to standard data protection clauses adopted by the
Commission, if, in the view of that supervisory authority and in the light of
all the circumstances of that transfer, those clauses are not or cannot be
complied with in that third country and the protection of the data transferred
that is required by EU law, in particular by Articles 45 and 46 of that
regulation and by the Charter of Fundamental Rights, cannot be ensured by other
means, where the controller or a processor has not itself suspended or put an
end to the transfer [operative ground 3].
The existence of an adequacy
decision is then key. Turning to the Privacy Shield Decision, the Court set the
same analytical framework, emphasising the GDPR is understood in the light of
the Charter and the rights to private life, to data protection and to an
effective remedy. In assessing the decision, the Court noted that it awards
primacy to the requirements of US national security, public interest and law enforcement,
which the Court interpreted as condoning interference with the fundamental rights
of persons whose data are transferred.
In the view of the Court, access and use of personal data by US
authorities are not limited in a way that is essentially equivalent to EU law –
the surveillance programmes are not limited to what is strictly necessary and
are disproportionate. Further, data subjects are not granted rights to take
action before the courts against US authorities. The Ombudsperson mechanism,
introduced by the Privacy Shield Decision as an improvement on the position
under safe harbour, is insufficient. The
Court therefore declared the Privacy Shield invalid.
Comment
The most obvious question raised by
this ruling is how data transfers to the US can continue. The Privacy
Shield is no more, and its demise has consequences for the operation of SCCs
in practice. Given the weaknesses in the general legal system from the
perspective of the Court of Justice, weaknesses over which the data
controller/exporter can have little control, how can the requirement to
individually assess adequacy be satisfied?
Are there, however, any other mechanisms on which data transfers could be
carried out?
In this context, we should note
how the Court has interpreted the provisions of Chapter V to create a common
baseline for standards, despite differences in wording between Arts 45 and 46
GDPR. Article 45 deals with adequacy
decisions and it requires that there is “an adequate level of protection”;
Article 45(2) then lists elements to be taken into account – notably respect
for the rule of law and human rights and “relevant legislation, both general
and sectoral, including concerning public security, defence, national security
and criminal law and the access of public authorities to personal data”. It was
this provision that was interpreted in Schrems
I to require a level of protection that is ‘essentially equivalent’.
Article 46(1) – which is relevant to the other mechanisms by which transfers
may take place, including agreements between public authorities and binding
corporate rules as well as SCCs – says something different. Article 46(1)
requires “appropriate safeguards” and “enforceable data subject rights and
effective legal remedies for data subjects”. This is then not necessarily the
same – at least in terms of simple wording – as Article 45(1). The Court
however has read Articles 46 and 45 together so as to ensure that, as required
by Article 44, data subjects’
rights are not undermined. This brings the essential equivalence test across to
Article 46 [see para 96] and not just SCCs, but all the other mechanisms for
data transfer listed in Art 46(2). More
specifically the factors to be taken into account when considering whether
there are appropriate safeguards match the list set out in Article 45(2).
The Court also emphasised that
the requirements of the GDPR must be understood in the light of the EU Charter as
interpreted by the Court itself [para 100].
In this context, the backdrop of the Court’s approach to fundamental
rights – specifically the right to private life in Art 7 EU Charter – is
significant. The Court in a number of
cases involving the bulk retention of communications and location data by telecommunications
operators so that those data could be accessed by law enforcement and
intelligence agencies found those requirements – because they applied in an
undifferentiated manner irrespective of suspicion across the population – to be
disproportionate (Digital Rights Ireland and Others, Cases C-293/12 and C-594/12; Tele2/Watson (Cases C-203/15 and
C-698/15), discussed here
and here).
The Court has also criticised the use of passenger name records (PNR) data (Opinion 1/15 (EU-Canada PNR Agreement, discussed here))
and in particular the use of automated processing.
The Court in its review of the facts referred to a number of
surveillance programmes and noted that the referring court had found that these were
not ‘essentially equivalent’ to the standards guaranteed by Articles 7 and 8 EU
Charter. This would seemingly cause a
problem not just for the adequacy agreement, but for an operator seeking to
rely on SCCs – or on any other mechanism listed in Art 46(2).
This brings to the forefront Article 49 GDPR, referred to by
the Court as filling any ‘vacuum’ that results from its judgment, which allows
derogations for external transfers in specific situations, notably that the
data subject has consented or that the transfer is necessary for the
performance of a contract. While these might at first glance give some comfort
to data controllers, a couple of words of caution should be noted. First, these
reflect the grounds for lawful processing and should be interpreted
accordingly. Notably ‘explicit consent’ is a high bar – and all consent must be
freely given, specific, informed and unambiguous – and it should be linked to a
specific processing purpose (on consent generally, see EDPB
Guidelines). The ground that
something is necessary for a contract does not cover all actions related to
that contract – in general a rather narrow approach might be anticipated (see EDPB
Guidance).
The final point relates to the
UK. The UK, perhaps infamously, also has an extensive surveillance regime which
has been the subject of references to the Court of Justice (as well as a number
of cases before the European Court of Human Rights). Crucially, the regime does
have some oversight and there is an independent tribunal which has a relaxed
approach to standing. Nonetheless, bulk collection of data is permissible under
the Investigatory Powers Act, and it is an open question whether the Court of
Justice would accept that this is necessary or proportionate, despite the
changes brought in since the Tele2/Watson
ruling on the communications data rules. Further, the UK has entered into some
data sharing agreements with the US which have given rise to disquiet in some
parts of the EU institutions. Whilst a member of the EU it benefitted in terms
of data flows from not having to prove the adequacy of its safeguards. From
2021 that will change. In the light of
the approach of the Court of Justice, which can be seen as reemphasising and
embedding its stance on surveillance, obtaining an adequacy agreement may not
be so easy for the UK and given the similarity in approach underpinning Articles
45 and 46 GDPR, other mechanisms for data flow may also run into problems if
this is the case. For now, the jury is out.
Photo credit: Security Dive