Lorna Woods, Professor of Internet Law, University of Essex
Last week a CJEU Advocate-General gave an opinion in the case of Schrems II, the latest challenge to US national security rules as they apply to transfers of personal data from the EU (via Facebook). The original Schrems case (discussed here) shocked the data protection world when the Court of Justice of the EU (ECJ) ruled that the adequacy decision with regards to the United States (which simplified personal data transfers between the EU and the US) was invalid and – effectively - that US practices were incompatible with the EU Charter. Companies transferring data to the US turned to other legal mechanisms to legitimise the transfer of data and Schrems II (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18)) concerns one of these mechanisms: standard contractual clauses (SCCs). Surely, given the similar context and the fact that those under US jurisdiction must comply with US law, the outcome must be the same?
Max Schrems aimed to stop the transfer of his personal data from the EU to the US under SCCs, following on from the finding in Schrems I that US law did not provide sufficient safeguards for individuals’ privacy rights in the context of bulk surveillance. This resulted in an action being brought by the Irish Data Protection Commissioner (DPC). The DPC took the view that her assessment of whether the transfers were valid depended on whether the model SCCs (established by the European Commission by Decision 2010/87/EU) were valid and she brought an action before the Irish courts, which resulted in an 152 page judgment and a reference to the ECJ, to determine this.
The reference comprised 11 questions, which the Advocate General bundled into a number of topics:
- the applicability of EU law when data transferred is processed for national security purposes in third countries;
- the level of protection required;
- the impact of the non-binding nature of an SCC on the authorities of a third country on the validity of Decision 2010/87;
- the validity of Decision 2010/87 in the light of the EU Charter; and
- an assessment of the Privacy Shield decision (the replacement adequacy decision for transfers to the US, following the finding in Schrems I that the previous decision, known as ‘Safe Harbour’, was invalid).
The first issue was whether the fact that the concerns regarding privacy occur in the policy space of national security (an area outwith EU competence) affects the applicability of the data protection directive (DPD) or the replacement law, the GDPR. Those rules are designed for the commercial sphere. As the Advocate General noted,
The significance of that question … lies in the fact that, if such a transfer fell out side the scope of EU law, all the objections raised ...would be rendered baseless .
Given the Court’s approach in Schrems I, it is unsurprising that the answer here was that the locus of regulation was the commercial activity that was being undertaken. The purpose of the transfer was not that of allowing the data to be processed for national security . So, ‘the possibility that the data will undergo processing by the authorities of the third country of destination for the purposes of the protection of national security does not render EU law inapplicable...’ .
The second issue at which the Advocate General looked was that of the level of protection. He accepted that the approach of the Court in Schrems I to adequacy decisions (under Article 25(6) DPD, and now Article 45(3) GDPR) is also relevant to SCCs so that the ‘appropriate safeguards’ envisaged by Article 46 GDPR should ensure data subjects benefit from a level of protection ‘essentially equivalent’ to that which follows from the GDPR . While the adequacy decision mechanism and the SCC mechanism both aim towards the same objective, the way they each achieve it may be different: the underlying difference between the mechanisms is that the adequacy decision considers whether the protections provided by law in the destination country are adequate; the SCCs accept that they are not and provide other safeguards [120, see also 123-4].
Validity of Decision 2010/87
Moving on to the question of validity of Decision 2010/87 in the light of the EU Charter, the fact that SCCs are not binding on the third country undermines the ability of the recipient of the data always to respect the data protection safeguards contained in the SCC. The Advocate General considered this in the context of the question the Irish Court raised regarding the obligations on the national supervisory authority to suspend transfer . The Advocate General proposed that:
- SCCs may be assessed only on the ‘soundness of the safeguards’ they each provide;
- safeguards may be reduced/eliminated as a result of the law of the third country;
- the mechanism imposes on the exporter/controller or the national supervisory authorities, on a case-by-case basis, to prohibit or suspend transfers.
The Advocate General concluded that this did not invalidate the Decision but rather raised the question of ‘whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour’ . He also highlighted the requirement in Article 46(1) GDPR that data subjects’ rights must be enforceable and remedies available.
Obligations on data controllers
The SCC imposes obligations on exporter and importer to comply with the terms of the contract. Given the obligations on the data controller (the person in control of the uses to which the data is put) imposed by the GDPR, where the exporter is aware that the importer cannot honour the terms of the SCC, the controller does not have a choice to suspend transfer but is required to do so . The Advocate General also suggested that the parties should carry out an examination into whether the law of the third country would entail such a breach . The rights of the data subject are ensured as against the exporter/controller under the SCC in Decision 2010/87 and the data subject may also apply to the national supervisory authorities.
Obligations on the supervisory authorities
The Advocate General proposed that national supervisory authorities are required to order the suspension of the transfer. Specifically, the right to suspend is not only to be used in exceptional cases (this follows amendment of the SCC terms in the light of Schrems I) and recital 11 of Decision 2010/87 is ‘obsolete’ . The Advocate General emphasised that
‘the exercise of the powers to suspend and prohibit transfers …. is no longer merely an option left to the supervisory authorities’ discretion’ .
Article 58(2) GDPR, which sets out the powers of supervisory authorities, should be understood in the light of Article 8(3) EUCFR and Article 16(2) TFEU (both of which provide that compliance with data protection law should be overseen by an independent authority) – the Advocate General inferred that this meant the authorities have to act in such a way as to ensure the proper application of the GDPR. This imposes a due diligence requirement on the authorities, as well as an obligation to react appropriately to infringements. Failure to do so can lead to judicial action, and this re-emphasises that the obligation on the national supervisory authorities is ‘strict’, not discretionary .
The DPC had contended that this obligation is insufficient: it fails to address the systemic problems of inadequate safeguards; and that the approach leaves unprotected those whose data have already been transferred. The Advocate General disagreed; while problems existed they were not sufficient to invalidate the decision. He stated that:
EU law does not require that a general and preventive solution be applied for all transfers to a given third country that might entail the same risks of violation of fundamental rights .
As regards, effective redress for those already affected, the Advocate General emphasised the roles of the supervisory authorities to take corrective measures and the rights under Article 82 GDPR.
The Advocate General than took the view that it was unnecessary to consider the ‘Privacy Shield’ decision, in part because it assumes that the general level of law and protection in the recipient state need to afford adequate protection for SCCs to be available – a point which the Advocate General had already rejected. Nonetheless the Advocate General did produce some guidance for the Court were it to consider the issue.
The finding of adequacy under the Privacy Shield does not preclude a national supervisory authority from exercising its powers. A number of parties challenged (directly or indirectly) the finding of adequacy in relation to the Privacy Shield. He suggested that when considering the comparison between the law and safeguards of the third country the appropriate comparison would be with the approach of the Member States to their own national security within the framework of the European Convention on Human Rights (ECHR)  and that those standards must be known in advance. The Advocate General discussed the scope of the national security exception, defined as:
activities connected with the protection of national security in so far as they constitute activities of the State or of States authorities that are unrelated to fields in which individuals are active [para 210, citing inter alia Tele2 Sverige and Watson (Cases C-203/15 and C-698/15, discussed here)].
The Advocate General suggests that the exclusion covers measures ‘that are directly implemented by the State for the purposes of national security, without imposing specific obligations on private operators’ . He notes that where private operators are involved the law is less clear with the earlier PNR judgment (Parliament v Council and Commission (Cases C-317/04 and C-318/04)) seemingly pointing in a different direction from more recent jurisprudence including Tele2/Watson. He proposed a number of ways to reconcile the two lines of cases:
- Tele2/Watson arose where operators were required to keep data; the airlines kept the data for their own commercial purposes ;
- Tele2/Watson arises where operators are required to cooperate as regards the access to the data, irrespective of whether there is a prior obligation to retain data - because the provision required the operators to engage in data processing [219-220].
The Advocate General favoured the second approach, suggesting it was also in line with Schrems I and that, once national authorities have the data and engage in further processing of them, such processing is not caught by the scope of the GDPR. In this view of the Advocate General, this means verification must take place by reference first to the GDPR and Charter and secondly by reference to the ECHR.
A further issue was whether continuity of protection means that measures must be in place during transit (e.g. through submarine cables). Article 44 GDPR refers to ‘after transfer’ which could mean after arrival or once transfer has been initiated. Relying on a teleological interpretation, the Advocate-General adopted the second interpretation.
Moving on to the validity of the Commission’s assessment of adequacy, the Advocate General assessed whether the Commission’s findings warranted the adoption of an adequacy decision, recalling the principles set down in Schrems I allowing for ‘a certain flexibility in order to take the various legal and cultural traditions into account’ but ‘that certain minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR have an equivalent ...’ . It was this essential equivalence that the referring court challenged. The Advocate General re-stated case law from both Courts that recognised the existence of an interference, and as far as the ECJ is concerned it does not matter whether the data are sensitive. Further:
the obligation to make the data available to the NSA, in so far as it derogates from the principle of confidentiality of communications, entails in itself an interference even if those data are not subsequently consulted and used by the intelligence authorities .
As regards the requirement that interferences must be provided for by law, the Advocate General – treating the approach of the ECJ and ECtHR together states that this test means that:
regulations which entail an interference … lay down clear and precise rules governing the scope and application of the measure at issue and imposing a minimum of requirements, in such a way as provide the persons concerned with sufficient guarantees to protect their data against the risks of abuse and also against any unlawful access to or use of data [para 265, citing Digital Rights Ireland (discussed here), Tele 2 Sverige, Opinion 1/15 (discussed here), Weber and Saravia, Zakharov (discussed here) and Szabo and Vissy].
The Advocate General doubted whether the US framework met this threshold . Following existing jurisprudence, however, the Advocate General accepted that the very essence of Article 7 or 8 was not compromised. In this, the Advocate General noted that the position of the ECtHR was that such surveillance could, in principle, be capable of justification .
National security has long been accepted as a legitimate public interest ground justifying interferences with rights. The scope of ‘national security’ was challenged. The Advocate General accepted that some aspect of foreign affairs might fall within ‘national security’; further objectives dealt with under ‘foreign intelligence information’ could constitute other public interest objectives but that these would have a lesser weighting in a proportionality analysis. However, ‘it may be asked whether those measures are defined sufficiently clearly and precisely to prevent the risk of abuse and to permit a review of the proportionality.’ .
The Advocate General nonetheless considered the necessity and proportionality aspects, within the framing set down by Schrems I in particular. The Advocate General also noted the safeguards required by Article 23(2) GDPR. He doubted whether the selection criteria were sufficiently clear and precise and whether there were sufficient guarantees to prevent the risk of abuse noting in particular the difference between the requirement that an activity be ‘as tailored as feasible’ is not the same as an activity which is strictly necessary , nor does it necessarily forewarn data subjects . There is no prior review. He therefore concluded that he had doubts about the adequacy of protection provided.
The next issue was the right to an effective remedy and the impact of the introduction of the Ombudsperson Mechanism which is intended to compensate for some of the deficiencies in the US system. The Advocate General noted that the Article 47 right is in addition to the requirement that there be independent oversight/authorisation of surveillance activities. Re-iterating Schrems I, where there is no possibility to pursue legal remedies, the national rules do not respect the essence of the right. The right include that of receiving confirmation from national authorities whether or not they are processing data as well as being notified about an investigation once it would no longer jeopardise that investigation (though the ECtHR has not made this aspect a requirement). The US system is deficient in these aspects. The Advocate General considered whether the Ombudsperson Mechanism compensates but was not convinced. Such a body to be effective must be established by law and be independent. The Advocate General noted that the mechanism satisfied neither requirement and is not subject to judicial control.
A cursory look at the conclusion to the Opinion might suggest that there will be no change in the approach to data transfers and that in general this was a bit of a defeat for Schrems. This would mis-characterise the position (and also overlook the fact that it was the DPC that was arguing for invalidity of the SCC decision, not Schrems). The Opinion is divided broadly into two topics: the first which deals the legality of the SCC decision and the second which deals with the Privacy Shield adequacy decision.
The Advocate General may have suggested that the Decision underlying the SCCs should not be considered invalid but this does not mean that those transferring data to the US can ignore the privacy concerns. The response of the Advocate General - in avoiding challenging the underlying system itself - is to rely on decentralised, and ultimately private, enforcement by the exporter/data controllers, but also by the national supervisory authority. This obligation is described in rather strong terms; certainly a data exporter cannot be passive but must investigate conditions and if it finds problems it must act to suspend transfers. A head in the sand approach – if the Court follows the reasoning of the Advocate General – is unlikely to be successful. For national supervisory authorities the obligation seems still stronger and the obligation to assess on a case by case basis potentially increases their workload. Underpinning this again is the threat of legal action by data subjects. While empowering data subjects is probably to be regarded as positive, viewing private enforcement of regulation as an essential element of that scheme is problematic. It assumes data subjects have the energy and the resources to take action – a real weakness in this approach, despite the possibility for class actions.
It is noteworthy that while the Advocate General heads the section on the acceptability of the Decision as its acceptability under the Charter, in practice his analysis focuses on the right to a remedy. This leaves the impact of the transfers on privacy and data protection (especially against a backdrop of bulk surveillance) under-considered. Further, the Advocate-General seems to assume that the ability to sue in the EU (under Article 80 causes of action) compensates for the difficulties in standing and lack of remedies in the relevant third country, and assumes that compensation is adequate (as opposed to more behavioural remedies such as ceasing processing). This aspect of the analysis is in marked contrast to the considerations discussed under the Privacy Shield section.
While the ruling on the impact of national security in the early part of the Opinion may not come of much surprise, it is potentially significant for the UK. At the moment, as a member of the EU, the activities of its security and intelligence services mainly lie outside the ECJ’s purview (though note pending reference on scope of this: Privacy International v Secretary of State for Foreign and Commonwealth Affairs (Case C-623/17)); once it becomes a third country (and subject to any negotiated agreement) national security becomes a relevant consideration. This difference between EU States and third countries did not escape the attention of those making representations before the court. On this difference, the Advocate General when discussing the comparison that must take place to come to any decision on whether a third State’s data privacy protections are essentially equivalent argues that, in regards to interferences arising in the context of national security (which falls outside EU law and therefore the scope of the Charter), the relevant standards are to be found in the ECHR.
As noted, however, that boundary is somewhat uncertain and consequently the extent to which it is consistent with earlier jurisprudence, including Schrems I, open to question. The approach of the Advocate General does seem to move away from the approach in the PNR judgment, which was based on looking at the provision’s purpose to determine whether it fell within the national security exception. Perhaps the forthcoming cases will develop a clear and consistent line on this point going forward. The significance of drawing a boundary between the EU Charter and the ECHR lies in the extent of difference in approach of the Strasbourg and Luxembourg courts to bulk surveillance, especially that in relation to communications data. On this, the Big Brother Watch case (discussed here and here) is heading to the ECtHR Grand Chamber.
As regards the second aspect, having noted that the Advocate General seeks to avoid commenting on the Privacy Shield, some of his comments in this regard (made ‘in the alternative’) highlight some real problems for that system. In his discussion he beds his reasoning both in the ECJ’s jurisprudence but also that of the ECtHR. The Opinion constitutes a clear statement as to the applicability of the law to ‘automated’ surveillance and also as to the requirement of legality (which is not particularly clear as regards the Strasbourg jurisprudence). In this, as well as in the context of necessity and proportionality of the measures the Advocate General was not convinced the US framework passed the tests. This is not just one problem to fix, but many. While the Advocate General did not the difference in the jurisprudence between the two courts, this difference did not seem to lead to a different outcome in terms of his assessment of the acceptability of the US regime.
If the Court chooses to consider this question, there will be some serious difficulties going forward for data flows. Whether the approach will stick is a question; the ECJ has been under pressure to step back from its stance on bulk collection and automated assessment of data in particular. Some of the surveillance issues will be returning to the Court in a bevy of cases: in addition to Privacy International see La Quadrature du Net & Ors v Commission (Case T-738/16); La Quadrature du Net & Ors and French Data Network & Ors (Cases C-511-12/18); and Ordre des barreaux francophones et germanophone, Académie Fiscale ASBL, UA, Liga voor Mensenrechten ASBL, Ligue des Droits de l’Homme ASBL, VZ, WY, XX v Conseil des ministres (Case C-520/18). Further Advocates-General opinions in several of these cases are set for January.
Barnard & Peers: chapter 9
Photo credit: Forbes