Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the core issues discussed by the Court.
The EU law carve-out for national security legislation
The Schrems cases both have their origin in the revelations Edward Snowden made in 2013 on the existence of large-scale government surveillance programs in the United States, including PRISM and UPSTREAM. Under these programs, the U.S. intelligence and security services can collect personal data from outside the United States, and use it at their own discretion in order to protect the interests of the state. And although most countries around the world have intelligence and security services that collect and analyse large volumes of data, the scale on which this seems to happen in the United States came as a surprise to many.
In the European Union (EU), however, national security, and thus any activity by intelligence and security services, falls outside the competence of the Union. According to Article 4 of the Treaty on European Union, “national security remains the sole responsibility of each Member State”. Thanks to this provision, we have the somewhat cynical situation that it doesn’t matter what the intelligence and security services of the EU Member States do, but that it could be relevant what those in foreign countries do, at least from a data protection perspective. That is also the first question that was raised before the CJEU: why, if the EU is not competent to discuss national security, would foreign national security activity have an impact on data transfers under the GDPR?
According to the Court, the answer is relatively straightforward: the transfer from the EU to a third country is taking place between two commercial entities, in the Schrems-II case between Facebook Ireland and Facebook Inc. in the U.S., and that is a regular transfer that is covered by the provisions of the GDPR. The fact that in theory the data at some point may be intercepted by, or need to be handed over to, intelligence and security services in the U.S., does not make a difference. Since national security is not the purpose of the processing, it can also not be taken into account when deciding on the legality of the processing.
The ‘essentially equivalent’ requirement
The national security issues do become relevant when assessing whether the third country to which the personal data flow (again, the U.S. was just used as an example in the case, but the judgment has an effect vis-à-vis all countries outside the European Economic Area) offers sufficient protection to personal data originating from Europe. In the judgment, the Court makes an explicit link between the various data transfer mechanisms and Article 44 GDPR, which requires that in case of cross-border data transfers “the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. This means that any safeguards that are agreed for the international transfer of personal data need to meet the same high standards.
Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out. [Schrems-II, §92]
For adequacy decisions, it was not a big surprise that the Court requires high standards of data protection in third countries. Already in the Schrems-I decision, it introduced the standard of “essential equivalence” to assess if the legal regime of the third country would sufficiently protect European data.
The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. [Schrems-I, §73]
The Court confirms in the Schrems-II decision that “essential equivalence” is also required under the GDPR. What is new, however, is that the Court has extended this standard to other transfer mechanisms, in situations where no adequacy decision exists. So far, it had been widely assumed that adequacy decisions would indeed require the highest level of equivalence between EU data protection law and that of a third country, but that for the use of contractual clauses – whether the standard contractual clauses or tailor-made, DPA-approved ones – a slightly lower level of data protection was acceptable. The Court now makes clear this is not the case. Even when transferring personal data on the basis of Article 46 GDPR, using appropriate safeguards like Standard Contractual Clauses (SCCs),
(…) such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country (…) are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.
Following this argument, a similar reasoning would need to be applied to transfers based on Binding Corporate Rules, although this is not explicitly mentioned by the Court.
Using Standard Contractual Clauses
What does this mean for the use of SCCs going forward? The good thing is that they still exist, and that means that it is possible to include SCCs in your contracts when exporting personal data from the EU. It is however less straightforward than before – just signing them is not enough. The Court agrees that the SCCs can be helpful for international data transfers, but also spells out that they
(…) are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. [Schrems-II, §133]
The Court also explains that the existence of national surveillance laws in a third country in principle should not be problematic. National security is recognised as a possible necessary limitation to the fundamental right to data protection, including in the SCC decision itself (as per a footnote to the heading of Clause 5).
A data exporter and data importer therefore need to assess whether they consider they can meet the requirements of the SCCs in their specific situation. Do they assume they will be able to guarantee the protections enshrined in the clauses, and thus avoid undermining the level of data protection offered by the GDPR? If not, it might be possible to agree on additional safeguards – this is allowed, as long as the provisions of the SCCs themselves are not changed (they can only be included in a contract on an “as they are” basis). This additional step implies that the data exporter and data importer will need to undertake an assessment of the law of the country to which the data are flowing. Without such an assessment, agreeing on appropriate safeguards would not be possible.
The assessment of a third country’s level of data protection should take a broad look at the legal framework, but in the light of the Schrems-II decision it should in any case include an assessment of any national surveillance legislation: is the data importer subject to such legislation, are the data likely to be intercepted by intelligence and security services given their nature, have there been requests from intelligence and security services to hand over personal data in the past, etc.? If national security legislation applies, it is unlikely that contractual clauses in any form could result in the required “essentially equivalent” level of protection, meaning the data export from the EU cannot (or can no longer) take place.
If the data exporter and importer conclude that the transfers are not, or are unlikely to be, subject to surveillance laws, and they have agreed on other additional safeguards to be included in the contract, the data transfers can likely take place without problems. It is however important to document both the assessment of the third country’s legislation and the reasons for which additional safeguards have been agreed. With the Court’s decision in hand, we expect that data protection authorities will look more actively at international data transfers using SCCs or other contracts, and thus it could be that they will ask you to show your assessments. Maintaining the relevant documentation is also part of your accountability requirements under Articles 5(2) and 24 GDPR and could for example be included in your Article 30 register of processing activities, which should include all information related to international transfers.
The Privacy Shield deficits
The “essential equivalence” requirement also decided the fate of the Privacy Shield. Based on its assessment of the U.S. national security legislation and the additional safeguards that were agreed as part of the Privacy Shield arrangement, the Court found that the fundamental rights to privacy and data protection of Europeans could not be guaranteed when their data would flow to the U.S.
Where for SCCs the decision whether or not to suspend data transfers needs to be taken on a case-by-case basis, for the Privacy Shield a generic decision was required. That is the distinction between a binding adequacy decision, which binds all EU Member States as well as their organs, including data protection authorities, and contracts, which only bind the parties to the contracts. You could therefore still argue that an adequacy decision is assessed against a higher standard, since the protections need to be effective under all circumstances.
In the case of the U.S. national security legislation, in particular section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28, the CJEU concluded the legislation is too wide and too vague. It is therefore not possible for an individual to fully understand what might happen with their data. In addition, the U.S. surveillance laws go beyond what should be regarded as proportionate or strictly necessary, at least from the EU perspective. Here, the Court refers to settled case-law, which includes the Schrems-I decision, but also decisions on massive and continuous data collection in the EU itself (e.g. Digital Rights Ireland, on the mandatory retention of telecommunications data to help fight terrorism and prevent serious crime) or in relation to other third countries (e.g. the transfer of Passenger Name Record data by airlines to the Canadian authorities).
The Court has held that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference. [Schrems-II, §171]
The fact that the U.S. surveillance laws do not allow Europeans to file a complaint in court also meets with an objection from the Court. This point was already recognised by the European Commission when drafting the Privacy Shield. The EU and the U.S. therefore agreed to create an alternative redress mechanism with the introduction of the Ombudsperson. This person would be able to review, upon request, the processing of personal data of a given individual, and confirm whether the processing was taking place in accordance with the protections offered by the Privacy Shield, if it was taking place at all. The Court concludes that the Ombudsperson is mainly a political role. Since it is not supported by a legal obligation, for example to correct or delete data from the files of an intelligence and security service, and also does not allow for a legal remedy (e.g. an appeal in court), it cannot replace judicial redress.
When looking at the conclusions of the CJEU on the Privacy Shield, the Court provides some important guidelines in order to assess the national security legislation in other third countries. First of all, the legislation in the third country needs to be sufficiently clear, detailed and foreseeable for an individual to understand what might happen to their data once it is used for national security purposes (even if that was not the intention of the data transfer). In addition, there need to be adequate means of judicial redress available to the individual. In other words: they need to be able to have their day in court, to fight any alleged misuse of their personal data by intelligence and security services.