The EU personal data transmission guarantees have universal application: Schrems v Facebook

29 Sep '20

In some cases, it takes a tenacious citizen and an equally critical national court to submit an important issue with a wide economic, political or religious impact on society or technology to the European Union Court of Justice in Luxembourg. Schrems v Facebook, decided just before the summer holidays, is such a case. The possibility for national courts (for the highest courts even an obligation) to refer preliminary questions to the Court of Justice is a well-known mechanism for submitting (sometimes delicate) questions on the interpretation of EU law to Luxembourg. If EU legislation (regulations, directives or international agreements concluded by the EU) is at stake, these questions may also relate to its validity. The current American TikTok discussion confirms how important the data protection of citizens can be.

Facts of the case

Maximilian Schrems, a citizen with Austrian nationality and residing in Austria, has been a user of Facebook’s social network since 2008. Upon registration, he had to sign a contract with Facebook Ireland. Some or all personal data of Facebook Ireland’s users are transferred for further processing to servers located in the United States and belonging to the parent company Facebook Inc. In 2013, Mr Schrems filed a complaint with the Irish data protection law supervisor. He requested that Facebook Ireland be prohibited from transferring his personal data to the United States, arguing that US law and practice did not provide adequate protection against the surveillance activities of governmental agencies such as the FBI, the NSA and the CIA. This complaint was rejected because the data transfer to the US was sufficiently regulated by the 2000 agreement between the European Commission and the US government. Mr Schrems appealed against this rejection to the Irish High Court, which raised its first set of preliminary questions to the EU Court of Justice. In 2015, the EU Court held that the 2000 agreement with the US did not provide adequate privacy protection of personal data and declared that the Commission’s decision to approve this arrangement was invalid. Mr Schrems was requested to update his complaint. History repeats itself. In 2016, the Commission started renegotiations and signed a new arrangement on personal data transmission under the name Privacy Shield. In addition, the EU General Data Protection Regulation (GDPR) entered into force at European level on 18 April 2018, replacing the existing directive. Mr Schrems maintained his objections that the Privacy Shield arrangement with the US still did not meet the EU standards for adequate data protection as included in the new Regulation. Furthermore, EU citizens had insufficient access to US courts for complaints about the activities of US supervisors.
The Irish Court again decided to stay the national proceedings and to refer the case to the Court of Justice for new preliminary questions on the interpretation of the GDPR and the validity of the Privacy Shield decision.

The EU adequate level for personal data protection

In its second Schrems v Facebook judgment, the Court of Justice first ruled that the new Irish questions must be analyzed from the perspective of the 2018 GDPR and not that of its predecessor. Furthermore, the GDPR also had to be interpreted in the light of the provisions on privacy protection and access to legal proceedings for citizens, as set out in the EU Charter of Fundamental Rights. In addition, the Court confirmed that the EU guarantees of a sufficient level of protection of personal data also apply in the event of circulation of personal data to destinations outside the European Union, i.e. to another economic operator established in a non-EU jurisdiction, regardless of whether such data may be processed by the authorities of that third country for the purposes of public security, defence or state security. According to the Court, the GDPR provisions are intended to ensure the continuity of a high level of protection when personal data of natural persons is transferred outside the EU. This high level of protection is included in the GDPR for domestic purposes and comprises appropriate safeguards, enforceable rights and effective legal remedies. These characteristics follow from the GDPR, interpreted in accordance with the EU Charter of Fundamental Rights. In case of transfer of personal data to a third country, the appropriate protection must be essentially equivalent to the level of protection guaranteed within the European Union. Both the contractual clauses agreed between the controlling company in the EU and the receiving company established in the third country and the public legal system of that third country are crucial to analyze the required level of protection. Essential elements for this assessment are the access regime for public authorities in that country to the transferred personal data and the availability of adequate legal protection for EU citizens.

Level of protection of the US legal system and the Privacy Shield arrangement

In the final parts of the judgment, the Court examines the Irish Court’s question as to whether the Commission has correctly decided on behalf of the European Union to approve the adequacy of the data protection standards set out in the Privacy Shield Agreement. The referring Irish Court had already indicated that these standards had not sufficiently been taken into account. The safeguards for interferences by US authorities under national law (the FBI surveillance programs) and effective judicial protection against such interference have not been sufficiently established by the Commission. The EU Court closely analyses the details of the US legislation concerned and whether it fulfils the conditions for access to effective legal protection that are essentially equivalent to those laid down in the EU Charter of Fundamental Rights. The Court finds that the restrictions in the relevant US legislation are too broad and do not sufficiently respect the principle of proportionality. For instance, the programs facilitate the “bulk” collection of large amounts of signals in personal data. The Court considers that the US Government, which participated in this case in the Luxembourg proceedings, had accepted in response to a question from the Court that these programs “do not grant data subjects actionable rights before courts against the US authorities”. Such access for US agencies is not subject to any judicial review. The restrictions on the protection of personal data arising from US national law, which the Commission has examined in its Privacy Shield decision, do not meet the requirements that are essentially equivalent to EU legal standards. According to the settled case law of the Court, the availability of effective judicial review is as such inherent in the existence of the rule of law. In this case, the essence of the fundamental right to effective judicial protection, as enshrined in the EU Charter, is not respected.
Apart from that, US law in this area does not provide an adequate redress mechanism. Moreover, the Ombudsperson mechanism, introduced during the negotiations, cannot be considered an effective legal protection tool. Finally, there is not an adequate provision for the correction or removal of personal data. The Ombudsperson is an integral part of the US State Department and, therefore, not independent.

Conclusion

It follows that the Commission could not approve the Privacy Shield Agreement with the US on legally acceptable grounds. This arrangement does not fulfil the EU standards for personal data transfer. The EU approval decision must be declared invalid. The Irish supervisory data protection agency must accept Mr Schrems’ complaint against Facebook. The agency is compelled to prohibit data transfers to the US, unless Facebook significantly changes its contractual arrangements and US law is upgraded. It is an open question what impact this judgment will have on personal data transfer to the United Kingdom after Brexit.
