On December 19, 2019, the ECJ’s Advocate General (“AG”) Saugmandsgaard Øe delivered his opinion in Case C‑311/18.
In particular, the AG notes that the request for a preliminary ruling submitted by the High Court of Ireland (‘the High Court’) relates to one of the forms that the “appropriate safeguards” may take: a contract between the exporter and the importer of the data containing standard protection clauses adopted by the Commission. More particularly, it concerns the validity of Decision 2010/87/EU, by which the Commission established standard contractual clauses for certain categories of transfers.
BACKGROUND. The request originated in proceedings brought by the Irish Data Protection Commissioner against Facebook Ireland Ltd and Mr. Schrems in relation to Mr. Schrems’ complaint before the Commissioner concerning the transfer of personal data by Facebook Ireland to Facebook, Inc., in the US. The Commissioner’s position is that the assessment of the complaint is conditional on the validity of Decision 2010/87.
In addition, the High Court has highlighted doubts relating to the adequacy of the level of protection guaranteed by the U.S. in light of the interferences by intelligence authorities.
The AG analyzes the situation under the Directive 46/1995 (“Directive”) and the GDPR and recalls that “[d]ecisions adopted by the Commission on the basis of Article 25(6) of [Directive 95/46] shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.”
Under Article 26(4) of the Directive 95/46 the Commission adopted three decisions in which it found that the standard contractual clauses listed afforded sufficient safeguards (‘the SCC decisions’). Those decisions include Decision 2010/87 and its Annex.
Article 25(6) of Directive 95/46 also served as the basis for the adoption by the Commission of two successive decisions whereby it found that the United States ensured an adequate level of protection provided that a self-certification procedure (of the recipient of the data) is followed: (i) Commission Decision 2000/520/EC (“Safe harbour”), which was declared invalid by ECJ judgment of 6 October 2015, Schrems; (ii) the Commission then adopted the ‘privacy shield’ decision.
Mr Schrems asked Facebook Ireland to identify the legal bases for the transfer of personal data to the US; the company, without identifying all the legal bases on which it relies, referred to a data transfer processing agreement with Facebook US that had been applicable since 20 November 2015, and relied on Decision 2010/87. Mr. Schrems’ complaint alleges that the clauses in that agreement are not consistent with the standard contractual clauses in the annex to Decision 2010/87 and that, in any event, they could not justify the transfer of the personal data to the US, given that under US law Facebook Inc. is required to make the personal data of its users available to United States authorities, such as the NSA and the Federal Bureau of Investigation (FBI), in the context of surveillance programs. Mr Schrems claims that there is no remedy that would allow the data subjects to rely on their rights and asks the DPC to suspend the transfer.
The Commissioner tried to determine, first, whether the US ensures adequate protection of personal data and, second, whether the SCC decisions offer sufficient safeguards as to the protection of that data. Because the Commissioner posited that it was impossible to adjudicate on Mr Schrems’ complaint unless the ECJ examined the validity of the SCC decisions, a preliminary ruling was requested on the validity of those decisions. Para 51.
The opinion turns on several major issues; however, four issues are analyzed more critically:
- The applicability of EU law to transfers for commercial purposes of personal data to a third State which may process the data for national security purposes
The Advocate General stated:
The significance of that question for the outcome of the dispute in the main proceedings lies in the fact that, if such a transfer fell outside the scope of EU law, all the objections raised against the validity of Decision 2010/87 in the present case would be rendered baseless. (para. 101)
The first major issue was whether this particular transfer (a transfer to a third country which then processes the data for national security purposes) would be outside the scope of the Directive (now the GDPR).
While the processing of personal data for the purpose of public security is excluded from the Directive and the GDPR, this is not the case for a transfer for commercial activity. The Directive and the GDPR were designed to regulate the commercial activity that was being undertaken (which is not processing for national security). The Directive (and the GDPR) applies to the transfer of personal data for commercial purposes to a third country which may then process the personal data for national security purposes, a possibility that is irrelevant to the issue.
- Level of protection in the context of a transfer based on standard contractual clauses
The second major issue was the level of protection that must be ensured in order for the transfer to be allowed on the basis of the standard contractual clauses. The AG concluded that the standard of protection of fundamental rights and freedoms required of standard contractual clauses is that they must result in “essential equivalence” with EU law.
The AG noted that the approach taken by the ECJ in Schrems I in interpreting Article 25(6) of Directive 95/46 is that an adequacy decision is adopted only if the third country guarantees an adequate level of protection of fundamental rights and freedoms equivalent to the protections guaranteed by the European Union.
The AG noted that Directive Article 25(6) and the standard data protection clauses referred to in GDPR Article 46(2)(c) may have the same objectives; however, the mechanisms differ. The adoption of an adequacy decision assumes that the Commission analyzes the destination country’s laws protecting fundamental rights and freedoms to determine if they are adequate (and if so, and an adequacy decision is issued, personal data may then be transferred without the controller being required to obtain specific authorization. Para 119). In the case of a transfer under the standard data protection clauses, the laws of the country are not analyzed; “the transfer is lawful only when appropriate safeguards are provided by other means”.
The AG concluded,
Thus, although Article 46(1) of the GDPR allows personal data to be transferred to a third country which does not provide an adequate level of protection, it authorises such transfers only when appropriate safeguards are provided by other means. The standard contractual clauses adopted by the Commission represent, in that respect, a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there. European privacy regulators are to examine the lawfulness of the use of standard contractual clauses on a case-by-case basis. Para 120.
- Validity of Decision 2010/87
The third major issue was the validity of Decision 2010/87 in the light of Articles 7, 8 and 47 of the EU Charter. More specifically, the question was whether Decision 2010/87 is invalid because standard data protection clauses are not binding on the third country’s government, thus undermining the ability of the recipient of the data always to respect the data protection safeguards contained in the clauses.
As noted earlier, the AG stresses that standard contractual clauses are “a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”. Therefore, such a mechanism may be used for transfers to any third country regardless of the level of protection that exists in the country.
The AG concluded that standard data protection clauses are to be analyzed by the “soundness of the safeguards they provide” and so they may be limited or eliminated due to the laws of the third country.
The fact that the contractual mechanism set out in Article 46(2)(c) of the GDPR is “not binding on the authorities of the third country of destination does not in itself render … [the] decision invalid”. Para 127.
The check is done on a case-by-case basis and can result in a ban or a suspension of transfers:
the contractual mechanism set out in Article 46(2)(c) of the GDPR is based on responsibility being placed on the exporter and, in the alternative, the supervisory authorities. It is on a case-by-case basis, for each specific transfer, that the controller or, failing that, the supervisory authority will examine whether the law of the third country of destination constitutes an obstacle to the implementation of the standard clauses and, therefore, to an adequate protection of the transferred data, so that the transfers must be prohibited or suspended. Para 126
Specifically, it will need to be analyzed whether, because of the government’s processing of data for national security, there are not “sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour” (para 127). The AG noted that Article 46(1) of the GDPR provides that the rights of data subjects must be enforceable and remedies available.
The AG noted that “in the event of conflict between the obligations which they lay down and the requirements of the law of the third country of destination, those clauses will not be relied on in support of a transfer to that third country or, if the transfer has already taken place on the basis of those clauses, the exporter will be informed and may suspend that transfer.” Para 129.
What this means in concrete terms:
- If the importer cannot comply with the exporter’s instructions and the standard contractual clauses, the importer must inform the exporter promptly and “the exporter is to be entitled to suspend the transfer and/or to terminate the contract”. Para 130. The AG specifies that this is not an option for the exporter: when those conditions are met, he MUST suspend. Para 132.
- Complying with mandatory requirements of the national law of the third country that do not go beyond what is “necessary in a democratic society in order to protect one of the interests listed” by Article 13(1) of the Directive and Article 23(1) GDPR – which include public security and the safeguarding of the State – is not a breach of the SCC. Para 131.
- The DPAs, considering the circumstances, can impose a ban or suspension of the transfer to a certain country. Para 140 and the following. Also for the DPA, when the circumstances require it, the suspension or ban is not an option. Para 144.
- Validity of the Privacy Shield
The fourth major issue was the validity of the Privacy Shield. The AG concluded that the Court should not consider its validity as doing so assumes that there is a required general level of protection in the destination state for standard data protection clauses to be available, which was a concept rejected earlier by the Court.
However, the AG noted that “the review of the validity of the ‘privacy shield’ … [in light of the] activities of the United States intelligence authorities requires a double verification”:
- “examination of whether the United States ensures a level of protection essentially equivalent [to the GDPR]… against the restrictions resulting from the application of section 702 of the FISA”, allowing the NSA to require providers to make personal data available. Para 228.
- the provisions of the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950 (‘the ECHR’) will constitute “the relevant reference framework” for the purpose of evaluating whether the limitations entailed in EO 12333[i] Para 229.
The AG notes, however, that the Privacy Shield does not prevent a state from allowing its own supervisory authority to exercise its powers.
EU law does not apply to measures taken by states “relating to the collection and use of personal data that are directly implemented by the State for the purposes of the protection of national security” (para 211). The scope of the National Security Exception was described as “activities connected with the protection of national security in so far as they constitute activities of the State or of State authorities that are unrelated to fields in which individuals are active” (para 210). The exception covers all measures directly implemented by states for national security purposes without imposing specific obligations on private operators.
The AG noted several flaws in the Privacy Shield, making the fate of the Privacy Shield less clear. One issue arises when a country’s national security measures involve private operators. In such cases, the AG noted that once a country’s national supervisory authorities have the data and engage in further processing of them, such processing is not caught by the scope of the GDPR. Another issue was the scope of the ‘essential equivalence’ standard.
The AG highlighted a fundamental principle of Schrems I, that although there is flexibility in taking various legal and cultural traditions into account, certain minimum safeguards and general requirements for the protection of fundamental rights (as expressed by the EU Charter and the ECHR) are still required. The AG continued by explaining that the determination of an unlawful intrusion does not turn on whether the data collected was sensitive.
The AG discussed three disputed approaches the United States undertakes regarding foreign intelligence surveillance: bulk collection, filtering and lawfulness of surveillance for foreign affairs.
Regarding bulk collection for national security purposes, the AG discusses what constitutes the “essential content, or the very essence, of the right to respect for private life” (para 282). The AG concluded that if an intrusion compromises the essence of “essential content”, then the intrusion is so grave that “no legitimate objective can justify it” (para 272). Thus, the AG concludes that bulk collection should be analyzed on a case-by-case basis instead of being categorically prohibited.
Regarding filtering for national security purposes, the AG analyzes whether filtering is targeted, as only the individually targeted communications are available for analysis. The AG concludes that “temporary access by the intelligence authorities to all the content of the electronic communications for the sole purpose of filtering…cannot be treated as equivalent to generalised access to that content” (para 276). Therefore, depending on the applicable safeguards, filtering may be permissible.
Regarding the lawfulness of surveillance for foreign affairs, the AG noted that it is “common ground that the protection of national security is a legitimate objective that may justify” exceptions to European privacy rules (para 285) and it is accepted that some “foreign intelligence information” and other aspects of foreign affairs might fall within national security. The AG states “the perimeter of national security may include, to a certain extent, the protection of interests relating to the conduct of foreign affairs” (para 286). However, “it may be asked whether those measures are defined sufficiently clearly and precisely to prevent the risk of abuse and to permit a review of the proportionality.” (para 289).
These three disputed approaches the United States undertakes regarding foreign intelligence surveillance, bulk collection, filtering and lawfulness of surveillance for foreign affairs, provide a strengthened ECJ legal rationale for foreign intelligence surveillance. Nonetheless, the AG’s opinion expresses many concerns about the safeguards currently in effect for Section 702 and Executive Order 12333, and whether the current United States framework met the required threshold.
In conclusion, the AG proposes to answer the questions for a preliminary ruling as follows:
Analysis of the questions for a preliminary ruling has disclosed nothing to affect the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016.
[i] EO (executive order) 12333 “authorises the surveillance of electronic communications outside the United States by permitting access, for foreign intelligence purposes, to data either ‘in transit’ to the United States or ‘transiting’ through the United States but not intended to be processed there, and also the collection and retention of those data. EO 12333 defines ‘foreign intelligence’ as including information relating to the capabilities, intentions and activities of foreign powers, organisations or persons.” Para 61.