CJEU Judgment - First Statement

Data Transfers
 /  16 July 2020
(c) Court of Justice of the European Union

CJEU invalidates “Privacy Shield” in US Surveillance case.  SCCs cannot be used by Facebook and similar companies.

Facebook and similar companies may also not use "SCCs" to transfer data as DPC must stop transfers under this instrument. Schrems: “We need US surveillance reform. The Court has clarified that there cannot be any transfer of data in violation of EU law.”

Max Schrems’ (chair of noyb.eu and party to the case) first reaction to the judgment:

Schrems: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.

US Surveillance reform is unavoidable - CJEU just says it out loud

The Court was clear that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The US limits most protections to “US persons”, but does not protect the data of foreign customers of US companies from the NSA. As there is no way of finding out if you or your business are under surveillance, people also have no option to go to the courts. The CJEU found that this violates the 'essence' of certain EU fundamental rights.

Schrems: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."

"This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable - when shit hits the fan, you can’t blame the fan."

European Commission bowed to US pressure

The judgment also makes clear that the European Commission did not undertake a thorough and accurate assessment of US surveillance laws under the Privacy Shield. Instead, it bowed to US pressure when passing Privacy Shield.

Herwig Hofmann, law professor at the University of Luxembourg and one of the lawyers arguing the Schrems cases before the CJEU: “The CJEU has invalidated the second Commission decision violating EU fundamental data protection rights. There can be no transfer of data to a country with forms of mass surveillance. As long as US law gives its government the powers to vacuum-up EU data transiting to the US, such instruments will be invalidated again and again. The Commission’s acceptance of US surveillance laws in the Privacy Shield decision left them without defence.”

DPAs have a “duty to act” - Important strengthening for the GDPR

The Court has also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that DPAs are "required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence". So far, many DPAs have taken the view that they have unlimited discretion to look the other way. The Court has now put an end to this practice.

Schrems: “The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The Court has clearly told the DPAs to get going and enforce the law.”

SCCs cannot be used anymore by Facebook and US companies that fall under US surveillance

The Court has also joined Mr. Schrems’ view that in a first step EU companies and non-EU recipients of data have to review the law in the respective third country. Only if there is no conflicting law, can they then use the SCCs. As a second layer of protection, the relevant Data Protection Authority (DPA) has to use the “emergency clause” built into the SCCs (Article 4 of the Standard Contractual Clauses Decision). In cases of US surveillance laws violating EU data protection principles, the companies did not take action. The DPC has fought this idea since 2016 with the false claim it had discretion to do nothing in the face of mass surveillance by foreign powers. In summary this means that Facebook may not use the SCCs for EU-US data transfers anymore and if they continue to violate the law, the DPC has to take urgent action - contrary to some claims made in the first reactions to the judgment.

Schrems: “The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice. In cases such as Facebook, where they don't take action, the DPC had the solution to this case in her own hands all along. She could have ordered Facebook to stop transfers years ago. In our complaint, we demanded that she would issue a prohibition notice with a reasonable implementation period to allow Facebook take all necessary steps. Instead, she turned to the CJEU to invalidate the SCCs, which are valid. It’s like screaming for the European fire brigade, because you don’t feel like blowing out a candle yourself.

Users have to unite & extremely high costs

The fact that this case has been ongoing for 7 years and the DPC alone has spent almost €3million to fight Mr. Schrems’ complaint instead, of taking decisive action to protect the rights of Europeans, also shows some fundamental flaws in the GDPR’s system of enforcement. It is currently impossible for a normal person to ensure that GDPR rights are not just an empty promise, but instead become a normal part of our digital lives.

Schrems: “The DPC has invested € 2.9 Mio against us – and in essence lost. I don’t even want to know how many millions Facebook threw at this case. The financial fallout of this case will now be decided by the Irish Courts. Under EU law there must be a free and quick handling of a citizen’s complaint. However, in this case, we have been in the courts for 7 years with more than 45,000 pages of documents submitted. The myth that a law student can just do this on his own is unfortunately wrong.”

"Necessary" data flows to the US can continue

Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract. This is a solid basis for most legal transactions with the US. In simple words: the US has now been brought back to the "normal" situation that the EU has with most other third countries, but lost its special access to the EU market over US surveillance.

Schrems: "The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data."