CJEU hears case on EU-US data transfers (Standard Contractual Clauses and Privacy Shield)
Download: Updated Press Release
Due to a number of requests, we have summarized the key facts of the case before the Court of Justice of the European Union (CJEU) on EU-US data transfers and mass surveillance by the US government. The case will be heard tomorrow (9:00, Tuesday, July 9th) before the Grand Chamber of the Court of Justice.
Common misunderstandings of the case
- Is this case about all EU-US data transfers? No, it only about transfers to the US that are subject to “mass surveillance”. In most situations, there are simple ways to avoid mass surveillance and many industry sectors (e.g. banks, airlines, trade and banking) do not fall under any such mass surveillance law. The complaint by Mr Schrems only targets Facebook, who is named in the Snowden document as aiding the NSA with mass surveillance under “PRISM”.
- It this case about all international EU data transfers? Of the parties to the procedure, only the Irish Data Protection Commissioner takes the view that the “Standard Contractual Clauses” (SCCs) are invalid. Mr Schrems takes the view that (if correctly applied and enforced by the DPC) the SCCs provide for a proper solution. No other party to the Irish procedure than the DPC raised any validity issues.
- Are all data transfers to the US problematic? No. Surveillance laws like FISA 702 only apply to “electronic communication service providers”. European law also differentiates between necessary transfers (listen in the derogations) and unnecessary “outsourcing” of processing. In combination, the problem arises mainly with cloud service and communication providers that fall under surveillance laws (e.g. Facebook, Google, Apple, Amazon Web Services), but not with any other industry sector or “necessary” data transfers (e.g. emails, booking and alike).
- Does Mr Schrems argue to invalidate the SCCs? No. Mr Schrems argues that the SCCs allow the Irish Data Protection Commissioner to stop individual data transfers, such as the one by Facebook. As there is an obvious solution for the problem, there is no validity question in his view.
- Is “Privacy Shield” on the table? Yes. Facebook has relied on the European Commission’s assessment of US law in the “Privacy Shield” and argues that this assessment should also apply to the “Standard Contractual Clauses”. Mr Schrems in turn argued that this assessment by the Commission is wrong. As the Privacy Shield is based on a false interpretation of US law, it should be invalidated.
- Will you still be able to send emails to the US or book a flight? Yes. Article 49 GDPR foresees “derogations” that allow all data transfers if they are for example “necessary to provide a contract” or where the user has explicitly consented. For example: It is necessary to send an email to the US if the recipient is there, but it is not necessary to send emails via the US if the sender and recipient are in Europe.
- What type of transfers may need to stop then? Basically “outsourcing” of data processing that could also be done in Europe or other countries that provide proper data protection standards.
History of the case
The case centers on a complaint by privacy lawyer Max Schrems against Facebook in 2013 (link to complaint). More than six years ago, Edward Snowden disclosed that Facebook allows the US intelligence services access to personal data of Europeans under surveillance programs like “PRISM” (see Wikipedia). The complaint seeks to stop EU-US data transfers of Facebook. So far, the Irish DPC has not taken any concrete action to do so.
First Rejection and CJEU Judgement on Safe Harbor
The case was first rejected by the Irish Data Protection Commissioner (DPC) in 2013, then subject to judicial review in Ireland and a reference to the Court of Justice of the European Union (CJEU). The CJEU ruled in 2015 that the so-called “Safe Harbor” agreement that allowed EU-US data transfers was invalid (link to judgment in C‑362/14), and that the Irish DPC had to investigate the case, which they initially refused to do.
Information about the use of “Standard Contractual Clauses”
Surprisingly, the DPC informed Mr. Schrems at the end of 2015 that Facebook in fact had never relied on the now invalidated “Safe Harbor” agreement, but instead relied already in 2013 on “Standard Contractual Clauses” (another mechanism to transfer data from the EU to the US). The DPC had failed to disclose this fact and instead suggested that Safe Harbor was blocking them for proceeding with the case. This “detour” made the first ruling by the CJEU irrelevant for the case.
Second Investigation and Lawsuit
Mr. Schrems adapted his complaint to the transfers being made under “Standard Contractual Clauses” and equally demanded the end of data transfers to Facebook USA, based on the argument that they make the data available to the NSA. The DPC’s investigation lasted only a couple of months from December 2015 to spring 2016. Instead of deciding on the complaint, the DPC filed a lawsuit against Facebook and Mr. Schrems (both are now defendants) at the Irish High Court in 2016, in order to refer further questions to the CJEU. After more than six weeks of hearings mainly taking place in 2017, the Irish High Court found that the US government engages in “mass processing” of European personal data and referred eleven questions to the CJEU for a second time (link to judgement) in 2018.
The CJEU has listed the case under C-311/18 and will hear it for a second time on July 9th 2019 – about six years from the filing of the original complaint. A judgment is expected before the end of the year. After the judgement of the CJEU, the DPC would finally have to decide on the complaint for the first time. The decision could again be subject to appeals by Facebook or Mr. Schrems.
Core Arguments by the Parties
- The Irish Data Protection Commissioner joins Mr. Schrems in his view that US surveillance laws violate fundamental rights to privacy, data protection, and redress under European law. The DPC says, however, that she has no powers to solve the issue. Because the data transfer mechanism Facebook uses (Standard Contractual Clauses) does not foresee such a situation, the clauses themselves need to be invalidated. This would mean that data transfers to any non-EU country under this instrument would have to be stopped.
- Facebook takes the view that US law does not go beyond what is legal under EU law. Facebook also questions whether the EU has any jurisdiction on “national security” cases. In summary Facebook sees no problem to continue to transfer data to the United States under mass surveillance laws like FISA. Facebook also relies on the European Commission’s assessment of US law in the so-called “Privacy Shield” decision, which says that US surveillance laws comply with EU requirements.
- Schrems agrees with the DPC on the problem, but proposes a more measured solution. The law (Article 4 SCCs) permits the DPC to stop individual data transfers (like Facebook’s). Mr. Schrems says that the Irish DPC has a duty to act, instead of kicking the case back to the CJEU. On Facebook’s reliance on the “Privacy Shield”, Mr. Schrems takes the view that the Privacy Shield Decision by the European Commission does not adequately describe US surveillance laws, is not even remotely capable of providing adequate privacy protections, and must therefore be invalidated.
- European Commission: The European Commission is expected to defend both its decisions: The Standard Contractual Clauses and Privacy Shield. It will likely side with the United States and Facebook on the view that there is no violation of fundamental rights in the United States, but also acknowledge that the DPC has the power to solve the issue itself if the CJEU sees a violation of fundamental rights in the US.
Statement by Mr. Schrems
Max Schrems, chairperson of noyb: “We are proposing a measured solution: The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over. This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2-3% of the cases that were brought before it. We don’t have a problem with ‘Standard Contractual Clauses’, we have a problem with enforcement.”
noyb is a new European non-profit that enforces the right to privacy through litigation. It supports this case and is itself supported by more than 3.500 donating members.
The parties before the court are the Irish Data Protection Commissioner, Facebook Ireland Ltd, and Max Schrems. The Irish Court has also allowed four “amicus curiae” (neutral helpers to the court) to join the case, namely the US Government, the Electronic Privacy Information Center (epic.org), and two industry lobby organizations.
All EU Member States, the European Commission, the European Parliament, and the European Data Protection Board (EDPB) were able to make submissions.