EU-US Data Transfers

This case on US mass surveillance, and on the EU companies feeding data into it, has been pending since 2013. It has been before the Irish High Court and the Court of Justice of the European Union (CJEU) twice, and even made a short visit to the Irish Supreme Court. The history of this case is in many aspects unique.

Background

At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy.

Problem: US Surveillance Laws

In 2013, Edward Snowden publicly disclosed that US intelligence agencies have access to the personal data of European users through surveillance programs such as PRISM. This access was facilitated by a US law that was not previously known to be used for such wide-reaching surveillance, 50 U.S.C. §1881a (commonly referred to as FISA 702). FISA 702 was passed in 2008 and fundamentally expanded the options for surveillance and data access available to US authorities. At the same time, more and more personal data was being collected by US electronic communication service providers (such as Apple, Microsoft, Facebook, Google and Yahoo). In combination, this led to an ever more detrimental impact on the privacy of European users.

Under FISA 702, US "electronic communication service providers" (as defined in 50 U.S.C. §1881(4)) can be forced to give US security authorities access to the personal data of "non-US persons", who are defined as anyone who is not a US citizen or permanent US resident. The surveillance orders under this law are not required to be specific to an individual target, but rather allow for a whole blanket surveillance program such as PRISM or Upstream. There is no individualised judicial approval for non-US persons. FISA 702 also allows surveillance for rather broad purposes, such as "information that ... relates to ... the conduct of the foreign affairs of the United States" (see 50 U.S.C. §1801(e)).

There are also US surveillance powers based on the "inherent power of the US president", further defined in an executive order (EO 12333), while other elements are described in Presidential Policy Directive 28 (PPD-28). Both are internal orders within the executive branch that do not create any duties or rights for private entities, but they allow for the surveillance of non-US persons.

The documents disclosed by Edward Snowden listed a number of US companies that are providing data to the US government for surveillance programs like PRISM or Upstream under these provisions, including Apple, Microsoft, Facebook, Google and Yahoo.

Reaction: GDPR Limits Data Transfers

European privacy laws (previously Directive 95/46, and now the GDPR) are based on the concept of a free flow of personal data, but only within a sphere that protects user privacy. If personal data were only protected within the European Union but could be transferred outside the EU's jurisdiction without any restrictions, the high level of protection for personal data necessary within the EU could easily be undermined.

However, EU law has always simultaneously provided for exceptions to this principle of limiting transfers, such as where personal data necessarily has to be transferred (e.g. when booking a service abroad or when sending an email) or when a user freely consents to a transfer. These derogations for non-structural transfers are currently codified in Article 49 GDPR.

In addition, EU law recognises that there may be situations where non-EU companies provide an equivalent level of protection for personal data. In some countries national law is similar to EU law (e.g. Switzerland, Israel, Canada or Japan), and in other countries companies can voluntarily commit to EU principles by signing civil law arrangements, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules or the EU-US Privacy Shield. These latter legal bases can be found in Articles 46 to 48 GDPR and are largely used for situations best described as "outsourcing" of the processing of personal data by companies to non-EU countries.

As the US does not have an omnibus or federal privacy law, US companies must rely on one of these contractual options in Articles 46 to 48 GDPR for outsourcing. However, for companies that fall under US surveillance laws, using these contractual options is impossible in practice, as US law requires them to break their obligations under EU law. This problem is at the core of all cases between Mr Schrems, the Irish Data Protection Commissioner (DPC) and Facebook, as Facebook clearly falls under US surveillance laws and participated in programs like PRISM, while contradictorily signing SCCs, Safe Harbor and now Privacy Shield (the decision on EU-US data transfers replacing Safe Harbor).

First reference to the CJEU in 2013-2015 ("Safe Harbor")

Procedure before the Irish Data Protection Commissioner (DPC)

After the Snowden disclosures, Mr Schrems (then an Austrian law student) filed a complaint against Facebook Ireland Ltd before the Irish Data Protection Commissioner (DPC). The complaint argued that under the EU-US Safe Harbor Decision 2000/520/EC (an executive decision made by the European Commission in 2000) Mr Schrems' personal data should not be sent from Facebook Ireland Ltd (serving Facebook users outside of the US and Canada) to Facebook Inc. (the US parent company), given that Facebook has to grant the US National Security Agency access to such data.

The Irish DPC rejected Mr Schrems' complaint as "frivolous and vexatious", arguing that Facebook relied on the Safe Harbor Decision for carrying out their data transfers to the US. In the view of the DPC, the European Commission had accepted that US law is adequate in the decision from 2000 (8 years before 50 U.S.C. § 1881a was passed) and that the DPC was absolutely bound by the Commission's decision.

Judicial Review against the DPC

In October 2013 Mr Schrems filed for a Judicial Review of the DPC decision, arguing that the DPC could use an "emergency clause" in the Safe Harbor Decision to suspend the data transfer, and that in any case the Safe Harbor Decision was invalid. In a judgment of 18 June 2014 ([2014] IEHC 310), the Irish High Court paused the procedure and referred the case to the Court of Justice of the European Union (CJEU). The Irish High Court largely agreed on the fact that there is "mass surveillance" under US law, but took the view that it could not make a final decision on Mr Schrems' case without first determining the validity of the Safe Harbor Decision. Under EU law only the CJEU can rule on the validity of EU acts such as the Safe Harbor Decision, which meant that the Irish High Court had to refer the case to the CJEU.

Judgement of the CJEU on 6 October 2015 (C-362/14)

In a groundbreaking judgment (C-362/14 Schrems) the CJEU declared the Safe Harbor Decision invalid, largely following Mr Schrems' arguments. The Court held that a third country such as the US must provide an "essentially equivalent" level of protection to that afforded by EU law, and that "legislation permitting public authorities to have access on a generalised basis" violated the essence of the EU fundamental right to privacy under Article 7 of the EU Charter of Fundamental Rights (CFR). Equally, the lack of any legal redress in the US for non-US persons violated the fundamental right to an effective judicial remedy under Article 47 of the CFR.

Following the judgment by the CJEU, the Irish High Court closed the procedure in the Irish courts, as the DPC pledged to swiftly implement the decision by the CJEU.

Second reference to the CJEU in 2015-2020 (SCCs & Privacy Shield)

Information that Facebook actually relied on the SCCs

To the great surprise of Mr Schrems, in November 2015 the DPC informed him that the CJEU's judgment on the Safe Harbor Decision was irrelevant to his original complaint, because Facebook had in fact always relied on the so-called "Standard Contractual Clauses" (SCCs) for its data transfers. The DPC had received this information from Facebook as early as 2013, in an email response to the complaint, but had not disclosed it to Mr Schrems, leading him to believe that Facebook relied on Safe Harbor.

Mr Schrems accordingly reformulated his complaint to now include the SCCs and any other legal basis for data transfers that could be relied on by Facebook, and provided the DPC with an updated complaint on 1 December 2015. Mr Schrems argued that the DPC should use Article 4 of the SCC Decision to suspend transfers, since Article 4 allows the DPC to suspend data transfers if the fundamental rights of users are violated.

Lawsuit by the DPC against Facebook and Mr Schrems

Instead of swiftly deciding on the case, the DPC surprisingly filed a lawsuit against Facebook Ireland Ltd and Mr Schrems shortly after starting its "investigation" into the reformulated complaint. In the view of the DPC the two parties were the "natural defendants" in this case, and the DPC was forced to call upon the High Court to issue another reference to the Court of Justice of the EU. Mr Schrems contested this approach, arguing that the DPC may only refer to the CJEU a second time once all facts and issues have been investigated.

Several parties applied to be joined to the case as amici curiae (neutral helpers of the court); the US government, EPIC.org and two industry lobby groups were joined.

In the lawsuit, the DPC argued that it would not only join Mr Schrems' views in his concerns over US surveillance law, but, beyond that, it also had serious concerns over the validity of the SCCs used by Facebook. The DPC took the view that the SCCs do not provide for a lawful mechanism to transfer data, if a third country like the US has passed laws that are in conflict with the SCCs. Facebook and Mr Schrems took no issue with the SCCs themselves and agreed that in such a case Article 4 of the SCCs Decision (EU) 2010/87 would allow for a solution.

Contrary to Mr Schrems and the DPC, Facebook did not see any problem with US surveillance laws and took the view that the EU does not have jurisdiction over issues of "national security". Facebook also relied on the Privacy Shield Decision (EU) 2016/1250 by the European Commission, which replaced the invalidated Safe Harbor decision. In this decision, the European Commission found that there is no conflict between US surveillance laws and EU fundamental rights. According to Facebook this finding in the Privacy Shield decision must also apply to transfers under the SCCs. Mr Schrems took the view that the Privacy Shield decision itself is invalid as it fundamentally misrepresents US surveillance laws and is therefore no authority to interpret the SCCs.

After several procedural steps and more than five weeks of hearings featuring multiple expert witnesses on US surveillance law, the Irish High Court recognised the existence of US government mass surveillance programs. In a judgment of 3 October 2017 [2017] IEHC 545, the Irish High Court summarised all factual findings, highlighting that the US conducts "mass processing" of personal data, when for example filtering the entire internet traffic that flows through parts of the internet backbone. On 13 April 2018 it referred eleven interpretive questions to the CJEU for determination. The questions were to a large extent drafted by the DPC.

Following the reference, Facebook applied to the Irish Supreme Court in a bid to stop the reference by the High Court, but the appeal was ultimately rejected on 31 May 2019.

Procedure before the CJEU (C-311/18)

On 30 August 2018 the parties had to submit their written observations.

On 19 July 2019, the CJEU heard the case before the Grand Chamber (the largest composition of the Court, with 15 judges), hearing the three parties, the four amici, the European Commission, the European Parliament, the European Data Protection Board (EDPB), and a large number of EU member state governments. The judges' questions focused in particular on issues surrounding US surveillance laws and the validity of the Privacy Shield Decision.

On 19 December 2019 the Advocate General (AG) of the Court issued his non-binding Opinion on the case, largely joining the position of Mr Schrems. According to the Opinion, US surveillance laws are incompatible with EU fundamental rights, but the solution to the incompatibility lies in the DPC ordering the suspension of the data transfers under Article 4 of the SCCs Decision. While the AG explicitly criticised the Privacy Shield Decision, he took the view that the question of its validity does not form an integral part of the case.

The final judgment on these matters by the CJEU will be delivered on 16 July 2020 from approximately 09:30 CET.


Relevant articles