The case in question concerned Maximilian Schrems, an Austrian privacy advocate, who had filed a complaint with the Irish Data Protection Commissioner in 2015, contesting Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the United States. Facebook had been relying on SCCs after the CJEU invalidated the U.S.-EU Safe Harbor Framework in 2015, following a challenge by the same privacy advocate (Schrems I case).
In this case, Schrems argued that the SCCs did not ensure an adequate level of protection for EU data subjects, as the United States’ legislation did not explicitly limit interference with an individual’s right to protection of personal data in the same manner as the EU data protection legislation, namely, the General Data Protection Regulation (GDPR).
A key concern in the dispute was whether EU personal data might be at risk of being accessed and processed by the United States government once transferred, in a manner incompatible with the privacy rights guaranteed by the Charter of Fundamental Rights, and whether there was any remedy available to EU individuals to ensure the protection of their personal data after transfer to the United States. In pursuit of the complaint, the Irish Data Protection Commissioner brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU). The preliminary questions concerned the validity of the SCCs but also concerned the EU-U.S. Privacy Shield framework.
The CJEU’s Ruling
Regarding SCCs, the CJEU primarily followed the non-binding opinion of the CJEU’s Advocate General Saugmandsgaard Øe. The CJEU held that SCCs provided sufficient protection for EU personal data. However, the Court held that EU organizations which relied on SCCs must take a proactive role in evaluating, before any transfer, whether there was, in fact, an “adequate level of protection” for personal data in the importing jurisdiction. Moreover, organizations may implement additional safeguards, over and above those contained in the SCCs, to ensure “an adequate level of protection” for the personal data transferred. The CJEU further noted that non-EU organizations importing data from the EU based on the SCCs must inform data exporters in the EU of any inability to comply with the SCCs. If non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection”, the EU data exporter is required to suspend the data transfer and/or terminate the contract. Furthermore, the judgment also restated the role of supervisory authorities in assessing and, where necessary, suspending and prohibiting the transfer of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of data transferred that is required by EU law cannot be ensured by other means.”
Contrary to the approach suggested by Advocate General Saugmandsgaard Øe in his opinion, the CJEU decided to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In its ruling, the CJEU held that the Privacy Shield framework was invalid as “the limitations on the protection of personal data arising from [U.S. domestic legislation] on the access and use [of the transferred data] by U.S. public [agencies] ... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU [legislation], by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Moreover, the CJEU found that the Privacy Shield framework did not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required by EU legislation. Based on this, the CJEU declared the Privacy Shield invalid.
Points to Take Away
Although SCCs remain valid, organizations that currently rely on them will need to reconsider, having regard to the nature of the personal data, the purpose and context of processing, and the country of destination, whether there is an “adequate level of protection” for personal data as required by EU legislation. If that level of protection is not met, organizations should implement additional safeguards to ensure there is an “adequate level of protection”.
Organizations that currently rely on the EU-U.S. Privacy Shield framework, by contrast, need to urgently identify an alternative data transfer mechanism in order to continue transferring personal data to U.S. organizations under the current GDPR legislation. Some plausible means might include Binding Corporate Rules as provided under the GDPR.