Tag: Schrems

CJEU judges the EU-US Privacy Shield invalid

16. July 2020

On June 16th, 2020, the Court of Justice of the European Union (CJEU) has declared the invalidity of Decision 2016/1250, therefore rendering protection granted to data transfers under the EU-US Privacy Shield inadequate.

The background

The case originated in a complaint of Mr. Max Schrems against Facebook Ireland regarding the transfer of his personal data as a Facebook user to Facebook Inc., situated in the USA, for further processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to the USA. That complaint was rejected on the ground that, in Decision 2000/5205, the Safe Harbour Decision, the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on October 6th, 2015, the CJEU, to which the High Court of Ireland had referred questions for a preliminary ruling, declared that decision invalid, resulting in the Schrems I judgment.

Today’s judgement in the Schrems II case came from the request of the Irish High Court to Mr. Schrems to reformulate his initial complaint, seeing as the Safe Harbour Agreement had been deemed inadequate. In the following, Mr. Schrems reformulated his complaint, and claimed that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the Standard Contractual Clauses (SCCs) set out in the Annex to Decision 2010/87. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the SCCs, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court of Ireland also raised the question of the validity of both decisions,  Decision 2010/87 and  Decision 2016/1250.

Judgement in regard to SCCs

In its judgements, the CJEU has stated that it had, after examination of the SCCs in light of the Charter of Fundamental Rights, found nothing that affected the validity of the SCCs and Decision 2010/87.

With regards to the transfer of personal data to third countries, the CJEU claims that the requirements for such purposes set out by the GDPR concerning appropriate safeguards, enforceable rights and effective legal measures must be interpreted in such a way that data subjects whose personal data is transferred into a third country must be afforded a level of protection essentially similar to the level of protection granted within the European Union by the GDPR.

Data Protection Authorities must, unless an adequacy decision has been ruled by the Commission, be required to suspend or prohibit a transfer of personal data to a third country which does not meet these requirements.

The CJEU holds that the SCCs are still effective mechanisms that make it possible to ensure compliance with a level of protection required by the European Union. In that regard the CJEU points out that this imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and to suspend the transfer of the personal data if it is not.

Judgement in regard to the EU-US Privacy Shield

The CJEU, after thorough examination, concluded that the EU-US Privacy Shield is not adequate protection for transfers to the USA.

This result comes from the fact that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The USA limits most of its protections of personal data from governmental surveillance to US citizen, but does not extend that protection to the personal data of citizens of other countries.

In essence, the limitations on the protection of personal data arising from the domestic law of the USA on the access and use by US public authorities of such data transferred from the European Union are not restricted in a way that satisfies requirements that are equivalent to those required under EU law, which were mentioned in regards to SCCs above. By the principle of proportionality, the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Unless an empowerment and independence of the Ombudsperson takes place, which would give the competence to adopt decisions which are binding on US intelligence services, there are no substantial cause of actions for data subjects before a body which gives legal guarantees in the way that is required by European law for transfers to be equivalent in protection.

Assessment

Overall, the CJEU states that necessary data transfers are still able to continue under Article 49 of the GDPR. However, the provision’s interpretation is restrictive, leaving most companies with data transfers to the USA which are now considered illegal.

Due to the requirements of adequate protection even when relying on the validated SCCs, transfers under such circumstances may also be found unlawful due to the local intelligence laws in the USA, which do not uphold the requirements necessary by European law.

Overall, it is a clear statement of the necessity of reforms of the US intelligence laws, which have to create adequate protections to be able to guarantee the same level of data protection as the European Union, if they want to continue data trades and data transfers necessary for processing.

What does this mean for you?

  • If your business has a EU-US Privacy Shield certification, and uses such for legitimization of data transfers within a group of companies, you should push towards the use of the European Standard Contractual Clauses within that corporate group.
  • If you are employing service providers which rely on the EU-US Privacy Shield certification, you should also push for the use of Standard Contractual Clauses, or base the data transfer on a different solution for an adequate level of data protection.

Regional Court of Vienna judges in Schrems against Facebook case

6. July 2020

On June 30th, 2020, the Vienna Regional Court passed judgement in the case of Max Schrems against Facebook Ireland Limited, in the case number 3 Cg 52/14k-91 (in German). In the following, we will be presenting the case and the court’s judgement.

Facts of the case

In the years 2011, 2012, 2013, 2015 and 2019, the plaintiff submitted requests for information in accordance with Art. 15 GDPR. The defendant initially responded to these requests with an 18-page pdf file dated 09.06.2011 and a CD with further pdf files of 1,222 A4 pages. Despite the information provided, the plaintiff felt that his rights as stated by the GDPR had been violated, as none of the consecutive requests had been answered. From his point of view, the information provided was neither sufficient in terms of content nor was the number of responses in relation to the number of requests made sufficient for him.

Furthermore, the plaintiff was concerned by the data processing by third parties, about which he received no clear information. He also stated that he was “Controller” in the sense of the GDPR. The defendant had not fulfilled the resulting requirements, as Data Processor, of concluding a Data Processing Agreement with the plaintiff. Finally, the defendant had violated Art. 9 GDPR by failing to obtain consent in respect of his interests and further sensitive data, for which the plaintiff demanded injunction for future data processing.

Guiding principles of the judgement

The Regional Court judged on the following guiding principles in the case:

  • the defendant must provide the plaintiff with complete information in writing and free of charge within fourteen days about all personal data of the plaintiff processed by it, stating the exact origin and, if applicable, the exact recipients of the data,
  • and pay the applicant the sum of EUR 500 in damages within fourteen days.

Reason for decision

The regional court’s guiding principles on the case were the only points in the plaintiff’s claim in which they judged in his favour. The court has stated that the tools used and information given by the defendant to inform the plaintiff about the processed personal data is not enough to meet the requirements of Art. 15 GDPR’s right of access. This results in a lack of control of the plaintiff over his own personal data, which goes against his fundamental right to data privacy. Therefore, the court has ruled damages in the sum of EUR 500 as adequate compensation for the infringement of Mr. Schrems’ privacy.

Regarding Mr. Schrems’ other points, the court ruled that because the plaintiff uses the Facebook platform in light of private/family activities, he cannot be a Controller of the processed personal data due to the fact that according to Art. 2 II lit.c GDPR, the regulation does not apply to him. This also applies to social media and online networks, as mentioned in Recital 18. Therefore, Facebook is not a Data Processor in the terms of those private activities and purposes, which negates the requirement of a Data Processing Agreement according to Art 28 GDPR.

Further, the court sees no sensitive data in the lines of Art. 9 GDPR to be at risk. In light of the personalisation of the platform, such as personalized ads and suggestions, the court stated that this belongs to the core of the defendant’s business activities. As such, there is no consent needed, as the defendant states that the processing of the data is for the purpose of a contract. The plaintiff, according to the court, has entered into such a contract knowing of the terms of service and on his own behalf in order to use the platform’s services. An injunction regarding the future processing of such personal data is therefore not to be applied.

Assessment

Overall, the Regional Court’s judgement has only a minimal practical relevance, as it is hard to fully assess the consequences of the passed judgement. One can neither say how the conduct will affect the future management of the company, nor is it certain whether the judgement will even become final in the first place. However, the plaintiff has already announced on NOYB’s homepage that he will lodge an appeal, and it therefore will remain to be seen what practical relevance can be drawn from the case in the future.

Advocate General releases opinion on the validity of SCCs in case of Third Country Transfers

19. December 2019

Today, Thursday 19 of December, the European Court of Justice’s (CJEU) Advocate General Henrik Saugmandsgaard Øe released his opinion on the validity of Standard Contractual Clauses (SCCs) in cases of personal data transfers to processors situated in third countries.

The background of the case, on which the opinion builds on, originates in the proceedings initiated by Mr. Maximillian Schrems, where he stepped up against Facebook’s business practice of transferring the personal data of its European subscribers to servers located in the United States. The case (Schrems I) led the CJEU on October 6, 2015, to invalidate the Safe Harbor arrangement, which up to that point governed data transfers between the EU and the U.S.A.

Following the ruling, Mr. Schrems decided to challenge the transfers performed on the basis of the EU SCCs, the alternative mechanism Facebook has chosen to rely on to legitimize its EU-U.S. data flows, on the basis of similar arguments to those raised in the Schrems I case. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling, the Schrems II case.

In the newly published opinion, the Advocate General validates the established SCCs in case of a commercial transfer, despite the possibility of public authorities in the third country processing the personal data for national security reasons. Furthermore, the Advocate General states that the continuity of the high level of protection is not only guaranteed by the adequacy decision of the court, but just as well by the contractual safeguards which the exporter has in place that need to match that level of protection. Therefore, the SCCs represent a general mechanism applicable to transfers, no matter the third country and its adequacy of protection. In addition, and in light of the Charter, there is an obligation for the controller as well as the supervisory authority to suspend any third country transfer if, because of a conflict between the SCCs and the laws in the third country, the SCCs cannot be complied with.

In the end, the Advocate General also clarified that the EU-U.S. Privacy Shield decision of 12 July 2016 is not part of the current proceedings, since those only cover the SCCs under Decision 2010/87, taking the questions of the validity of the Privacy Shield off the table.

While the Advocate General’s opinion is not binding, it represents the suggestion of a legal solution for cases for which the CJEU is responsible. However, the CJEU’s decision on the matter is not expected until early 2020, setting the curiosity on the outcome of the case high.

Irish High Court refers Facebook case to the CJEU

6. October 2017

On October 3rd 2017, the Irish High Court publicised it will refer the Facebook case to the Court of Justice of the European Union (CJEU). The lawsuit is based on a complaint to the Irish Data Protection Commissioner filed by Max Schrems, an Austrian lawyer and privacy activist. Schrems was also involved in the case against Facebook resulting in the CJEU’s landmark decision declaring the Commission’s US Safe Harbour Decision invalid.

In his new complaint, Schrems is challenging the data transfers of Faceook to the US on the basis of the “Model Contracts for the transfer of personal data to third countries”, also known as standard contractual clauses (SCCs). Schrems himself said, “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that.”

In contrast to Schrems, the Irish Data Protection Commissioner challenged the validity of the SCCs in general and not only in matters of Facebook. Due to the importance of the case, the Irish High Court referred it to the CJEU. The CJEU will now have to decide whether data transfers to the US are valid on the basis of the Commission’s Model Contracts. It remains to be seen what the CJEU will decide and if its decision will have an impact on the Privacy Shield framework.