Data Protection Commissioner v. Facebook & Max Schrems (CJEU)

Summary

Data Protection Commissioner v. Facebook & Max Schrems is a follow-up case to the landmark Court of Justice of the European Union (CJEU) ruling striking down the "Safe Harbor" arrangement for transferring personal data of EU consumers from the EU to the United States. This case, now before the CJEU, was brought by the Irish Data Protection Commissioner in the Irish High Court. The case concerns whether transferring data to the United States using a different legal mechanism, "standard contractual clauses," violates the European Charter of Fundamental Rights.

Following the CJEU ruling invalidating "Safe Harbor" (promptly replaced by a similarly flawed EU-US "Privacy Shield" pact), Austrian privacy activist Schrems filed a renewed complaint with the Irish DPC based on Facebook's use of standard contractual clauses (SCCs) to authorize EU-US data transfers. If a country does not have an adequate level of privacy protection, EU law still permits personal data to be transferred abroad where another legal mechanism can provide sufficient data privacy safeguards. Mechanisms approved by the European Commission include certain "standard contractual clauses." However, Schrems contended that U.S. surveillance law is not in line with the requirements laid down by EU law, including the judgment of the CJEU in the Safe Harbor decision, resulting in a violation of European fundamental rights notwithstanding the use of SCCs. The Irish DPC began an investigation into two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could SCCs used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? The DPC determined that US law fails to adequately provide legal remedies to EU citizens and the SCCs did not provide an adequate remedy above and beyond that shortcoming. The Irish DPC brought suit in the Irish High Court, asking for referral to the CJEU on the question of whether the SCCs violated EU fundamental rights. EPIC was designated the sole US amicus in that case and provided detailed submissions on US surveillance and privacy law.

On October 3, 2017, the High Court ruled that there were "well founded" concerns that SCCs violate European fundamental rights, and that it would refer the case to the CJEU. The High Court formally referred the case to the CJEU on April 12, 2018. The referral asked eleven questions of the CJEU to determine whether the SCCs are invalid.

Questions referred

1.

In circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose pursuant to Decision 2010/87/EU as amended by Commission Decision 2016/2297 (“the SCC Decision”) and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter of Fundamental Rights of the European Union (“the Charter”)) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to national security and the provisions of the first indent of Article 3(2) of Directive 95/46/EC (“the Directive”) in relation to public security, defence and State security?

2.

(1) In determining whether there is a violation of the rights of an individual through the transfer of data from the EU to a third country under the SCC Decision where it may be further processed for national security purposes, is the relevant comparator for the purposes of the Directive: a) The Charter, TEU, TFEU, the Directive, ECHR (or any other provision of EU law); or b) The national laws of one or more member states?

(2) If the relevant comparator is b), are the practices in the context of national security in one or more member states also to be included in the comparator?

3.

When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of the Directive, ought the level of protection in the third country be assessed by reference to:

a) The applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; OR

b) The rules referred to in a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country?

4.

Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?

5.

Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision:

a) Does the level of protection afforded by the US respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?

If the answer to a) is yes,

b) Are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?

6.

(1) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) in light of the provisions of the Directive and in particular Articles 25 and 26 read in the light of the Charter?

(2) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under the SCC Decision satisfies the requirements of the Directive and the Charter?

7.

Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive?

8.

If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the clauses of the Annex to the SCC Decision or Article 25 and 26 of the Directive and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of Recital 11 of the Directive, or can a data protection authority use its discretion not to suspend data flows?

9.

(1) For the purposes of Article 25(6) of the Directive, does Decision (EU) 2016/1250 (“the Privacy Shield Decision”) constitute a finding of general application binding on data protection authorities and the courts of the member states to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of the Directive by reason of its domestic law or of the international commitments it has entered into?

(2) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the SCC Decision?

10.

Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?

11.

Does the SCC Decision violate Articles 7, 8 and/or 47 of the Charter?

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in the case below as the only NGO from the United States to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has participated as an amicus before international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has a long history in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.

Legal Documents

  • Irish High Court Referral to the CJEU (April 12, 2018)
  • Irish High Court Judgment (Oct. 3, 2017)