So when is it permissible to transfer personal data to a third country or international organisations? This is a question that has taken on new relevance. The long-running litigation by Austrian lawyer Max Schrems has moved another step towards a final resolution, following a decision in the Supreme Court on May 31st. It has once again brought the legality of transfers of personal data to 3rd countries or international organisations to the forefront of data protection discourse. Although the Schrems litigation commenced under the old Directive rules, the GDPR is now in effect and represents the law in the area since May 2018.
A brief overview will place the most recent litigation within its relevant context. That relevant context is the transfer of personal data outside of the EU/EEA and to international organisations. A more specific context means it has to be viewed in the light of the Safe Harbour Agreement and Standard Contractual Clauses (SCCs). Back in Oct. 2017, Ms. Justice Caroline Costello gave judgment in the High Court, and in May 2018 made a referral to the Court of Justice of the European Union (CJEU) of issues to be determined by the Court. These issues related to transfers using SCCs as the transfer channel. Facebook did not want the referral to reach the CJEU and initiated an appeal grounded on procedural legal grounds. Facebook’s strategy was to question the process rather than the principles involved.
At its core was whether there was or is an actual right to appeal a referral to the CJEU. In his judgment of Facebook’s appeal the Chief Justice, Mr. Frank Clarke, held that it is for the referring court, and that court alone, to decide to make a reference and whether to amend or withdraw that reference. He was satisfied it was only in limited circumstances, such as where the facts themselves were not sustainable on the evidence before the High Court in accordance with Irish procedural law, that any aspect of the High Court judgment could be overturned. Facebook was criticising the ‘proper characterisation of the underlying facts’, not the facts themselves, he said.
Ms. Justice Costello had sought to have clarifications on issues that spoke to the validity of the data transfer channels known as Standard Contractual Clauses (SCCs). She had 11 questions that she needed the CJEU to answer concerning a European Commission decision to approve the SCCs in the first place. Whether or not the measures provided for under Privacy Shield were comparable to the remedy available to EU citizens under Art. 47 of the EU Charter for breach of data protection rights was one point raised by the DPC in the High Court case. Privacy Shield replaced the Safe Harbours Privacy Principles, elements of which formed the basis of complaint for Max Schrems in some of his litigation.
We have referred in previous blogs to the notion of the balancing of the data subjects’ rights where their data is being processed. In the context of rights and personal data processing, all rights are taken into account, not just data protection rights. GDPR was not in effect at the time of the litigation commenced by Schrems and hence the reference to the EU Charter and, in particular, Arts. 7, 8 and 47. (Article 7 provides that “everyone has the right to respect for his or her private and family life, home and communications.” Article 8 states “everyone has the right to the protection of personal data concerning him or her,” and mandates that such data must be “processed fairly for specified purposes and on the basis of the person concerned or some other legitimate basis laid down by law.”
According to Article 7, “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” Article 8 further authorizes enforcement of the rules via independent authority. Article 47 guarantees a “right to an effective remedy before a tribunal” to “[e]veryone whose rights and freedoms [are] guaranteed by the law of the Union.” It also requires a “fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law.”)
The revelations by Edward Snowden in 2013 gave insights into the massive extent of the interception and surveillance of internet and telecommunications systems by the US National Security Agency. It was not just that these actions were disproportionate, but that they infringed upon the very right to privacy. At the time of the Snowden revelations, data transfers to the US were being governed by the so-called ‘Safe Harbours Agreement’. Despite this agreement, Schrems had concerns about both Facebook’s transfer of his personal data to the US, and processing of those data by American authorities.
A position taken by the DPC was that once an adequacy decision (here, the Safe Harbours Agreement) had been issued, the office had no part in investigating a complaint. Safe Harbours itself stood as testament to the adequacy of the protection of transfers of personal data to the US. Mr. Justice Hogan in the High Court thought Schrems was objecting more ‘to the terms of the Safe Harbour regime itself’, than to the DPC’s application of it. (Schrems v DPC [2014] IEHC 310 (18 June 2014) Para.69). This is often referred to as Schrems No.1.
Another position taken by the DPC was that the complaint was essentially speculative and hypothetical in nature. Mr. Justice Hogan took the view that there was no need to establish that the applicant had even grounds to suspect such a breach had occurred. It was enough to believe the mere absence of controls might lead to a breach of the applicant’s rights. If the matter was solely governed by Irish law significant issues would have arisen under the constitutional right to privacy. Mr Justice Hogan referred the case to the CJEU partly on the basis that, ‘in reality, on that key issue Irish law has been pre-empted by general EU law in the area…’ (Schrems, as above, at paras. 78-80). In hindsight, this reference to the CJEU was the beginning of the end for the Safe Harbours agreement.
CJEU Case C-362/14 (6 Oct. 2015)
It has to be borne in mind that the case before the Court dates back to Directive 95/46 days, pre-GDPR, that is. One definitive finding by the Court was that the DPC (or any National Supervisory Authority) when examining a claim concerning the compatibility of a Commission decision with the protection of the privacy rights and fundamental rights of an individual cannot declare the decision invalid themselves (of course, neither can the national courts). Where a national supervisory authority, such as the DPC, comes to the conclusion that the complaint is unfounded, the complainant must have, in accordance with Art. 47 of the EU Charter, access to judicial remedies enabling a challenge to be made before the national courts. The court must stay proceedings and make a reference to the CJEU for a preliminary ruling on validity, where the court is of the opinion that some grounds for invalidity are well founded. In addition, the national courts themselves can raise issues of their own motion.
In the converse situation, where the Supervisory Authority (SA) is of the opinion that the objections of a person lodging a complaint are well-founded, then the SA must put forward those objections in order for a national court to adjudicate upon them. A reference to the CJEU for a preliminary ruling can be made where a national court shares the doubts as to the validity of a decision. The Court ultimately found the Safe Harbours agreement invalid, mainly because the Commission had not made, ‘any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with those rights and without referring to the existence of effective legal protection against interference of that kind’. United States’ authorities were, ‘able to process the personal data transferred …and process the data in a way incompatible, in particular, with the purposes for which they were transferred…data subjects had no administrative or judicial means of redress…’ (at paragraph 90). Without appropriate safeguards in place, that mirror or match safeguards under EU law, there can be no adequacy.
Later on 20th Oct 2015, the proceedings were returned before the High Court and the decision of the CJEU was implemented by the making of an order setting aside the decision of the DPC not to investigate the original complaint of June 2013. The High Court then remitted the original complaint back to the DPC for investigation. Immediately following the High Court order Mr. Schrems re-formulated and resubmitted his complaint to take into account the fact that Safe Harbour had been struck down. Having considered the matter the DPC decided to proceed on the basis of the new formulation. During its investigation, the DPC established that Facebook, and many internet companies, continued to transfer personal data to the U.S. in large part by means of Standard Contractual Clauses (SCCs). These are pro forma agreements which have been approved by way of certain EU Commission decisions, as providing adequate data protection for the purpose of transferring personal data to third countries.
On 24 May 2016, the DPC issued a draft decision to Schrems and Facebook informing both that the preliminary decision was that the complaint was well-founded, but further submissions were invited from both parties. Three reasons were given by the DPC:
(a) A legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter;
(b) The SCCs do not address the CJEU’s objections concerning the absence of an effective remedy compatible with the requirements of Article 47 of the Charter as outlined in its judgment of 6 October 2015, nor could they; and,
(c) The SCCs themselves are therefore considered likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US.
The DPC, therefore, commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. Both Facebook and Mr. Schrems were named, as the joining of these parties affords them an opportunity (but not an obligation) to fully participate if they so wish and to make submissions in the case. All of this brings us back to the High Court and the decision by Ms Justice Costello to make a reference to the CJEU. She had also refused to put a stay on the reference to the CJEU, but Facebook then took things to the Supreme Court. As detailed earlier, Facebook’s appeal against the reference has been dismissed in the Supreme Court.
Soon it will be back to the CJEU. As it stands, it will be some time before we know whether the Standard Contractual Clauses at issue will hold up as legally sound channels of personal data transfer, in particular, to the United States. One can hypothesise about the interpretation the CJEU will favour, but whatever it is will have a bearing on future interpretation of the channels of transfer under the new GDPR regime.
In an upcoming blog, we will look through the lens of the GDPR to focus on the means by which personal data can now be legally transferred to third countries and international organisations. Future interpretations will be informed by the final decision of the CJEU on the Standard Contractual Clauses reference that is soon to be in that court.
Patrick Rowland, GDPRXpert.ie