DPC under pressure from critics.

The DPC is under pressure from critics with varied agendas. The backdrop for all of this has to be criticism from late last year, especially the criticism of the handling of some cases investigated by the DPC. Much of this criticism, perhaps unexpectedly, came from other EU Data Protection authorities, and more from journalists, commentators, interested actors (some perhaps with questionable motives) and data protection practitioners. In the foreground will be the DPC’s recently announced 2022-2027 regulatory strategy, which is timely in light of all the criticism levelled at the DPC of late. An annual report from the DPC is also informative and its timing is helpful to the public and for the morale of staff at the DPC. It is available here for your convenience.

In some opening remarks to the new regulatory strategy the DPC acknowledges that  some “challenges, against a backdrop of hugely increased public consciousness of data protection, have given rise to ambiguities of interpretation and application of the law that the DPC – along with its peer data protection authorities – must work to clarify”. The regulatory strategy is also “being implemented in the very early years of radically reformed data protection legislation – in the form of the GDPR and ancillary Law Enforcement Directive – along with all the attendant interpretative challenges that such immense regulatory change usually produces”.

 

The DPC “recognises that it cannot achieve its ambitions alone – new partnerships and new ways of engaging will be necessary as we look towards a future of closer convergence. Nonetheless, the DPC builds from a position of confidence: we are a Regulatory office with ambition, a clear sense of purpose, a history of achievement, and a future of considerable promise”. This last sentence will be questioned by many and it will irritate even more. It can hardly be stated with any conviction that the DPC builds from a position of confidence and a history of achievement. If anything, maybe it has underachieved, but that is for another time and forum.

Another sentence, “The DPC is of the belief that compliance in general will be greatly improved when stakeholders are clear in their understanding of how the law is enforced”, holds the essence of much of the criticism levelled at the DPC. Stakeholders are not clear in their understanding of how the law is enforced, and many of these stakeholders are other EU Data Protection authorities who have their own expertise in knowing and applying the GDPR, in particular. A stated goal in the new strategy is to bring clarity to stakeholders. This is easily stated as a goal to aim for, but again, sure to irritate many. Data protection law experts GDPRXPERT.ie take the view that the direct and primary strategy to achieve this goal will not be stated as easily. Two aspects will be key: having a clear goal, and knowing the most effective route to get to that goal. Compromises will be needed along the way as there are so many stakeholders involved. Ultimately, although the most effective route may well be signposted, there will be necessary diversions along the way in the interest of overall stakeholder consensus. Pragmatism has to guide any strategy where there are legitimate and valid competing interpretations of any regulation. In this context, the co-operation and consistency mechanism under GDPR is a clear example of necessary deviation from a legitimate route to a destination.

GDPRXPERT previously looked at issues in relation to the workings of the office of the DPC (see https://www.gdprxpert.ie/the-dpc-is-not-infallible/). We can say that some of the more recent criticism levelled at the office of the DPC is unjustified, some is justified, and more is premature. There is premature criticism because the CJEU is still going to have to interpret some aspects of the GDPR so that at least there is more clarity, if not 100% certainty, in relation to some contentious aspects of the GDPR. It is not surprising that some of the criticism of the DPC consistently emanates from the same sources, and one has to consider the possibility that some of these sources have their own particular agendas. Some of these agendas have very little to do with bolstering the data protection environment for any data subject. These agendas are more to do with using supposed concerns about data protection as a shallow conduit to increase their own profiles. Repetitive sources that spring to mind include Max Schrems and his NOYB organisation, The Irish Council for Civil Liberties, and some Euro MEPs who are sceptical about everything, including their own fellow sceptics.

Recent Criticism.

From the inception of the GDPR it became clear that the role of the Irish DPC would be central in the overall enforcement of the Regulation. There was no way it could be other than central, having so many global tech companies headquartered here. Indeed, there is much anecdotal evidence of regulators in other jurisdictions not exactly wishing the office of the DPC the best in their GDPR enforcement endeavours. Unquestionably, some regulators in more populous countries felt slighted by the stronger role the DPC here was destined to play. This was shared by many MEPs with nationalistic fervour, as opposed to European commitment. There was a similar sentiment expressed for years in relation to Ireland’s corporation tax regime.

It may be that criticisms that gained media attention at the end of 2021 had their origins in similar nationalistic contexts. For example, several members of the European Parliament (MEPs) recently wrote to the EU authorities and Minister for Justice Helen McEntee accusing the Irish DPC of lobbying for lower standards for big tech. This was vehemently denied by the DPC. It seems to expert data protection consultants, GDPRXPERT, that these criticisms were outlandish. At the core is an allegation that the DPC was acting in bad faith and devoid of objectivity. This was particularly the case in relation to the criticism directed at the DPC concerning some of its interactions with Facebook.

DPC response

The DPC responded by stating, “There has been considerable media coverage in recent days, alleging that the Data Protection Commission (DPC), acting in bad faith on foot of meetings it held with Facebook as part of its regulatory role, “lobbied” the European Data Protection Board (EDPB) with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b) GDPR (‘necessity for the performance of a contract’), in the best interests of the company. These allegations are utterly untrue. Issues relating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. That procedure is currently being conducted under Article 60 of the GDPR. (Art. 60 GDPR sets out the scenarios for co-operation between the lead supervisory authority and other supervisory authorities concerned over the same issue.) More significantly and separately, Article 6(1)(b) is the subject of proceedings before the Court of Justice of the European Union.”

 

As referenced earlier, the objective in going to the CJEU is to get clarity on an issue where it may not be possible to get certainty. There is not always going to be ‘a one size fits all’ decision. From a pragmatic perspective, often the best that can be expected is clarity, as opposed to certainty. Circumstances change from case to case and so much within the GDPR has valid differing interpretations. Differing interpretations are consistent with a regulation that has to be interpreted and applied in light of other competing rights. It has also been alleged that the DPC approved, negotiated or jointly developed Facebook’s position in relation to the legal basis for its processing operations. “This is absolutely incorrect and without basis in fact. To be clear, the DPC does not and never has, endorsed, jointly developed, approved or in any other way assented or consented to a controller’s or processor’s policies or position in relation to compliance with its data protection obligations” (DPC statement, 7th December, 2021).

Form of the criticism

A central tenet of the criticism in relation to the DPC’s dealings with Facebook on the issue of contract as a lawful basis for processing is that the DPC sought to subvert the procedures of the EDPB with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b), favourable to the interests of a particular controller. As a long-established data protection advisory service, GDPRXpert.ie would reject that immediately. What can be accepted is that issues relating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. The outcome of the procedures to which reference is made above will of course bind controllers and regulators alike, and may determine whether, when, and in what circumstances Article 6(1)(b) may be relied on by controllers as providing a legal basis for certain of their personal data processing operations.

Some critics of the DPC seem unaware themselves of the process that precedes the issuance of any guidelines from the European Data Protection Board on the interpretation of any concepts inherent in the GDPR. Amongst other things, according to the DPC, the criticism also “reveals a lack of any kind of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement” (DPC statement, 7 December, 2021).

It is a common sense expectation that stakeholders’ compliance level will improve when they are clearer in their understanding of how the law is enforced. This is especially so when regulations such as the GDPR are based on some very broad principles (see Art. 5 GDPR) rather than specifics, thus making regulations more open to interpretation than, for example, road traffic legislation. No wonder then that the DPC is involved in so much discussion with other Supervisory Authorities in other EU countries, and other stakeholders, with the goal of increasing certainty and stability in how data protection law is to be applied. If the DPC is doing this in good faith, then can any criticism be justified? Increased certainty and stability is to the benefit of all stakeholders.

This has been a consistent prong of attack for critics of the DPC, but what is often ignored or denied is the complex nature of many of the issues involved. As with all EU regulations, the CJEU is the final arbiter in the case of dispute, and the journey to that final point is long and arduous. Along the way, many opinion writers are guilty of unprofessionalism in simply repeating the same sources and quoting incorrect statistics. One of the most vocal critics of the DPC before and since the GDPR has been Max Schrems. Schrems No. 1 and No. 2 dragged on for years, but through no fault of the DPC. A closer look at these cases may enable a clearer understanding of the legal obstacles to be overcome in order to avoid the procedural pitfalls embodied in much of the GDPR. They also should demonstrate the complicated nature of the legal and regulatory remit of the office of the DPC.

Warranted criticism?

The painstaking nature of the legal processes that must be gone through to make prudent adjudications on data protection law issues leads to unfair criticism being directed at the DPC. Such criticism usually takes the form of hastily made statements to the press citing inaction by the DPC. These statements are often perceived as facts by some journalists who lack an understanding of both the depth of data protection issues involved and the consequences of a misapplication of the facts. Criticism is often then repeated without any objective analysis. Some analysis that is carried out is done by those least qualified to do it. Again, data protection law advisers GDPRXPERT.IE would reject such criticism as ill-informed at best and strategically devised at worst. If one takes the High Court judicial review taken by Facebook Ireland Ltd. (FBI), [2020 No. 617 JR.] [2020 No. 126 COM.], the judgment runs to 200 pages and is deserving of more than a cursory perusal by some commentators who later claimed to be expertly knowledgeable. What was clear from their comments was that, in all likelihood, they had hurriedly skimmed through a few pages.

Schrems seems to have taken matters somewhat personally and accused the DPC of failing to make a decision. In fact, much of his criticism seems to take the form of personality based attacks rather than legal or principles based formats. He seems to never have forgotten that his original complaint was dismissed on grounds of frivolity by the DPC. This seemed a reasonable view at the time, and it was only in the aftermath of the full revelations by Edward Snowden that the scenarios took on a different texture. However, what was lost on Schrems, who is himself a lawyer, was that, as pointed out by Bermingham J in O’N v McD [2013] IEHC 135, “the words frivolous and vexatious are terms of the Article, they are legal terms and they are not used in a pejorative sense. They merely mean the plaintiff has no reasonable chance of succeeding, and that, because there is no reasonable chance of success, it is frivolous to bring the case”.

Defensive position

A position taken by the DPC was that once an adequacy decision (here, the Safe Harbours Agreement) had been issued, the office had no part in investigating a complaint. This has always been the accepted view in relation to Commission decisions. For example, in Schrems No. 1 the CJEU stressed that while national authorities retained the ability to examine EU decisions, the CJEU alone retained the authority to declare an EU act (such as a Commission decision) invalid. It was clearly not within any legal remit of the DPC to act as a quasi court of last resort. Safe Harbours itself stood as testament to the adequacy of the protection of transfers of personal data to the US. Mr Justice Hogan in the High Court thought Schrems was objecting more ‘to the terms of the Safe Harbour regime itself’, than to the DPC’s application of it (Schrems v DPC [2014] IEHC 310 (18 June 2014) Para. 69). Another position taken by the DPC was that the complaint (the original) was essentially speculative and hypothetical in nature. However, Mr. Justice Hogan took the view that there was no need to establish that the applicant had even grounds to suspect such a breach had occurred. It was enough to believe the mere absence of controls might lead to a breach of the applicant’s rights. If the matter was solely governed by Irish law significant issues would have arisen under the constitutional right to privacy.

Mr Justice Hogan referred the case to the CJEU partly on the basis that, ‘in reality, on that key issue Irish law has been pre-empted by general EU law in the area…’ Facebook appealed this referral to the CJEU but the Supreme Court did not find reason to block it. The Court held it could not entertain an appeal over the fact of a referral itself. There had to be inconsistencies with the ‘facts’ found by the High Court. The Court held (through Clarke J.) it could only overturn those if it could be established they were not sustainable in accordance with the relevant Irish jurisprudence. Having reached the CJEU, the decision known as Schrems I was finally made in Oct. 2015. In that ruling, the CJEU quashed the Commission’s Decision, meaning that the US Safe Harbours could no longer be relied on as providing a legal basis for transfers of personal data to the US. It was in fact to enable a decision to be made that the DPC referred the case to the High Court in the first place. The idea was to get a decision for once and for all from the CJEU. This course of action has been assessed as rational, prudent and proper by EU Justice Commissioner Didier Reynders. Indeed, the action was widely praised, although some (including some MEPs) did not agree. Commissioner Reynders was categorical in stating that the DPC faces “complex” matters, including in an issue over the targeting of ads by social media companies.

Support for DPC

The Irish regulator has supported the idea of allowing social media companies to target users with adverts without their consent, on the basis of rules governing the performance of a contract. Many other European national data regulators oppose this stance and some have criticised the DPC’s position. However, Mr Reynders reminded the MEPs that the issue of advert targeting as it pertains to Facebook has already been referred to the EU’s court of justice in the context of contract law, essentially backing the Irish regulator’s decision to weigh the issue carefully. Remember this: at the very start Hogan J in the High Court had stated that the DPC had “demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision”. Commissioner Reynders also backed the DPC by dismissing criticism that it is running late in its handling of 98 per cent of cross-border privacy cases: “The figure about the proportion of cases dealt by the Irish DPC mentioned in your letter appears to be a misinterpretation of the statistic.”

Any criticism of the bona fides of the DPC regarding the original Schrems case was, and is, unjustified and cannot be legitimately upheld. Meanwhile, Facebook Inc. switched to “standard contractual clauses” to transfer EU data to the U.S., to which Schrems responded by updating his complaint with the DPC to include this new transfer mechanism, which launched Schrems No. 2. Although apparently not known by Mr Schrems at the time, FBI had identified three legal bases for ongoing transfers to the US. These were standard contractual clauses (SCCs), transfers with the consent of the data subject and transfers under the contractual necessity derogation in the then Directive. In fact, it was the DPC that had invited Schrems to reformulate his complaint in light of the judgment in Schrems I and in light of the fact that Safe Harbours had been found to be invalid. On 1 Dec. 2015 Schrems submitted a reformulated complaint using the validity of the standard contractual clauses as the prong of attack.

End in sight

In May 2016, the DPC issued a draft decision stating that the DPC had formed the view on a “preliminary basis” that Max Schrems’s contention that the SCCs could not be relied on was well founded. However, in the DPC’s view, questions as to the validity of the SCCs could only be determined by the CJEU, not by the DPC, or by national courts. The DPC therefore immediately commenced further proceedings in the Irish High Court seeking a reference to the CJEU. Following an unsuccessful appeal by Facebook Ireland Ltd. (FBI) against the High Court’s decision to refer a range of questions to the CJEU, these proceedings ultimately led to the CJEU’s Schrems II ruling in July 2020. It is worth noting that in the meantime the European Commission had adopted a Decision that the Privacy Shield, as a replacement for the Safe Harbor, now ensured an adequate level of protection for personal data transferred from the EU to the US. Furthermore, the GDPR had replaced the former Data Protection Directive, coming into force in May 2018.

The Schrems II ruling established that, although the SCCs remained valid, a data exporter in the EU making use of them is nevertheless required to verify, on a case by case basis, and taking into account their terms, whether the law and practice in the destination country ensures essentially equivalent protection for any transferred data. At particular issue was the ability of public authorities in the destination country to conduct surveillance on the transferred data. The CJEU had specifically concluded that EU citizens had no effective way to challenge American government surveillance of their personal data after it had been sent to the U.S. Such surveillance was legal under U.S. law. If the data exporter is not, as far as is necessary, able to put in place sufficient supplementary measures to guarantee essentially equivalent protection, the data exporter, or, failing that, the relevant data protection authority, is required to suspend or end the transfers. In the ruling, the CJEU also went on to quash the Commission’s Decision on the Privacy Shield.

Getting closer

In August 2020, the month following the CJEU’s ruling in Schrems II, the DPC wrote to FBI enclosing the Preliminary Draft Decision (PDD) that was subsequently the subject of FBI’s judicial review application. This gave FBI 21 days to respond and stated that the DPC was now undertaking an “own-volition” inquiry into FBI’s data transfers, after which it would return to Max Schrems’ original, reformulated complaint. At that stage the situation was that if the PDD was translated into a final decision, then Facebook would be required to suspend its data transfers to the US. However, Max Schrems appears to have taken exception to his apparent exclusion from proceedings and submitted his own application to the Irish High Court for judicial review of the DPC’s approach. Settlement was subsequently reached between the DPC and Max Schrems on this judicial review application, in which the DPC agreed, upon the Court’s lifting of the stay of its investigation, to progress the handling of Max Schrems’ complaint and its “own-volition” inquiry as expeditiously as possible. FBI took exception to the issuing of the PDD on several grounds relating to unfairness, including procedural unfairness, and instigated judicial review proceedings against the DPC with a consequential stay on the DPC’s “own-volition” inquiry. The case was heard by the Irish High Court in December.

What we now know

We now know that on 14 May 2021 the Irish High Court handed down its judgment in the judicial review case brought by Facebook Ireland Ltd (FBI) against the DPC, finding substantially in favour of the DPC. Although not entirely uncritical of the DPC, the judgment accepts the validity of the approach adopted by the DPC in its investigation of FBI’s data transfers. The Court did agree with FBI that the issuing of the PDD and the surrounding procedures were open to judicial review and therefore went on to consider, in some depth, each of the grounds of challenge advanced by FBI. In the course of proceedings, FBI dropped two of these grounds. The remaining grounds were all rejected by the Court, the overall conclusion being that FBI had not established any basis for calling into question the validity of the DPC’s processes. It is reported that on 20 May and with consent of the parties, the Irish High Court formally lifted the stay on the DPC’s “own-volition” inquiry. FBI still had the opportunity at that time to respond to this PDD but, unless it could satisfy the DPC as to the safeguards in place for its international transfers to the US, it seems likely that, following the application of the GDPR’s cooperation and consistency mechanism, FBI would be ordered to suspend these transfers.

Judgment time

The High Court judgment when it came was lengthy and detailed, running to nearly 200 pages. For the most part, it addressed procedural points which, given that the findings went against FBI, are unlikely to be particularly instructive for other businesses. The picture is also made more complex by the involvement of Max Schrems himself as a participant in the hearing and by his own application for judicial review against the DPC. This application was settled between the date of the High Court hearing and the date of the delivery of its judgment and is referred to in the judgment. There is thus little to be gained from an in-depth analysis of all aspects of the judgment. It might nevertheless be of value to recap just where we are now, and how we have arrived there, in the long running saga of Max Schrems and his challenges to FBI’s international data transfers. Some high level insights can also be drawn about the conduct of major investigations by data protection authorities which might be instructive. Finally, there remains an open question as to where this now leaves other businesses that are continuing to transfer personal data to the US on the basis of the European Commission’s Standard Contractual Clauses (SCCs).

It was clear from the judgment that the DPC’s preliminary view, as set out in its PDD, was that:

  • US law did not provide a level of protection that is essentially equivalent to that provided by EU law;
  • SCCs cannot compensate for the inadequate protection provided by US law;
  • FBI did not appear to have in place any supplemental measures which would compensate for the inadequate protection provided by US law.

More support for DPC

The High Court judgment was undoubtedly welcome news for the embattled Irish Data Protection Commissioner, Helen Dixon. She had come, and continues to come, under fire from many sides, including the European Parliament’s LIBE Committee, for what is perceived to be a reluctance to take sufficiently strong enforcement action against major tech companies that have their European headquarters in Ireland and for her office’s long processing times. The LIBE Committee even expressed disappointment with her decision to initiate the Schrems II case rather than triggering enforcement action against FBI. Furthermore, the Committee has called on the European Commission to launch infringement proceedings against Ireland for a failure to enforce the GDPR effectively. Against this background, the judicial review case makes clear that the DPC was right to have proceeded cautiously.

When faced with enforcement action that seeks to significantly restrict their business models or when faced with multi-million euro fines businesses will understandably look for legitimate avenues to challenge the actions of data protection authorities, whether through more conventional appeals against sanctions or by means of judicial review. Any data protection authority needs to have a defensible position that it can put before the courts when challenged. The DPC has survived an examination by the Irish High Court and there can be no denying that it was a comprehensive and searching examination.

Had the DPC been found to have jumped to conclusions without a thorough investigation, not to have been offering FBI a proper opportunity to state its case, otherwise followed procedures that were unfair to any of the parties involved or had not been sufficiently transparent about those procedures, it would almost certainly have come a cropper. Ensuring the necessary procedural fairness requires time and effort by a data protection authority whatever the political pressures on it might be. At the time there was a concerted and shallow choreography of criticism directed at the DPC.

The High Court did recognise that there has to be some flexibility. A data protection authority can legitimately be expected to continue a well-established practice of following a particular procedure but, provided that it stays within the law, it does not have to do so rigidly. It can adapt its approach to the circumstances of particular cases. It is just that any procedural variation by the data protection authority has to be based on objective reasons and must not create unfairness or be unjust to the party under investigation. Nothing was written in stone. An earlier annual report, detailing inquiry procedures that Facebook sought to rely on, did state (at p. 28) things were “subject to changes” (see DPC Annual Report 2018).

Rebuke for DPC

The DPC did not entirely escape criticism though. The High Court judge, whilst finding in favour of the DPC in relation to an allegation of premature judgment, suggested that it might have been wiser for the Commissioner, Helen Dixon, to have been more circumspect in remarks she made in a conference address to the effect that the Schrems II ruling by the CJEU had given her no room for manoeuvre in relation to EU-US data transfers. Again, whilst finding in favour of the DPC in relation to an allegation of a failure to respect the duty of candour, the judge expressed some misgivings about the DPC’s failure to respond more fully to requests for information from FBI and suggested that it had acted in an overly defensive manner. The Judge was actually at his most critical in relation to an allegation by the DPC that FBI’s issuing of its proceedings amounted to an abuse of process and had been done for an improper purpose, that of buying time. Here the Judge said that this was a serious allegation, that there was no basis for it and that it ought never to have been made.

 

Data protection commissioners have a difficult path to steer. On the one hand they operate in an increasingly political environment and are expected to be champions of privacy and of data subject rights. On the other hand, when considering sanctions, they carry out quasi-judicial functions and have to act, and be seen to act, fairly and without bias. The High Court judgment confirms that Helen Dixon has managed to keep to the straight and narrow so far in the case in question, but the same might not have been true had she conceded more ground to her critics. What is clear though is the extent to which commissioners, when acting in their quasi-judicial capacity, can now be held accountable to the courts, and the extent to which affected businesses may be willing to exercise their rights to give effect to this accountability. As the UK Commissioner, Elizabeth Denham, was also reminded when seeking to defend the ICO’s imposition of a fine on Facebook in the wake of the Cambridge Analytica scandal, commissioners need to be very careful not to risk giving any appearance of rushing to premature judgment, to stick to their published procedures unless there are objective and fair reasons for departing from these, and not to otherwise risk bringing unfairness or injustice into their deliberations, whatever the wider pressures on them might be.

Back to the SCCs

It was the question of supplemental measures that attracted most interest from other businesses. Here it needs to be borne in mind that Facebook Inc in the US qualifies as an electronic communications service provider and can therefore be ordered to make transferred data about specified non-US persons in its stored communications directly available to US public authorities. It is not just liable to have its communications to and from the EU intercepted in transit by such authorities. Although, in an effort to be helpful, the EDPB had produced recommendations on supplemental measures that could be adopted to enhance the SCCs, there remained a question in relation to EU-US transfers as to how to sufficiently compensate for the inadequate protection provided by US law in practice.

We now know that the DPC went on to prepare a full draft decision and submitted it via the co-operation and consistency mechanism. The DPC had simultaneously been working on an inquiry into Facebook Ireland (now Meta Platforms) concerning a series of data breaches between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Final destination in sight?

Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU. On 15 March 2022 the DPC imposed a fine of €17 million on FBI (Meta Platforms). To any fair-minded neutral observer, any criticism of the DPC on the basis of inactivity is certainly unsustainable.

Remember, in the context of the FBI/Schrems saga the DPC had to prepare its draft decision and submit this to the cooperation and consistency mechanism, which ultimately involved the need for an EDPB opinion. This process seldom results in a quick outcome, despite the time limits in the GDPR. Because of a sort of stalemate on the issue going back to February this year, there were movements by some national supervisory authorities to take a stand on the case. Some adopted a literal interpretation of the ruling.

The French privacy regulator CNIL ruled that an unnamed website could not use Google Analytics because doing so involves the transfer of personal information from Europe to the U.S. in violation of the 2020 Schrems II decision. The French decision came  hot on the heels of a decision by Austria’s data protection authority to also ban a website from using the popular Google web analytics tool for the same reason, and presages a raft of decisions by other European data protection authorities on the use of these tools. The Dutch privacy agency warned last December  that using Google Analytics may soon be illegal. Elsewhere, the Norwegian data watchdog has advised companies to start looking for alternatives to Google’s tools.

Almost there!

Data protection authorities, including the CNIL, are also expected to rule soon on the use of Facebook’s analytics tool, known as Facebook Connect. These decisions mark a significant clamp-down on data transfers, which form the lifeblood of the digital economy and represent billions of euros’ worth of transatlantic trade. GDPR and data protection advisory services, such as GDPRXPERT.ie, have had a large volume of enquiries from businesses regarding the future of transfers to the US. Much from the preceding paragraphs has been reported through https://www.politico.eu/article/us-eu-data-transfers-on-life-support-after-french-google-decision/

Once the landmark decision began to bite, regulators across the bloc were left with few  alternatives or choices in adhering to the new rules. That began to prompt companies like Google, Microsoft and TikTok to consider the once unthinkable: storing ever more data in Europe. The potential negative effects of such moves may also have spurred the DPC to continue efforts to resolve the issue.  After the 2021 High Court ruling against Facebook the DPC was able to continue efforts to bring a conclusion to the protracted affair. This meant publishing a full draft decision and taking it all through the cooperation and consistency mechanism under Art. 60 GDPR in order to set out a final decision. This is exactly what the DPC did. Throughout all of this, proper procedures were followed.

Finally, the stage was reached where it was imperative that the Commission reach a decision on transfers. Some measure of substantive adjustment to existing Standard Contractual Clauses, or an entirely new mechanism, was needed to ensure uninterrupted data flows to the US. On 22nd March 2022 the European Commission and the Biden administration reached an agreement in principle, the Trans-Atlantic Data Privacy Framework Agreement. While the agreement is still “in principle” and specific details have yet to be determined, if approved, this agreement will reimplement an important legal mechanism necessary to facilitate data transfers between the European Union and the United States. Some have urged caution: “From a purely technical perspective, there’s no path forward for data transfers. That’s why we need [a] durable EU-U.S. data pact that can stand the test in court,” said Rob van Eijk, Europe managing director for the Future of Privacy Forum think tank.

More still to come

Very soon we will return to the issue to report on the evolving  position on transfers to the US.

We also note the DPC has attempted to clear the air on the criticisms directed at it and has issued a report on cross-border complaints in which it sets out the actual statistics, instead of some alternative ones that, to an objective observer, were clearly distorted, biased and misleading. See https://www.dataprotection.ie/en/news-media/press-releases/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss The actual report is here.

 


Patrick Rowland, GDPRXPERT.ie

Schrems case drawing to a close?

 

So when is it permissible to transfer personal data to a third country or international organisations?  This is a question that has taken on new relevance. The long-running litigation by Austrian lawyer Max Schrems has moved another step towards a final resolution, following a decision in the Supreme Court on May 31st. It has once again brought the legality of transfers of personal data to 3rd countries or international organisations to the forefront of data protection discourse. (Link to Irish Times article here).  Although the Schrems litigation commenced under the old Directive rules, the GDPR is now in effect and represents the law in the area since May 2018.

A brief overview will place the most recent litigation within its relevant context. That relevant context is the transfer of personal data outside of the EU/EEA and to international organisations. A more specific context means it has to be viewed in the light of the Safe Harbour Agreement and Standard Contractual Clauses (SCCs). Back in Oct. 2017, Ms. Justice Caroline Costello gave judgment in the High Court, and in May 2018 made a referral to the Court of Justice of the European Union (CJEU) of issues to be determined by the Court. These issues related to transfers using SCCs as the transfer channel. Facebook did not want the referral to reach the CJEU and initiated an appeal grounded on procedural legal grounds. Facebook’s strategy was to question the process rather than the principles involved.

 

At its core was whether there was or is an actual right to appeal a referral to the CJEU. In his judgment of Facebook’s appeal the Chief Justice, Mr. Frank Clarke, held that it is for the referring court, and that court alone, to decide to make a reference and whether to amend or withdraw that reference. He was satisfied it was only in limited circumstances, such as where the facts themselves were not sustainable on the evidence before the High Court in accordance with Irish procedural law, that any aspect of the High Court judgment could be overturned. Facebook was criticising the ‘proper characterisation of the underlying facts’, not the facts themselves, he said.

Ms. Justice Costello had sought to have clarifications on issues that spoke to the validity of the data transfer channels known as Standard Contractual Clauses (SCCs). She had 11 questions that she needed the CJEU to answer concerning a European Commission decision to approve the SCCs in the first place. Whether or not the measures provided for under Privacy Shield were comparable to the remedy available to EU citizens under Art. 47 of the EU Charter for breach of data protection rights was one point raised by the DPC in the High Court case. Privacy Shield replaced the Safe Harbours Privacy Principles, elements of which formed the basis of complaint for Max Schrems in some of his litigation. For more information on Privacy Shield click here.

We have referred in previous blogs to the notion of the balancing of the data subjects’ rights where their data is being processed. In the context of rights and personal data processing, all rights are taken into account, not just data protection rights.  GDPR was not in effect at the time of the litigation commenced by Schrems and hence the reference to the EU Charter and, in particular, Arts. 7, 8 and 47. (Article 7 provides that “everyone has the right to respect for his or her private and family life, home and communications.” Article 8 states “everyone has the right to the protection of personal data concerning him or her,” and mandates that such data must be “processed fairly for specified purposes and on the basis of the person concerned or some other legitimate basis laid down by law.”

According to Article 7, “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” Article 8 further authorizes enforcement of the rules via independent authority. Article 47 guarantees a “right to an effective remedy before a tribunal” to “[e]veryone whose rights and freedoms [are] guaranteed by the law of the Union.” It also requires a “fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law.”)

The revelations by Edward Snowden in 2013 gave insights into the massive extent of the interception and surveillance of internet and telecommunications systems by the US National Security Agency. It was not just that these actions were disproportionate, but that they infringed upon the very right to privacy. At the time of the Snowden revelations, data transfers to the US were being governed by the so-called ‘Safe Harbours Agreement’. Despite this agreement, Schrems had concerns about both Facebook’s transfer of his personal data to the US, and processing of those data by American authorities.

A position taken by the DPC was that once an adequacy decision (here, the Safe Harbours Agreement) had been issued, the office had no part in investigating a complaint. Safe Harbours itself stood as testament to the adequacy of the protection of transfers of personal data to the US. Mr. Justice Hogan in the High Court thought Schrems was objecting more ‘to the terms of the Safe Harbour regime itself’, than to the DPC’s application of it. (Schrems v DPC [2014] IEHC 310 (18 June 2014) Para.69). This is often referred to as Schrems No.1.

Another position taken by the DPC was that the complaint was essentially speculative and hypothetical in nature. Mr. Justice Hogan took the view that there was no need to establish that the applicant had even grounds to suspect such a breach had occurred. It was enough to believe the mere absence of controls might lead to a breach of the applicant’s rights. If the matter was solely governed by Irish law significant issues would have arisen under the constitutional right to privacy. Mr Justice Hogan referred the case to the CJEU partly on the basis that, ‘in reality, on that key issue Irish law has been pre-empted by general EU law in the area…’ (Schrems, as above, at paras. 78-80). In hindsight, this reference to the CJEU was the beginning of the end for the Safe Harbours agreement.

CJEU Case C-362/14 (6 Oct.2015)

It has to be borne in mind that the case before the Court dates back to Directive 95/46 days, pre-GDPR, that is. One definitive finding by the Court was that the DPC (or any National Supervisory Authority), when examining a claim concerning the compatibility of a Commission decision with the protection of the privacy rights and fundamental rights of an individual, cannot declare the decision invalid themselves (of course, neither can the national courts). Where a national supervisory authority, such as the DPC, comes to the conclusion that the complaint is unfounded, the complainant must have, in accordance with Art. 47 of the EU Charter, access to judicial remedies enabling a challenge to be made before the national courts. The court must stay proceedings and make a reference to the CJEU for a preliminary ruling on validity, where the court is of the opinion that some grounds for invalidity are well founded. In addition, the national courts themselves can raise issues of their own motion.

In the converse situation, where the Supervisory Authority (SA) is of the opinion that the objections of a person lodging a complaint are well-founded, then the SA must put forward those objections in order for a national court to adjudicate upon them. A reference to the CJEU for a preliminary ruling can be made where a national court shares the doubts as to the validity of a decision. The Court ultimately found the Safe Harbours agreement invalid, mainly because the Commission had not made ‘any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with those rights and without referring to the existence of effective legal protection against interference of that kind’. United States’ authorities were ‘able to process the personal data transferred …and process the data in a way incompatible, in particular, with the purposes for which they were transferred…data subjects had no administrative or judicial means of redress…’ (at paragraph 90). Without appropriate safeguards in place that mirror or match safeguards under EU law, there can be no adequacy.

 

Later, on 20th Oct 2015, the proceedings were returned before the High Court and the decision of the CJEU was implemented by the making of an order setting aside the decision of the DPC not to investigate the original complaint of June 2013. The High Court then remitted the original complaint back to the DPC for investigation. Immediately following the High Court order, Mr. Schrems re-formulated and resubmitted his complaint to take into account the fact that Safe Harbour had been struck down. Having considered the matter, the DPC decided to proceed on the basis of the new formulation. During its investigation, the DPC established that Facebook, and many internet companies, continued to transfer personal data to the U.S. in large part by means of Standard Contractual Clauses (SCCs). These are pro forma agreements which have been approved by way of certain EU Commission decisions as providing adequate data protection for the purpose of transferring personal data to third countries.

On 24 May 2016, the DPC issued a draft decision to Schrems and Facebook informing both that the preliminary decision was that the complaint was well-founded, but that further submissions were invited from both parties. Three reasons were given by the DPC:

(a) A legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter;

(b) The SCCs do not address the CJEU’s objections concerning the absence of an effective remedy compatible with the requirements of Article 47 of the Charter as outlined in its judgment of 6 October 2015, nor could they; and,

(c) The SCCs themselves are therefore considered likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US.

The DPC, therefore, commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. Both Facebook and Mr. Schrems were named, as the joining of these parties affords them an opportunity (but not an obligation) to fully participate if they so wish and to make submissions in the case. All of this brings us back to the High Court and the decision by Ms Justice Costello to make a reference to the CJEU. She had also refused to put a stay on the reference to the CJEU, but Facebook then took things to the Supreme Court. As detailed earlier, Facebook’s appeal against the reference has been dismissed in the Supreme Court.

Soon it will be back to the CJEU. As it stands, it will be some time before we know whether the Standard Contractual Clauses at issue will hold up as legally sound channels of personal data transfer, in particular, to the United States. One can hypothesise about the interpretation the CJEU will favour, but whatever it is will have a bearing on future interpretation of the channels of transfer under the new GDPR regime.

In an upcoming blog, we will look through the lens of the GDPR to focus on the means by which personal data can now be legally transferred to third countries and international organisations. Future interpretations will be informed by the final decision of the CJEU on the Standard Contractual Clauses reference that is soon to be in that court.

Patrick Rowland, GDPRXpert.ie

 
