EU to US facebook data transfer ruled insufficient

Personal data transferred from the European Union to the United States was not sufficiently protected from use by US public authorities so as to satisfy the requirements of EU law. Consequently, a decision of the European Commission to contrary effect was invalid.

The Grand Chamber of the Court of Justice of the European Union so held on a reference for a preliminary ruling from the High Court of Ireland in proceedings brought by the Data Protection Commissioner in Ireland concerning Facebook Ireland Ltd and the data subject, Maximillian Schrems. The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance Inc and Digitaleurope intervened in the proceedings.

The Grand Chamber said that Mr Schrems, an Austrian national residing in Austria, had been a user of the Facebook social network since 2008. Any person residing in the EU who wished to use Facebook was required to conclude, at the time of his or her registration, a contract with Facebook Ireland Ltd, a subsidiary of Facebook Inc which was established in the United States. Some or all of the personal data of Facebook Ireland’s users who resided in the EU was transferred to servers belonging to Facebook Inc that were located in the United States, where it underwent processing. Mr Schrems filed a complaint with the Data Protection Commissioner in Ireland requesting that Facebook Ireland be prohibited from transferring his personal data to the United States. That complaint led to the Court of Justice judgment in Schrems v Data Protection Commissioner (Case C-362/14) ([2016] QB 527).

Following that judgment, the European Commission adopted Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (the Privacy Shield Decision), article 1(1) of which stated that the United States ensured an adequate level of protection for personal data transferred from the EU to organisations in the United States under the EU-US “Privacy Shield”.

Regarding Mr Schrems complaint, Facebook Ireland Ltd explained that a large part of personal data was transferred pursuant to the standard data protection clauses in the annex to Commission Decision 2010/87/EU which established standard contractual clauses for certain categories of transfers (the SCC Decision). Mr Schrems then reformulated his complaint claiming, inter alia, that United States law required the American undertaking to make the personal data transferred to it available to certain US authorities, such as the National Security Agency and the Federal Bureau of Investigation. He submitted that, since the transferred data was used in the context of various monitoring programmes in a manner incompatible with articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, the SCC Decision could not justify the transfer of that data to the United States. In those circumstances, the High Court of Ireland referred further questions to the Court of Justice for a ruling on the interpretation of various provisions of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and the validity of, respectively, the SCC Decision and the Privacy Shield Decision.

Those questions were answered as followed: article 2(1) and (2) of the GDPR meant that the GDPR applied to the transfer of personal data for commercial purposes by an economic operator established in a member state to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data was liable to be processed by the authorities of the third country in question for the purposes of public security, defence and state security.

Article 46(1) and article 46(2)(c) of the GDPR meant that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions had to ensure that data subjects whose personal data was transferred to a third country pursuant to standard data protection clauses was afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter of Fundamental Rights.

To that end, the assessment of the level of protection afforded in the context of such a transfer had, in particular, to take into consideration both the contractual clauses agreed between the controller or processor established in the EU and the recipient of the transfer established in the third country concerned and, regarding any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in article 45(2) of the GDPR.

Article 58(2)(f) and (j) of the GDPR meant that, unless there was a valid Commission adequacy decision, the competent supervisory authority was required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses were not or could not be complied with in that third country and the protection of the data transferred that was required by EU law could not be ensured by other means. The SCC Decision provided for effective mechanisms which, in practice, ensured that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that Decision was suspended or prohibited where the recipient of the transfer did not comply with those clauses or was unable to comply with them. Accordingly, the SCC Decision, read in the light of articles 7, 8 and 47 of the Charter of Fundamental Rights, was valid. However, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to the United States, which the European Commission had assessed in the Privacy Shield Decision, were not circumscribed in a way that satisfied requirements that were equivalent to those required, under EU law, by article 52(1) of the Charter.

To that effect, article 45(2)(a) of the GDPR required the Commission, in its assessment of the adequacy of the level of protection in a third country, to take account, in particular, of: “effective administrative and judicial redress for the data subjects whose personal data were being transferred”. The existence of such effective redress in the third country concerned was of particular importance in the context of the transfer of personal data to that third country, since data subjects might find that the administrative and judicial authorities of the member states had insufficient powers and means to take effective action in relation to data subjects’ complaints based on allegedly unlawful processing, in that third country, of their data thus transferred, which was capable of compelling them to resort to the national authorities and courts of that third country. Although recital 120 of the Privacy Shield Decision referred to a commitment from the US government that the relevant component of the intelligence services was required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there was nothing in that decision to indicate that that ombudsperson had the power to adopt decisions that were binding on those intelligence services and did not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.

Therefore, the ombudsperson mechanism to which the Privacy Shield Decision referred did not provide any cause of action before a body which offered the persons whose data was transferred to the United States guarantees essentially equivalent to those required by article 47 of the Charter.

Therefore, in finding, in article 1(1) of the Privacy Shield Decision, that the United States ensured an adequate level of protection for personal data transferred from the EU to organisations in that third country under the EU-US Privacy Shield, the Commission disregarded the requirements of article 45(1) of the GDPR, read in the light of articles 7, 8 and 47 of the Charter.

It followed that article 1 of the Privacy Shield Decision was incompatible with article 45(1) of the GDPR, read in the light of articles 7, 8 and 47 of the Charter, and was therefore invalid. Since article 1 of the Privacy Shield Decision was inseparable from the rest of the decision, its invalidity affected the validity of the decision in its entirety and the Privacy Shield Decision was, therefore, invalid.