The July 2020 judgement of the Court of Justice of the European Union (CJEU) in the so-called Schrems II case has resulted in a great deal of uncertainty for organizations engaging in the transnational transfer of personal data and in particular when those transfers are to entities in the United States. This post will investigate the enforcement issues on which the Schrems II reasoning is based, and discuss the potential effects that the decision has for General Data Protection Regulation (GDPR) enforcement.
Schrems II is the most recent installation of an ongoing litigation that resulted from a complaint that Maximilian Schrems levied against Facebook with the Irish Data Protection Commissioner (DPC) in 2013. Schrems’ complaint objected to Facebook transferring personal data to the United States (US) as contrary to the protections provided by the GDPR. It was based in part on the US National Security Agency (NSA) documents leaked by Edward Snowden in the summer of 2013. These documents revealed a mass surveillance program run by the NSA under Sec. 702 of the Foreign Intelligence Surveillance Act (FISA). This surveillance included direct collection from major US telecommunication providers, internet service providers, and Internet content providers under a program code named PRISM. Schrems’ complaint was rejected by the DPC and Schrems sought judicial review. It eventually led to an assessment of data protection adequacy decisions specifically regarding transfers to the US. The CJEU twice in Schrems I and Schrems II struck down adequacy decisions with the United States.
GDPR and Transnational Transfers
Chapter V of the GDPR regulates transfers of personal data outside the EU, and lays out a number of mechanisms for legitimately executing third country transfers, including adequacy decision (Art. 45), implementation of appropriate safeguards including standard contractual clauses (SCC) (Art. 46), and binding corporate rules (Art. 47). Schrems II engages with both adequacy decisions and the SCCs.
GDPR Article 45 gives the European Commission the ability to make a determination that a third country or international organization “ensures an adequate level of protection” of personal data. When such a determination has been made, transfers under that decision do not require “specific authorisation.” Article 46 on the other hand allows transfers when the data controller “has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” Such safeguards are generally defined in the contractual relationships between transferrers and the receiving parties. The Article also allows for SCC to be adopted at the Commission level and are implemented to provide adequate protections.
Schrems II and the Problem of Enforcement
As stated above, the CJEU set its sights on the adequacy decision that governed the third party transfers at question in Schrems’ original complaint. While this post is concerned with Schrems II, it should be noted that the 2016 Schrems I case invalidated the EU-US Safe Harbor Framework that was the legal basis for the adequacy decision governing transfers to the US. After the Safe Harbor Framework was invalidated, the EU and the US adopted a new framework called the Privacy Shield. In Schrems II the Court also invalidated this effort at designing an adequacy framework.
At the core of the CJEU judgement is its emphasis on enforcement of GDPR in the context of the US. While GDPR does give enforcement authority to national level data protection authorities (DPA), much of the enforcement of GDPR is tied up in an individual’s right to pursue grievances under GDPR through the local DPAs. Indeed, such a complaint is the genesis of the Schrems line of cases. The Court specifically finds that transfers must provide “essentially equivalent to that guaranteed within the European Union,” including “effective legal remedies“ (para. 105). These safeguards are applicable not just between the contracting parties, but also implicates “access by the public authorities of that third country to the personal data transferred” and “the relevant aspects of the legal system of that third country” (para. 105).
This final point becomes a sticking issue for the Court in its assessment of the Privacy Shield decision. The Court specifically finds that FISA Sec. 702 undermines the ability of US entities to provide adequate protection, stating that “It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes” (para. 180). This is because FISA surveillance happens under the oversight of the Foreign Intelligence Surveillance Court (FISC), which does not allow for notice to be given to those surveilled and does not provide any means of challenging either the collection or processing of the data. As a result, when personal data is transferred to the US, the data subject loses control of that data to the US intelligence community. This strips the data subject of the ability to enforce rights guaranteed under the GDPR through relevant legal processes whether in the EU or the US. The CJEU held that this did not constitute equivalent protection.
Standard Contractual Clauses
Despite the Court’s concern with the lack of protections provided under US law and specifically, FISA Sec. 702, it did not go so far as invalidating transfers to the US altogether and explicitly left intact the SCC mechanism for such transfers. The Court’s stance was that these transfers must be evaluated on a case-by-case basis, and if adequate, equivalent protections can be assured and transfers may go forward.
However, the SCCs do not address the issues that the Court found fatal to Privacy Shield, namely the matter of US public authorities’ access to personal data without recourse for the data subject. As a response to this, the European Data Protection Board (EDPB) drafted and implemented a new set of modular SCCs that include contract clauses that can be used to ensure adequacy of transfers. For instance, a transferring entity may require the encryption of data in transit as a way to protect it from foreign intelligence surveillance.
The case-by-case evaluation of transfers is of course coherent in that the specifics of each transfer can change the nature of protections needed to ensure the proper processing of the data. At the same time, Schrems II has left data protection officers and their US counterparts scratching their heads as to what is and is not permissible. This is because contractual clauses are an effective way of managing rights and obligations of contract parties, but cannot change the laws of a country. According to the holding of Schrems II it is precisely US law that has undermined previous adequacy decisions. This is further complicated by the application of FISA, which applies specifically to electronic communication providers. From the Snowden leaks, we know that this includes programs collecting from companies such as Yahoo! and Microsoft as well as internet backbone providers. So, while FISA Sec. 702 does not directly apply to the majority of organizations in the US, it may very well apply to most of the data transiting US infrastructure.
Contracting for equivalent protections seems inadequate in light if the CJEU’s holding that US law does not adequately provide the necessary right to redress held by data subjects. If European data subjects’ personal data enters the US data ecosystem, they effectively lose oversight over their data and lack the ability to enforce their rights under GDPR. At the moment it is unclear how this can be reconciled in light of the Schrems II decision, which implies that transfers to the US are possible despite simultaneously finding that the US legal system itself is the source of inadequacy.
- Schrems II and the Data Protection Enforcement Gap - August 31, 2021