Reference: Case C-311/18
Date of judgment: 16 July 2020
Court: Court of Justice of the European Union (CJEU)
Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As with other users residing in the European Union (EU), some or all of Mr Schrems’ personal information is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States (US), where it undergoes processing. Such transfer has been carried out pursuant to the standard protection clauses set out in the Annex to Decision 2010/87.
Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. Schrems argued that the law and practices in the US failed to offer sufficient protection against access by the public authorities to the data transferred.
In response to the complaint, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the CJEU for a preliminary ruling. After the initiation of those proceedings, the European Commission adopted Decision 2016/1250 on the adequacy of the protection by the EU-US Privacy Shield.
Ruling by the CJEU
First, the CJEU held that EU law, and in particular the General Data Protection Regulation (GDPR), applied to the transfer of personal information for commercial purposes by an economic operator established in a member state to another economic operator established in a third country, even if that personal information may be processed by the authorities of the third country for the purposes of public security, defence and state security. According to the CJEU, this type of data processing by the authorities of a third country did not preclude such a transfer from the scope of the GDPR.
Regarding the level of protection required in respect of such a transfer, the CJEU held that data subjects whose personal information was transferred to a third country pursuant to standard data protection clauses must be afforded an “essentially equivalent” level of protection as that guaranteed by the GDPR. In assessing the level of protection, regard should be had to both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country. Further, in respect of any access by the public authorities of the third country to the data transferred, regard should also be had to the relevant aspects of the legal system of the third country.
Regarding a supervisory authority’s obligations in connection with such a transfer, the CJEU held that, unless there is a valid adequacy decision by the European Commission, the supervisory authority must suspend or prohibit a transfer of personal information to a third country where the standard data protection clauses are not or cannot be complied within that country, and that the protection of the data transferred cannot be ensured by other means.
Regarding the validity of Decision 2010/87, the CJEU noted that the validity of that decision was not called into question by the mere fact that the standard data protection clauses did not bind the authorities of the third country to which data may be transferred. Rather, the validity depended on whether the decision included effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law. According to the CJEU, Decision 2010/87 established such mechanisms, as it imposed an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection would be respected in the third country concerned. Furthermore, Decision 2010/87 required the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, which in turn required the data exporter to suspend the transfer of data and/or to terminate the contract with the recipient.
Regarding the validity of Decision 2016/1250, the CJEU held that the requirements of US national security, public interest and law enforcement have primacy, and therefore condoned interference with the fundamental rights of persons whose personal information was transferred to that third country. In the view of the CJEU, the limitations on the protection of personal information arising from the domestic law of the US were not circumscribed in a way that was essentially equivalent to those required under EU law. Moreover, regarding the requirement of judicial protection, the CJEU held that the ombudsman mechanism failed to provide data subjects with any cause of action before a body that offered guarantees substantially equivalent to those required by EU law.
Accordingly, the CJEU declared Decision 2016/1250 on the adequacy of the protection by the EU-US Privacy Shield to be invalid.
The judgment of the CJEU is accessible here.
The media summary prepared by the CJEU is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].