The European Court of Justice today handed down a remarkable ruling in the long-running lawsuit brought by Austrian lawyer Schrems regarding the transfer of personal data from Facebook Ireland to the USA. The USA is no longer granted a standardised adequate level of protection for personal data – a ruling with relevance for all economic connections to the USA.
Today’s ECJ ruling brings more clarity to the application of the European General Data Protection Regulation (GDPR) and the protection of personal data.
According to the ECJ ruling, the GDPR applies to the transfer of personal data to a third country for commercial purposes, even if the data are used by that country’s secret services. Above all, however, the decision on the adequacy of the protection provided by the EU-US data protection shield (DSS Decision), which certified the US level of protection of personal data, has today been declared invalid. The USA is thus deprived of a standardised adequate level of protection for personal data.
Schrems vs. Facebook Ireland: a lawsuit that has attracted public attention
Seven years ago, a high-profile lawsuit between Mr. Schrems and Facebook began, in which Mr. Schrems essentially demanded that Facebook Ireland be prohibited from transferring his personal data to the United States.
He argued that Facebook Inc. was obliged under American law to make the personal data it had transferred available to American authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
Facebook Ireland stated that a large part of the personal data is transferred to Facebook Inc. on the basis of the standard privacy clauses contained in the Annex to the SCC Decision. The SCC Decision (Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46) has been in force since 2010 and governs the transfer of personal data to third countries.
Mr. Schrems objected to this and referred to the Charter of Fundamental Rights of the European Union, on the basis of which the SCC decision could not justify the transfer of personal data to the United States.
In its judgment today, the European Court of Justice (ECJ) therefore ruled on the interpretation and validity of the SCC Decision in the context of the EU Decision on the Adequacy of the Protection afforded by the EU-US Data Protection Shield of 2016 (DSS Decision). This is because, according to the DSS Decision, the United States ensures an adequate level of protection for personal data.
The legal situation is also complicated by the European General Data Protection Regulation (GDPR), which has now entered into force. This is because Directive 95/46 was repealed and replaced by the GDPR with effect from 25 May 2018. Therefore, the ECJ stated today, the questions referred for a preliminary ruling must be answered on the basis of the provisions of the GDPR and not of Directive 95/46, even if they refer to the provisions of Directive 95/46.
Questions referred: Validity of the SCC decision and the DSS decision under GDPR
In particular, the question had to be answered as to whether personal data could also be transferred on the basis of the SCC Decision from a private company in a Member State of the Union to a private company in a third country for a commercial purpose – and whether this also holds under the provisions of the GDPR. Today’s ruling is all the more important because the national supervisory authorities of the EU Member States are empowered to check whether the requirements laid down in the GDPR are complied with when personal data are transferred from their Member State to a third country.
The questions referred for a preliminary ruling therefore also concerned the level of protection required by Articles 46(1) and 46(2) of the GDPR when personal data are transferred to a third country on the basis of standard data protection clauses. The court was also asked to decide whether the competent national supervisory authority is obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses (such as the SCC and DSS Decisions) if it finds that there has been a breach of the requirements under the GDPR.
ECJ: Third countries must ensure an adequate level of protection
The ECJ answered the latter question in the affirmative. National supervisory authorities would have to take action and prohibit the transfer of personal data if the requirements of the GDPR were violated. But this only applies to third countries that do not offer an adequate level of protection. And according to the DSS Decision, the United States ensures an adequate level of protection for personal data.
There must be a level of protection of enforceable rights that is equivalent in substance to the level guaranteed in the Union by the GDPR in the light of the Charter, the ECJ explained. In practice, it may not be possible to ensure the effective protection of personal data transferred to the third country in question if the law of that third country allows its authorities to interfere with the rights of data subjects with regard to those data.
SCC decision is valid
However, this is regulated by the SCC Decision. The controller established in the Union and the recipient of the transfer of personal data are obliged to check in advance whether the level of protection required by Union law is respected in the third country concerned. Under clause 5(b) of the Annex to the SCC Decision, the recipient of the transfer may be obliged to notify the controller that he cannot comply with the clauses, whereupon the controller must suspend the data transfer and/or withdraw from the contract. The SCC Decision therefore provides effective mechanisms for dealing with violations of the requirements of the GDPR.
The SCC Decision is therefore valid, also in relation to the Charter of Fundamental Rights and the GDPR in the EU, the ECJ ruled.
ECJ declares DSS decision invalid
In contrast, the ECJ assessed the DSS Decision differently. The court confirmed that the practice of the USA of passing on a collective collection of personal data to its secret services did not in fact correspond to the European level of protection. On the other hand, the U.S. ombudsman mechanism gives each individual the possibility of appealing to an independent and impartial court to obtain access to personal data concerning him or her or to have such data corrected or deleted – in the USA.
However, this would not provide guarantees equivalent to those required under Article 47 of the Charter. Therefore, the ECJ annulled the DSS Decision, which had so far certified that the United States offers an adequate level of protection for personal data.