by Ishita Mattoo, LL.M. 2021
In its opinion delivered on July 16, 2020, in Data Protection v. Facebook Ireland Limited and Maximillian Schrems,1 the European Court of Justice (CJEU) invalidated the EU–U.S. Privacy Shield2 while upholding Standard Contractual Clauses (SCCs). The case was brought before the CJEU by Maximillian Schrems, a Facebook user who claimed that the Privacy Shield and SCCs did not provide adequate protection for personal data under the GDPR.3 Schrems argued that under U.S. law, Facebook Inc. was obligated to “make the personal data transferred to it available to certain United States Authorities,” including the NSA and FBI, in a way that was inconsistent with the fundamental rights guaranteed by the E.U. Charter of Human Rights.4 Schrems thus requested that his data not be transferred to Facebook Inc.5
The CJEU first considered whether the GDPR applies to the transfer of personal data from an economic operator6 in a Member State to an economic operator in a third country, where the data could be processed by authorities for “public security, defence and State security.”7 The Court concluded that Article 45 of the GDPR directly discusses the processing of personal data for public security purposes and, thus, the GDPR is applicable in this case.8 Further, the Court held that pursuant to Articles 46(1) and 46(2)(c) of the GDPR, data subjects whose personal data is transferred to a third country under standard data protection clauses must be offered a standard of protection on par with that guaranteed under the GDPR and the Charter of Human Rights.9
Next, the Court considered whether these GDPR guarantees invalidated SCCs.10 The Court upheld their validity with a caveat, reasoning that, because SCCs are non-binding on supervising authorities in third countries, SCCs may require “supplementary measures” by a processor or controller11 of the data to ensure the adequate level of protection that the GDPR requires.12 As a result, if a controller or processor cannot take sufficient “additional measures” to ensure such protection, the controller or processor would need to end the transfer of personal data to the third country at issue.13 Thus, any controller or processor in the European Union would be “required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned.”14
Finally, the Court considered whether the EU–U.S. Privacy Shield provided sufficient protection for E.U. data subjects.15 The Court held that it did not.16 It noted that the adequacy decision of the European Commission on the Privacy Shield (“The Privacy Shield Decision”)17 allowed U.S. organizations to limit their adherence to the EU–U.S. Privacy Shield Framework Principles to the degree necessary for “national security, public interest, or law enforcement” objectives.18 Thus, the Privacy Shield Decision allowed for “interference” with the “fundamental rights” of E.U. data subjects.19 The Court therefore had to consider whether U.S. law provided an “adequate level of protection” under the GDPR, concluding that it did not conform with Article 45 of the GDPR, in the context of the fundamental freedoms guaranteed by the Charter.20
In reaching its decision invalidating the EU–U.S. Privacy Shield, the Court first emphasized that a limitation on the fundamental rights enshrined in the Charter must be pursuant to a law which “define[s] the scope of the limitation” on those rights.21 Further, to accord with the principle of proportionality, such a law should “lay down clear and precise rules” regarding its scope, along with providing “minimum safeguards.”22 The Court found that the Foreign Intelligence Surveillance Act (FISA)23 neither imposed any limitations on the powers granted under it to execute surveillance programs nor provided any guarantees for non-U.S. individuals who were targeted.24 Similarly, surveillance programs under Executive Order (E.O.) 12333 did not provide remedies for E.U. data subjects in courts against U.S. authorities.25 The Privacy Shield Ombudsperson could not provide the necessary judicial protection under Article 47 of the Charter,26 as they did not have the requisite independence from the U.S. executive,27 nor did they have the power to make decisions binding on U.S. intelligence services.28 The Court thus held the Privacy Shield to be invalid,29 finding that it was “incompatible with Article 45(1) of the GDPR,” understood in the context of the fundamental rights in the Charter.30
