CyberLex: Insights on cybersecurity, privacy and data protection law

Here We Go Again: Schrems 2 Puts the Model Clauses for Transfer of EU Personal Data in Doubt

Posted in European Union, Privacy
Keith Rose

On October 3, 2017, the High Court of Ireland rendered a decision in The Data Protection Commissioner v. Facebook Ireland Limited & anor, [2017] IEHC 545. This decision, which could well be labeled Schrems 2, is effectively a sequel to the original Schrems decision, based on the same underlying facts and issues. In this most recent decision, the High Court has granted a request from the Irish Data Protection Commissioner (“DPC”) for a reference to the CJEU for a ruling on the validity of the so-called “Model Clauses” (or “Standard Contractual Clauses”) for transfer of EU personal data to the US. In so doing, it has set in motion a potentially drastic shake-up of the existing order for export of EU personal data, which could ultimately have far broader consequences than the first Schrems decision.

Background

Under EU law, an organization may only transfer “personal data” about an individual to a non-EU country for processing if the destination country “ensures an adequate level of protection”. The European Commission has the authority to determine whether the protections afforded to personal data in a given third country are or are not “adequate” in this regard.

In some cases, “adequacy” decisions apply broadly. In the case of Canada, for example, the Commission concluded that Canadian privacy laws were sufficiently similar to European laws that they were inherently adequate.[1] But the US has a very different legal regime in this regard. As a result, the Commission has taken a more circumstantial approach, considering incremental measures that can be applied by the exporting and importing organizations.

The Commission has recognized three bases for lawful transfer of EU personal data to the US:

  • A voluntary arrangement, originally known as “Safe Harbour”, by which U.S. organizations self-certify compliance with certain privacy principles;
  • Standardized contractual commitments between the data controller and data processor, based on approved “Model Clauses”; and
  • Similar commitments adopted in binding non-contractual rules applicable within a corporate group (so-called “Binding Corporate Rules”).

In the wake of the 2013 Snowden revelations about US data surveillance programs, Austrian law student Max Schrems brought a complaint against Facebook in Ireland, arguing that Facebook’s transfer of his personal information to the US was unlawful under both Irish and EU law.  This case was eventually referred to the Court of Justice of the European Union (“CJEU”), which struck down the Safe Harbour regime.  (See previous posts detailing this decision and its fallout here, here, here, and here.)

Following this decision, Facebook purported to rely on contractual commitments as the basis for its transfer of personal data to the US.  Mr. Schrems renewed and reformulated his original complaint, alleging both that Facebook’s specific contracts did not meet the obligations of EU law and that, in any case, the contracts could not provide adequate protection where national laws of the third country would override them.

The Decision

The fundamental issue before the Irish High Court was whether to refer the Commission’s decisions on the adequacy of the Model Clauses to the CJEU. The decision is long and complex. It canvasses a number of threshold issues before engaging in a methodical assessment of the law applicable to US state access, for national security purposes, to personal data in the hands of data processors.

The court’s principal findings and conclusions include the following.

  • The exclusion from the EU directive of data processing for national security purposes did not put the entire matter outside of the competence of the CJEU: the court concluded that the existing jurisprudence clearly contemplated that US national security surveillance programs were open to scrutiny and challenge under EU law.
  • The Commission’s Privacy Shield decision did not close the subject. On the contrary, the first Schrems decision made it clear that national data protection authorities and courts had an obligation to refer “well founded” doubts as to the validity of a Commission decision to the CJEU for a preliminary ruling.
  • The adequacy of the Model Clauses cannot be assessed in a vacuum. If there are fundamental inadequacies in US laws, from the perspective of EU law, the Model Clauses cannot compensate for them because they cannot bind the sovereign authority of the US and its agencies.
  • Many of the statutory protections and remedies that would apply to US persons are not available to EU citizens who are not US citizens or residents.
  • The legal effect of the Trump administration’s executive order directing agencies to ensure that their privacy policies exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act is uncertain; however, it signals a change in policy from the previous administration, which had expanded administrative protections of non-US personal information.
  • There are “a variety of very significant barriers to individual EU citizens obtaining any remedy for unlawful processing of their personal data by US intelligence agencies”. In particular, under US case law, an objectively reasonable likelihood that one has been subjected to surveillance is not sufficient to establish legal standing. Actual evidence that one has been the subject of a secret surveillance program will necessarily be difficult to come by.
  • The right to an effective remedy under Article 47 of the Charter of Fundamental Rights of the European Union had to be considered in a systematic way, without a threshold need to prove a specific violation of some other Charter right.
  • On this fundamental point, the court’s conclusion was damning: “To my mind the arguments of the DPC that the laws – and indeed the practices – of the United States do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by Article 47 of the Charter, which applies to the data of all EU data subjects transferred to the United States, are well founded.” [See para. 298.]
  • Furthermore, the Ombudsperson mechanism established by the US as part of the negotiations leading to the adoption of the Privacy Shield program did not fill the gap. The court had significant concerns about the independence of this office and, in any case, it could not offer any remedy to the individual concerned. Indeed, it could not even confirm whether or not the individual had been subject to any electronic surveillance.

Implications

While not entirely unexpected, this decision may be a game-changer, and could easily turn out to be even more significant than the first Schrems decision. If confirmed by the CJEU, the logic of the High Court’s analysis of US and EU law carries far beyond Facebook’s data processing agreement, or even the Model Clauses themselves. The High Court’s interpretation and application of Article 47 of the EU Charter makes it hard to imagine that any of the recognized bases for lawful transfer of EU personal data to the US could survive without fundamental changes to US law, changes which the US already rejected under a political climate that was more open to international cooperation. While the original Schrems decision only affected the Safe Harbour regime, this decision may pull out all of the legs of the stool at once.

The High Court has not yet determined the precise questions that will be referred to the CJEU. All of the parties had requested the opportunity to make further submissions on that point in the event that the court determined to make a reference, and the court has agreed to hear those submissions. Once the reference is made, it will likely be about two years before the CJEU renders a decision. During that time, the GDPR will come into force, increasing the substantive divide between EU and US privacy law.

Furthermore, the US is by no means the only country with secretive national security programs that are largely shielded from public oversight or individual accountability. If the CJEU confirms that Article 47 of the EU Charter requires individual remedies for EU data subjects against foreign national security agencies as a precondition for any transfer of personal data, the practical consequences will be dramatic.

[1] This assessment is currently under review. Some have questioned whether it will remain valid, particularly after the General Data Protection Regulation (“GDPR”) comes into force in May 2018.