Europe’s top court strikes down flagship EU-US data transfer mechanism

A highly anticipated ruling by Europe’s top court has just landed — striking down a flagship EU-US data flows arrangement called Privacy Shield.

“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield,” it wrote in a press release.

The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield ostensibly intended to mitigate this interference (such as an ombudsperson role to handle EU citizens’ complaints) are not up to the required legal standard of ‘essential equivalence’ with EU law.

In short, boom.

The case — known colloquially as Schrems II (in reference to privacy activist and lawyer, Max Schrems, whose original complaints underpin the saga) — has a long and convoluted history. In a nutshell it concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.

Putting a little more meat on the bones, the US’ prioritizing of digital surveillance — as revealed by the 2013 revelations of NSA whistleblower, Edward Snowden; and writ large in the breadth of data capture powers allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and executive order 12,333 (which sanctions bulk collection) — collides directly with European fundamental rights which give citizens rights to privacy and data protection, as set out in the EU Charter of Fundamental Rights, the European Convention on Human Rights and specific pieces of pan-EU legislation (such as the General Data Protection Regulation).

The Schrems II case also directly concerns Facebook, while having much broader implications for how large scale data processing of EU citizens’ data can be done.

It’s worth noting that today’s decision does not concern so-called ‘necessary’ data transfers — such as being able to send an email to book a hotel room. Rather this is about the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost/ease reasons). So one knock-on effect of today’s ruling might be that more companies switch to regional data processing for European users.

The original case raised specific questions of legality around a European data transfer mechanism used by Facebook (and many other companies) for processing regional users’ data in the US — called Standard Contractual Clauses (SCCs). That mechanism has not been struck down by today’s ruling, though judges have made it clear that third country context around the use of SCCs is king and EU regulators must step in when they suspect data is flowing to unsafe locations outside the bloc.

Schrems challenged Facebook’s use of SCCs at the end of 2015, when he updated an earlier complaint on the same data transfer issue related to US government mass surveillance practices with Ireland’s data watchdog.

He asked the Irish Data Protection Commission (DPC) to suspend Facebook’s use of SCCs. Instead the regulator decided to take him and Facebook to court, saying it had concerns about the legality of the whole mechanism. Irish judges then referred a large number of nuanced legal questions to Europe’s top court, which brings us to today. Facebook, meanwhile, repeatedly tried and failed to block the reference to the Court of Justice. And you can now see exactly why they were so keen to derail this train.

The referral by the Irish High Court ended up looping in questions over the European Commission’s flagship data transfer agreement, the EU-US Privacy Shield. This replaced a long standing EU-US data transfer agreement, called Safe Harbor, which was struck down by the CJEU in 2015 after an earlier challenge also lodged by Schrems. (Hence Schrems II — and now strike two for Schrems.)

So part of the anticipation associated with this case has been related to whether Europe’s top judges would choose to weigh in on the legality of Privacy Shield — a data transfer framework that’s being used by more than 5,300 companies at this point. And which the European Commission only put in place a handful of years ago.

Critics of the arrangement have maintained from the start that it does not resolve the fundamental clash between US surveillance and EU data protection. In recent years, meanwhile, with the advent of the privacy- and rights-hostile Trump administration, Privacy Shield has looked increasingly precariously placed, as we’ve reported. An influential advisor to the court had also raised a raft of concerns over the mechanism in an opinion which prefigured today’s ruling.

In the event, the CJEU has waded in and sided with Privacy Shield critics who have always said the framework is the equivalent of lipstick on a pig. Today is certainly not a good day for the European Commission (which also had a very bad day in court yesterday on a separate matter).

The Commission convened a brief press briefing at noon to offer an initial response to the bombshell judgement on their flagship transatlantic data transfer mechanism. During the session Věra Jourova, the commissioner with responsibility for trust and transparency, emphasized that legal mechanisms for transatlantic data transfers do still exist for businesses to use.

“The Court of Justice declared the Privacy Shield decision invalid but also confirmed that the Standard Contractual Clauses remain a valid tool for the transfer of personal data to processors established in the third countries. This means that the transatlantic data flows can continue based on the broad toolbox for international transfers provided by the GDPR,” she said, naming “binding corporate rules” and SCCs as available options.

She also said the executive is continuing its work on modernizing SCCs (i.e. to bring them into alignment with the GDPR) — but without providing any firm timeline for that update of the tool, which was developed under the prior EU data protection directive.

“I know citizens and businesses are seeking reassurance today on both sides of the Atlantic so let me be clear we will continue our work to ensure the continuity of safe data flows,” she said. “Today’s ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.”

She said the Commission has already contacted US counterparts to begin the process of discussing a way forward now that Privacy Shield lies in pieces.

On this issue her comments were at times blunt, as she chose to highlight “certain deficiencies” the Commission had raised with US counterparts during the annual Privacy Shield review process, while eliding the fact it had nonetheless rubberstamped the arrangement anyway, ignoring repeat warnings (including from EU privacy regulators and the EU parliament) that the framework was flawed and would not stand up to legal challenge.

“In its judgement today the Court of Justice of the EU once again underlined that the right of European citizens to data protection is absolutely fundamental,” she said. “It confirms also what the Commission has said many times that what we have been working on when personal data travels abroad from Europe it must remain safe.”

While pledging to work “closely” with American counterparts to try to chart a course towards a replacement for the now defunct Privacy Shield, Jourova was clear where the movement would need to come from. “We have never hidden that we would like to see more convergence,” she said. “We would like to see on American side the federal law on data protection which would be equivalent or very similar to the GDPR which would stipulate equivalent and strong safeguards for the protection of private data of the citizens.

“We have also actively lobbied — for instance for changes in the FISA law. Or in some other items of the American laws but we cannot do the magic and change the American laws from Europe. It’s for the American partners to reflect on that.”

In a response statement put out around the same time, U.S. secretary of commerce, Wilbur Ross, expressed deep disappointment at the ruling — but said the department would continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification and maintaining the current list (which has previously included the disgraced data hijacker, Cambridge Analytica).

Today’s decision does not relieve participating organizations of their Privacy Shield “obligations”, the statement further claimed.

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Ross. “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies — but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies — including the 5,300+ current Privacy Shield participants — be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”

As well as finding itself looped into Schrems’ Facebook SCCs challenge, Privacy Shield has also been under separate legal challenge — with the complainant in that case (La Quadrature du Net) arguing the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data. That case now looks moot.

On SCCs, the CJEU has not taken issue with the mechanism itself — which, unlike Privacy Shield, does not contain an assessment on the quality of the protections offered by any third country; it’s merely a tool which may be available to use if the right legal conditions exist to guarantee EU citizens’ data rights (and one that importantly includes a regulatory kill switch) — but judges asserted the obligation on data controllers to carry out an assessment of the data protection afforded by the country where the data is to be taken.

If the level is not equivalent to that offered by EU law then the controller has a legal obligation to suspend the data transfers. This also means that EU regulators — such as Ireland’s DPC — have a clear obligation to act on complaints and suspend data transfers which are taking place via SCCs to third countries where data protections are not adequate (such as, as the CJEU has made clear, the US). Which was exactly what Schrems had asked the Irish regulator to do in the first place.

It’s not immediately clear what alternative exists for companies such as Facebook — which do fall under US surveillance laws and are using SCCs to take EU citizens’ data to the US — given judges have invalidated Privacy Shield on the grounds of the lack of protections afforded to EU citizens’ data in the country. As it stands the NSA is standing in the way of their EU data flows via even the remaining mechanisms.

“In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies,” the court notes in today’s press release — pointing to Article 49 of the GDPR, which sets out conditions “under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards”. (These conditions are narrow — and include the explicit consent of the data subject; or for necessary transfers or transfers in the public interest or the interest of the data subject.)

However in initial responses to the judgement some large tech companies were seeking to reassure customers that data transfers would be unaffected.

In a blog post on the ruling, Microsoft’s corporate VP for privacy, Julie Brill, wrote: “For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our commercial customers are already protected under SCCs.”

While it’s right to say that SCCs as a data transfer mechanism remain valid, the specific context of where exactly data is being taken is key — and could open companies to legal risk if, for example, they’re processing data in the US where it may be subject to surveillance.

Here’s more on the court’s overall reasoning from the press release:

The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.

Commenting on the ruling in a statement, a jubilant Schrems said: “I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”

“The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley,” he added.

“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court to say the unavoidable — when shit hits the fan, you can’t blame the fan.”

A link to the full CJEU judgement can be found here.

In further comments on the implications today put out by Schrems’ privacy rights NGO noyb, it wrote: “The CJEU has made it clear in its ruling that even within the SCCs a data flow must be stopped if a US company falls under this surveillance law. This applies to practically all IT companies (such as Microsoft, Apple, Google or Facebook) that all fall under FISA 702.

“Just because there is this ‘stop’ within the SCCs that makes it impossible to use them in such cases, the SCCs were not declared invalid. The statement that a data flow to the USA under the SCCs remains legal is therefore wrong. This would only be possible if a US company is not subject to any monitoring laws (e.g. an airline, a bank or a retail business).”

“Consequently this is also not a ‘half win’, as 100% of the outsourcing that may be subject to US surveillance is not allowed — no matter if under Privacy Shield or SCCs,” noyb’s statement added.

We reached out to the Irish DPC for comment — and to ask the regulator whether it will now suspend Facebook’s use of SCCs. Deputy commissioner, Graham Doyle, initially told us it’s studying the judgement and would respond “shortly”, before sending a lengthy statement in which the regulator welcomes the ruling, saying it vindicates its decision to raise wider concerns in court rather than acting on the complaint by suspending Facebook’s data flows.

“Today’s judgment… firmly endors[es] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally,” it writes.

“The Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.”

However anyone expecting immediate action from the regulator on the long standing Schrems complaint against Facebook’s use of SCCs should brace themselves for — uh — further delay.

“Reflecting the complexity of many of the legal issues it addresses, the judgment (and, indeed, the case as a whole) has many layers, each of which will require careful consideration in the coming days and weeks,” the regulator warns, before adding: “[I]t is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Its statement also talks about “developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment”.

Facebook has also emailed us a statement attributed to its associate general counsel, Eva Nagle, who writes: “We welcome the decision of the Court of Justice of the European Union to confirm the validity of Standard Contractual Clauses for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens.

“Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.”

Commenting on the general business implications of the ruling in a statement, Tanguy Van Overstraeten, partner and global head of privacy and data protection law at the law firm Linklaters said: “This leaves a huge question mark over data transfers to the U.S. The Court has struck down the EU-U.S. Privacy Shield because it considers the U.S. state surveillance powers are excessive. For the thousands of businesses registered with the US Privacy Shield, this will be groundhog day; this is the second time the FTC-operated scheme has been struck down after the Shield’s predecessor — the Safe Harbor — was struck down in 2015. Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.”

“This does not just affect data transfers to the US. Other jurisdictions, such as India or China, also have strong state surveillance powers so transfers to those jurisdictions may also need careful examination,” he added, suggesting the ruling may encourage data protection regulators to clamp down on international transfers “more aggressively” — “with the possibility of transfers to jurisdictions with strong state surveillance powers becoming increasingly difficult”.

That in turn suggests significant implications for the UK — which, as a result of Brexit, will shortly be seeking to gain its own adequacy decision with the EU to enable continued smooth flows of data.

UK surveillance law has also faced repeated challenges under EU human rights law so the prospects for the country not to fall into the ‘third country’ hole the US now finds itself in, post-today’s CJEU ruling, do not look entirely rosy.

Asked about the UK’s prospects of an adequacy agreement with the EU in light of today’s ruling, Peter Church, counsel at Linklaters, said an assessment of domestic surveillance powers under the Investigatory Powers Act 2016 will have to be undertaken — but he pointed out the government has been forced to make a number of amendments following earlier legal challenges to bring the act into line with EU law. He also highlighted key differences vis-à-vis US law.

“The CJEU’s judgment could have implications for the UK’s prospects of gaining adequacy at the end of the Brexit transition period,” he told us. “This will necessarily involve an assessment of the UK’s surveillance powers under the Investigatory Powers Act 2016. However, there are a number of differences between the UK and U.S. regimes. For example, the UK regime has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law. In addition, the UK regime does not have the same distinction between UK and foreign nationals, unlike US law which does not grant the same rights to non-US citizens.”

European commissioners were also asked directly about this issue during today’s hastily convened press conference. Justice commissioner Didier Reynders said the Commission would have to study the judgement in detail to see how it might affect the UK’s prospects.

“We have a lot of adequacy decisions with different partners so it will be very important to analyze the situation to see if there are some improvements needed in different processes that we have in different third countries,” he said in response to a journalist’s question. “In the discussions with the UK… we try to [better] understand for the moment what should be or could be the situation about the data protection after the first of January next year — and there are discussions on this. We want to receive more information about that,” he said.

Reynders added that the Commission would, in due course, discuss its analysis of the CJEU judgement with UK counterparts — including considering what he couched as “possible consequence[s]”.

“The adequacy decision is a unilateral decision of the Commission but we need to receive information and to share or analyze information with our colleagues from the UK, and it’s normal that of course we will have maybe some elements coming from the judgement — but again you will let us maybe in the next hours and days have the time to analyze in detail the decision of the court,” he added.