SCHREMS I AND II JUDGEMENTS

Author : Lawvs

Posted on : 06-Nov-23


 

BY - T SWETHA

4th Year Law Student, BA-LLB, Vasantrao Pawar Law College, Baramati – 413102, swethat746@gmail.com

 

Introduction -   

Have you ever thought about how personal data from European countries is transferred to the US or other countries, and whether reasonable security is practiced while doing so? After all, it is the personal data of the common man. The EU relied on security mechanisms such as the Privacy Shield and the Safe Harbour Agreement, which were the norm for transferring personal data to other countries. The main objective was to keep data protected while it was being transferred outside the jurisdiction of the EU. But all of this changed when the Schrems judgements put the legitimacy of Safe Harbour and the Privacy Shield into serious doubt, after the highest European court invalidated them. Before we get into the judgements, let's clear up a few important terms in the context of GDPR.

 
1. Transfer of Data under GDPR - Transfer is not explicitly defined under GDPR, but it is thoroughly defined by implication. Under the EU GDPR and the UK GDPR (after Brexit the UK got its own GDPR), it is stated as follows -

“When personal data is being transferred from EU jurisdiction to processors, controllers or other recipients in any other country or an international organisation, the level of protection given to a natural person in the EU by GDPR should not be disregarded.”

2. Other Country - Any country that is not a member of the EEA (European Economic Area) is considered another country. After Brexit, the UK is considered another country.

3. International Organisation (IO) - Luckily, this is defined. An IO does not mean MNCs (Multinational Corporations) such as Google, Microsoft or Apple. It means organisations and their subordinate bodies governed by Public International Law, or a body set up on the basis of an agreement between two or more countries. E.g. – Red Cross, INTERPOL, UN, UNHCR, European Space Agency, CERN and WIPO, etc.

4. Safe Harbour Agreement - It is the agreement between the US government and the European Commission that provides for the protection of EU citizens' data that will be transferred to the US. E.g. - Facebook transfers a person's data to the US.

5. Privacy Shield Agreement - It is in some ways similar to Safe Harbour, and it replaced it as the compliance mechanism for the transfer of personal data from the EU to the USA.

6. Standard Contractual Clauses (SCC) - It is the mechanism for ensuring appropriate data protection safeguards when data is transferred from EU and EEA members to third countries.

 

 

Now onto the first judgement -  

 

Schrems I  

 

Background – This case began while the plaintiff, Maximilian Schrems, was still getting his law degree from the University of Vienna. He went to California for half a year, where he heard how Facebook treats European data. The gist of what they stated is “how violating European law doesn’t affect them and nothing is going to happen if we don’t comply with the laws”.

This was the next series of events – 


a. The plaintiff filed a complaint with the Irish Data Protection Commissioner (DPC).

b. This complaint challenged Facebook's application of the Safe Harbour Agreement for approving data transfers between the EU and the USA; the agreement was also approved by the EU.

c. The DPC straight-up declined to investigate, stating that it was bound to follow EU laws.

d. The plaintiff appealed before the Irish High Court. The court referred the matter to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

e. The court was presented with the following question - Is the DPC bound by the Safe Harbour Decision of the EC (by Articles 7, 8 and 47 of the ECFR and Article 25(6) of Directive 95/46) while investigating inadequate protection of an individual's data while it is being transferred to another country?

 

Court's Judgement -

On the 6th of October 2015, the CJEU ruled that the DPC has the right to investigate an individual's complaint relating to the EC decision. But it also held that only the CJEU has the authority to declare an EC decision void.

 

Meaning of the Judgement -   

The ruling, though not specifically mentioning Safe Harbour, made this agreement invalid. As Safe Harbour was invalidated, another mechanism had to be implemented to replace it. That is where the Privacy Shield came in, an instrument that would facilitate EU data transfers to the USA.

 

On 6th October 2015, Safe Harbour was made invalid and on 12th July 2016 Privacy Shield was formally implemented as the new standard for Data protection after it was incorporated into the EEA Joint Committee on 7th July 2017. 

 

Schrems II  

 

Background - 

After the invalidation of the Safe Harbour Agreement, a self-certification mechanism called the Privacy Shield, designed by the Department of the USA and the EU, was produced to ensure compliance with data protection requirements for data transfers.

The following events ensued –

a. Maximilian Schrems resubmitted his complaint to the DPC, alleging that Facebook was continuing to transfer personal data from the EU to the USA using SCC.

b. The Irish High Court again referred the case to the CJEU, with 11 issues to be addressed.

 

Judgement of CJEU - 

The court put the validity of the Privacy Shield under scrutiny as per the requirements of GDPR. It found that, because domestic law in the USA allowed US public authorities to access personal data transferred from the EU, the protection of that personal data had serious limitations.

The court ruled that the standards of the USA laws regarding data protection were not equivalent to those of the EU laws. About SCC, the court emphasized that two things have to be considered in an SCC –

a. Views of the third country regarding its legal system providing access to and usability of EU data by public authorities.

b. The court upheld the use of SCC provided necessary safeguards for data protection are being maintained.

 

Questions raised were as follows –

Most of the questions referred to CJEU were generic questions regarding issues of Personal Data Transfer to countries other than countries in EEA and some questions were particularly about the US.

But the most quintessential among the questions was whether the decision given by EC regarding SCC violated ECFR?

 

The Generic questions were as follows –


1. Will EU law apply to the transferring and processing of personal data by the security services of a Third Country?

The court had previously stated that EU law applies to any personal data transferred to the USA. EU laws also apply even when the country to which the data is being transferred is not a member state.

2. If there is a violation of the rights of individuals due to an SCC transfer of personal data, will it be regulated by EU or Member State law? Specifically, clarification was sought on whether it violates Article 7 (regarding privacy) and Article 8 (regarding data protection).

The Court held that the application of US statutory remedies was difficult and not practical. Hence the DPA of that country should be sought for any guidance.

3. Should the administrative rules and executive orders of a Third Country also be considered, along with its domestic laws, while assessing its level of data protection?

The DPC argued that it should only consider domestic laws. But Facebook disagreed and stated that one has to look at the entire laws, as the DPC did not perform a complete analysis of restrictions regarding data protection.

4. What should be the level of protection implemented under EU data protection laws or the ECFR, and specifically what matters have to be considered while transferring data under SCC to Third Countries?

It was held that SCC was merely contractual and did not emphasise the data protection aspect of the receiving country. The court stated that the data subject should be entitled to data protection as required by the DPD or Charter.

5. If a data transfer is found to be violative of SCC’s EU data protection or/and ECFR, does the Third Country's national DPA have the authority to suspend such transfers?

The national DPA does have the authority to suspend any data transfers it finds to violate ECFR or Charter.

 

 

US Specific Questions 


1. Do the relevant Articles of the ECFR get violated if data is transferred to the US under SCC?

Even if there was a violation, the court found that the US security services processed data indiscriminately, that such government surveillance was not available to the EU, and that the road for any EU citizen to obtain a legal remedy against unlawful processing of data was filled with obstacles.

2. Is the Schrems II judgement invalidating the Privacy Shield binding on national DPAs and the courts of member states of the EEA?

In regard to the US, it was held that the decision regarding the Privacy Shield was a binding decision on data transfers. Further, the court stated that the Privacy Shield was an agreement between the US and the EU under Article 25(6), and thus it cannot be held as national adequacy under Article 25(2).

3. Does the Privacy Shield ombudsperson provide a sufficient remedy for the ECFR?

Specifically, for Facebook, the ombudsman mechanism proved to be an efficient remedy for EU data subjects. The DPC held, and the court agreed, that the ombudsman was not independent and also cannot be scrutinized by judicial review.

 

Conclusion   

CJEU has confirmed and has also endorsed the use of SCC after the invalidation of the Privacy Shield and Safe Harbour Agreements. But irrespective of the mechanism the court has emphasized the need for due diligence by any entity that wishes to transfer data internationally. And compliance with EU GDPR for any such mechanism is non-negotiable. Ultimately this will positively affect the data security and integrity of the personal data of EU individuals. 

 
