IPOL | Policy Department for Citizens’ Rights and Constitutional Affairs
1 INTRODUCTION

KEY FINDINGS

On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress.
1.1 Background
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared invalid the European Commission’s July 2000 decision on the legal adequacy of the EU-US Safe Harbour Framework (Schrems I). 1 On 12 July 2016, the European Commission issued an adequacy decision on the successor EU-US “Privacy Shield” Framework, 2 which provided a legal mechanism for companies to transfer personal data from the EU to the United States under the General Data Protection Regulation (GDPR). But on 16 July 2020 the CJEU delivered a judgment (known as Schrems II) 3 invalidating this adequacy decision, too.

The Court was concerned that the Fourth Amendment to the United States Constitution does not apply to EEA citizens; that the relevant legal regimes under the US Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (E.O. 12333) and Presidential Policy Directive 28 (PPD-28) were not limited as required by EU law; and that EU persons do not have effective means of redress against the US government in relation to unfair or unlawful processing under these US instruments. The CJEU also found that the appointment of the Ombudsperson (as required under the Privacy Shield certification) did not meet the requirements of an official tribunal under European law, and that EEA citizens therefore did not have an adequate judicial remedy for complaints regarding processing of their personal data.

The Court upheld the validity of Decision 2010/87 on standard contractual clauses (SCCs), deeming them in principle an effective mechanism to ensure compliance with the level of protection provided in EU law. However, it indicated that data controllers must assess the level of data protection in the recipient’s country and must adopt “supplementary measures” if needed to protect transferred data against undue access by a third country’s authorities – or suspend transfer if the data could not be adequately protected.
The CJEU underlined an obligation on the part of each data protection authority in all EU Member States to suspend transfers of personal data if they deem that EU levels of protection are not met in the third country. Two years before the Schrems II judgement, the European Parliament issued a resolution on Privacy Shield. 4 Given the revelations of misuse of personal data by companies certified, such as Facebook and

1 CJEU, Grand Chamber judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (“Schrems I”), ECLI:EU:C:2015:650.
2 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, OJ L 207, 1.8.2016, p. 1–112.
3 CJEU Grand Chamber judgment of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), ECLI:EU:C:2020:559.
4 European Parliament resolution of 5 July 2018 on the adequacy of the protection afforded by the EU-US Privacy Shield (2018/2645(RSP)), at: https://www.europarl.europa.eu/doceo/document/TA-8-2018-0315_EN.html
PE 694.678