
1 INTRODUCTION

KEY FINDINGS

On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress.


1.1 Background

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared invalid the European Commission’s July 2000 decision on the legal adequacy of the EU-US Safe Harbour Framework (Schrems I). 1 On 12 July 2016, the European Commission issued an adequacy decision on the successor EU-US “Privacy Shield” Framework, 2 which provided a legal mechanism for companies to transfer personal data from the EU to the United States under the General Data Protection Regulation (GDPR). But on 16 July 2020 the CJEU delivered a judgment (known as Schrems II) 3 invalidating this adequacy decision, too.

The Court was concerned that the Fourth Amendment to the United States Constitution does not apply to EEA citizens; that the relevant legal regimes under the US Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (E.O. 12333) and Presidential Policy Directive 28 (PPD-28) were not limited as required by EU law; and that EU persons do not have effective means of redress against the US government in relation to unfair or unlawful processing under these US instruments. The CJEU also found that the appointment of the Ombudsperson (as required under the Privacy Shield certification) did not meet the requirements of an official tribunal under European law; therefore EEA citizens did not have an adequate judicial remedy for complaints regarding processing of their personal data.

The Court upheld the validity of Decision 2010/87 on standard contractual clauses (SCCs), deeming them in principle an effective mechanism to ensure compliance with the level of protection provided in EU law. However, it indicated data controllers must assess the level of data protection in the recipient’s country and must adopt “supplementary measures” if needed to protect transferred data against undue access by a third country’s authorities – or suspend transfer if the data could not be adequately protected. The CJEU underlined an obligation on the part of each data protection authority in all EU Member States to suspend transfers of personal data if they deem that EU levels of protection are not met in the third country.

Two years before the Schrems II judgement, the European Parliament issued a resolution on Privacy Shield. 4 Given the revelations of misuse of personal data by certified companies, such as Facebook and Cambridge Analytica, it called on the US authorities to act without delay in full compliance with the assurances and commitments given and, if needed, to remove such companies from the Privacy Shield list. Parliament called also on the competent EU data protection authorities to investigate such revelations and, if appropriate, suspend or prohibit data transfers. Most importantly, Parliament considered the revelations clearly showed the mechanism did not provide adequate protection of the right to data protection. It noted concern at that time about the consequences of Executive Order 13768 on ‘Enhancing Public Safety in the Interior of the United States’ for judicial and administrative remedies available to individuals in the US, because the protections of the Privacy Act no longer applied to non-US citizens.

1 CJEU, Grand Chamber judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (“Schrems I”), ECLI:EU:C:2015:650.

2 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, OJ L 207, 1.8.2016, p. 1–112.

3 CJEU, Grand Chamber judgment of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), ECLI:EU:C:2020:559.

4 European Parliament resolution of 5 July 2018 on the adequacy of the protection afforded by the EU-US Privacy Shield (2018/2645(RSP)), at: https://www.europarl.europa.eu/doceo/document/TA-8-2018-0315_EN.html

Overall, transfers of personal data from the EU to the USA were carried out for more than a decade (at least since 2000) without respecting European standards for data protection, resulting in irreversible harm to EU citizens and companies; yet during this period the European Commission ignored numerous calls from the European Parliament and human and digital rights organisations. This underlines the gravity of the situation and the importance of taking remedial steps to guarantee protection for EU citizens and companies in the future. More specifically, in the aftermath of the Schrems II judgement the LIBE Committee took up work on a resolution reaffirming that the CJEU ruling has significant implications for adequacy decisions concerning all third countries and pointing at the need for legal clarity and certainty. In this context the Committee requested this study in order to become acquainted with expert opinion on the reforms to the legal framework for the exchange of personal and other data between the EU and the USA that are necessary to ensure the requirements of EU law are satisfied and the rights of EU citizens are respected.

1.2 Scope and objectives of the research and structure of the study

In chapter 2, we discuss the European view of data protection as a fundamental sui generis right, and the national security exemption in the EU Treaties, and the implications in particular in relation to transfers of personal data from the EU to non-EU countries or territories (so-called “third countries”). This is done with reference to the relevant case law of the CJEU, including notably the Court’s Schrems I and Schrems II judgments, in relation to the flows of personal data that are subject to the GDPR from the EU to a third country, and the USA in particular; to the European Data Protection Board’s (EDPB) updated Adequacy Referential; and to the Board’s European Essential Guarantees (EEGs) for surveillance (in relation to the issue of access to EU data by authorities of third countries).

Chapter 3 summarises (a) US constitutional and common law on privacy, (b) US federal and state privacy laws and (c) US surveillance laws with reference to the main EU issues and standards identified in chapter 2.

Chapter 4 provides a deeper analysis of standards that must be met for the USA to provide for an adequate level of data protection, indicates the changes that would have to be made to US law in order for it to satisfy those EU requirements, and explores policy and legal options for the future, in relation to the exchange of personal and other data between the EU and “third countries” outside the European Economic Area.

- o – O – o -
