Information Technology Law – Andrew Murray 2019

Chapter 24

It is a widely reported aphorism that ‘data is the new oil’. No one is quite sure who first said this but it may have been the man behind the Tesco Clubcard scheme, Clive Humby, who in 2006 said ‘Data is just like crude. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value.’1 Whoever first said it, it is clear that in the modern economy data-driven transactions are essential. The OECD estimated that in 2015, the global volume of data stood at 8 zettabytes (8 trillion gigabytes), an eight-fold increase on 2010. By 2020, that volume is forecast to increase up to 40 times over, as technologies including the Internet of Things create vast new data sets.2 According to the McKinsey Global Institute, cross-border flows of data grew 45 times from 2005 to 2014, and accounted for $2.8 trillion (approx. 3.3 per cent) of global GDP in 2014; again this is a figure rapidly rising.3 To get an idea of the future value of data, the Boston Consulting Group has estimated that across Europe the quantifiable benefit from personal data applications could reach €1 trillion annually by 2020—with two-thirds of that benefit accruing to consumers, and one-third to businesses.4 All of these reports and predictions point to the same conclusion: a modern economy must trade data. This is potentially a problem for data protection laws. As data is today mostly a purely digital item it is, as John Perry Barlow explained in 1994, and discussed in chapter 1, merely a ‘highly liquid pattern of ones and zeros’.5 The unchecked flow of personal data across borders is the common theme throughout this book. It is this unchecked flow that makes illegal content, including obscene content and content in support of terrorism, difficult to police. It is the same flow that affects copyright and trademark enforcement, and it is the same flow that undermines local enforcement of data protection and data privacy provisions.

This is a major challenge for the European data protection regime. If all a data controller had to do was to transfer personal data from a controller in Germany, who is subject to the European data protection regime, to one in Chile, who is not, then European data protection law would not be worth a candle. We have already touched upon the tension between a local legal framework and a global trade in personal data at 22.1.2, where we saw that reg. 3 of the GDPR provides that its geographical scope reaches far beyond the borders of the EU to both non-EU established organizations who process personal data about EU data subjects in connection with the offering of goods or services, and to non-EU established organizations who process personal data about EU data subjects in connection with monitoring their behaviour within the EU. That, though, is about the territorial scope of the GDPR when the data controller may be beyond the geographical borders of the EU. What about the more direct issue of data exportation (data transfers) from within the EU to outside it? This is a practice that goes on all the time. Think how much of your personal data is likely to end up in servers operated from 1 Infinite Loop, Cupertino, California (Apple); 410 Terry Avenue North, Seattle, Washington (Amazon); or 129 Samsung-ro, Yeongtong-gu, Suwon-si, Gyeonggi-do, Korea (Samsung). To deal with this the European data protection framework has developed complex provisions to regulate the transfer of data outside the European Economic Area (EEA).

24.1 Transfers of personal data to third countries

The transfer of personal data to states outside the EEA was regulated by the 1995 Data Protection Directive and the 1998 Act and continues to be regulated by the GDPR and the 2018 Act. To fully understand the legal framework requires a working knowledge of both the old framework and the new framework. This is because vital case law under the old framework remains authoritative and informs our understanding of the GDPR framework.

Article 25 of the Data Protection Directive provided that ‘Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection’. This was reinforced by the eighth data protection principle: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’ The reasoning behind the Article and the Principle was that, as already noted, without some form of transfer limitation unscrupulous data controllers could simply export data to a state which offers a lower level of protection to data subjects for processing, then transfer the results back into the EU for action.

The first question was what qualified as a ‘transfer to a third country of personal data’? For example, could the placing of data on an internationally accessible web page qualify as a transfer of data? This was examined in the case of Bodil Lindqvist,6 which was discussed in depth in chapter 22. As was discussed there, one of the issues which attracted the attention of the Swedish data protection authority was that Mrs Lindqvist, in placing the data on a publicly accessible web page which was accessible from any part of the world, had transferred processed personal data to a third country without authorization. The court received a number of competing observations on this point. The European Commission and the Swedish Government considered that:

the loading, using a computer, of personal data onto an internet page, so that they become accessible to nationals of third countries, constitutes a transfer of data to third countries, and that the answer would be the same if no one from the third country had in fact accessed the data or if the server where it was stored was physically in a third country.7

A different view was put forward by the government of the Netherlands who argued that ‘the term, [transfer], must be understood to refer to the act of intentionally transferring personal data from the territory of a Member State to a third country and, [accordingly] loading personal data onto an internet page using a computer cannot be considered to be a transfer of personal data to a third country’.8 The UK government took a similar but slightly different approach to the Dutch approach arguing that the Directive ‘concerns the transfer of data to third countries and not their accessibility from third countries. The term transfer connotes the transmission of personal data from one place and person to another place and person.’9

The court considered these alternatives before coming down in favour of the UK interpretation, finding that ‘personal data which appear on the computer of a person in a third country, coming from a person who has loaded them onto an internet site, were not directly transferred between those two people but through the computer infrastructure of the hosting provider where the page is stored’.10 On this basis the court concluded that ‘there is no transfer [of data] to a third country within the meaning of [the] Directive where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country’.11 The placing of data on a web page therefore is not a transfer of data. Before leaving Lindqvist we should note that the court observed that:

given the state of development of the internet at the time [the] Directive was drawn up and the absence of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist’s position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.12

The lawmaking institutions of the EU have, of course, now had a second opportunity to review the application of the data protection framework to the internet and the placing of content on web pages in the drafting of the GDPR. In terms of data transfers, the GDPR makes no significant changes to the previous law as found in the Directive, suggesting that the EU institutions are satisfied with the settlement found in Lindqvist. Data transfers are covered by Chapter 5 (Articles 44–50) but for the purposes of the immediate analysis we need to look to Art. 44. This provides that:

any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

This is not dissimilar to the old wording of Art. 25(1) of the 1995 Directive ‘Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.’ The main distinction between the 1995 wording and the 2018 wording is not around the definition of the transfer itself but rather the addition of ‘international organisations’ defined in Art. 4(26) as ‘an organisation and its subordinate bodies governed by public international law’ to the classification of ‘third country’. The GDPR specifically does not seek to define transfer, suggesting that Lindqvist remains the applicable law in this area.

24.1.1 The data exportation framework

It is clear from the wording of Art. 44 that there is a framework for the legal exportation of data outside the EEA. This is necessary as data transfers occur continually; data is after all the oil that lubricates our modern economies. Article 44 says ‘any transfer of personal data … shall take place only if the conditions laid down in this Chapter are complied with’. The framework for effective legal transfers of data is therefore fully contained within Chapter 5 (Articles 44–50) of the GDPR.

An examination of Chapter 5 reveals three frameworks for the exportation of data from the EEA to a non-EEA state. These are particularly important for us in the UK post-Brexit, when the UK ceases to be an EEA state. It means that, as you are reading this, all transfers from the EEA to the UK are regulated in accordance with Chapter 5. At the time of writing it is unclear what form of settlement has been reached to allow transfers of data to the UK from the EEA. If the UK has managed to negotiate a withdrawal agreement based on the Prime Minister’s Chequers plan, as agreed by the European Council on 25 November 2018, the UK government and the EU will be negotiating a deal based on so-called ‘adequacy plus’, a formal recognition that UK data protection law meets EU standards.13 However, I have written elsewhere that the current UK law may not meet formal adequacy requirements.14 Whatever the final legal position, the two sides (the UK and the EU) are given until 31 December 2020 to negotiate an agreement by Art. 71 of the agreed text of the withdrawal agreement, which states that during the transition period EU law will apply in the UK ‘in respect of the processing of personal data of data subjects outside the United Kingdom’.15

If the UK has ‘crashed out’ without a deal being in place, emergency measures will have had to be implemented. These will be based on the guidance note prepared by the Department for Digital, Culture, Media and Sport in September 2018.16 This notes that there is no change in domestic law (no doubt a relief to all of you who have read chapters 22 and 23) as ‘the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it’. The note observes, however, that ‘the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit’. The advice from DDCMS is that the UK government would hope to get an adequacy decision, but as these take time to agree, at the point of Brexit organizations should have standard contractual clauses (discussed at 24.4) in place to allow them to continue to transfer data from the EEA to the UK. Although this might seem odd to you reading this text in late 2019, or later, at the time of writing (30 November 2018) it is not clear at all whether the UK will leave the EU in an orderly fashion or will simply crash out.

Already you have read the word ‘adequacy’ several times. This is the ‘Rolls-Royce’ system for data transfers from within the EEA to outside it. The framework for adequacy is found in Art. 45 GDPR. This states that ‘a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.’ Thus if your country or organization is deemed to be ‘adequate’ by the Commission you may transfer data into and out of the EU as if your country or organization were an EEA member state; this is the settlement the UK government hopes to achieve post-Brexit. How do you receive adequacy recognition? Article 45(2) gives a framework checklist for the Commission to follow. To find adequacy the Commission must take account of:

(a) rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

In practice this means an extensive period of negotiation between the Commission and the country seeking adequacy, followed by the publication in the Official Journal of the text of the adequacy decision. Currently there are full adequacy decisions in place for eleven countries17 and limited adequacy decisions for two: Canada which has an adequacy decision only in relation to data held or processed by commercial organizations, not public bodies or non-commercial organizations, and the United States Privacy Shield (which will be discussed at 24.3). In addition, negotiations are ongoing with South Korea for recognition.

Adequacy decisions are open-ended but the Commission is required by Art. 45(3) to review the country (or organization) at least every four years to ensure that they continue to meet the standards required for adequacy. In addition, by Art. 45(4) the Commission is tasked to continually monitor developments in the country or organization. If at any time the Commission finds the country or organization no longer meets the adequacy standard, they may repeal, amend, or suspend the original decision by Art. 45(5). If they do so they are required by Art. 45(6) to re-enter negotiations with the country or organization in question ‘with a view to remedying the situation’.

Probably the most controversial adequacy decision is the one between the EU and the United States. When the 1995 Directive was passed, it required adequate levels of data protection from third countries before data could be exported to them.18 This was a problem for EU–US data flows, which are the backbone of data transfers globally. To remedy this, the Commission and the US State Department and Department of Commerce negotiated an agreement, called the ‘safe harbour agreement’, which would allow the Commission to issue an adequacy decision in favour of the United States. The EU eventually formally recognized the agreement in July 2000 and it took effect.19 However, the agreement was unlike any adequacy decision which was to follow. Essentially, it allowed US organizations to voluntarily agree to abide by seven principles and to register with the US Department of Commerce.20 As a self-certification scheme, it was clear to observers that it did not strictly meet the standards of Art. 25 DPD and it was extensively criticized.21 Eventually the safe harbour settlement was legally challenged by privacy activist Max Schrems (in a case discussed in detail at 24.2) and was struck out. It has been replaced with a new agreement, the so-called ‘privacy shield’ agreement.22 In essence, this is a beefed-up version of the safe harbour agreement. As with safe harbour, US-based corporations can self-certify to the Department of Commerce that they comply with the Privacy Shield Principles.23 What is different about privacy shield is that enforcement and data subject rights are strengthened with, inter alia, a requirement that US organizations respond to data subject complaints within 45 days. They must have a data protection policy which includes statements regarding the enforcement body, arbitration rights, disclosures to public authorities, and the company’s liability for onward transfers; limitations on access rights to data by US public authorities; and a stronger enforcement and oversight procedure operated by the Federal Trade Commission. The privacy shield agreement has since also been challenged, and these challenges will be discussed at 24.3.

If a country or organization does not hold an adequacy decision then data transfers must be legitimized in some other way: this means appropriate safeguards under Art. 46 GDPR. Article 46(2) lists a menu of safeguards which may be ‘appropriate’. These include ‘a legally binding and enforceable instrument between public authorities or bodies’; transfers subject to binding corporate rules; standard contractual clauses; and an approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA. These appropriate safeguards ensure that both the EEA-based data controller and the receiver of the transfer are legally required to protect individuals’ rights and freedoms for their personal data.

The most common form of appropriate safeguard is binding corporate rules (BCRs) under Art. 47. These are internal codes of conduct operating within a multinational group, which apply to restricted transfers of personal data from the group’s EEA entities to non-EEA group entities. They can be rules for a single corporate group or rules for a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures. According to Art. 47 these rules must:

(a) be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees; and

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data.

In addition, they must meet the extensive requirements of Art. 47(2).

Before taking effect BCRs must be submitted for approval to an EEA supervisory authority in an EEA country where one of the companies is based. An alternative for an organization that does not want to seek formal BCRs, or who cannot use them as they are transferring data not within their corporation or group but to third parties, is to use standard contractual clauses under Art. 46(2)(c) and (d).

Standard contractual clauses (SCCs) are four sets of model contractual clauses adopted by the Commission under the 1995 Directive (no new clauses for the GDPR have been issued yet but they are planned).24 The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. There are two sets of standard contractual clauses for restricted transfers between one controller and another controller, and two sets between a controller and processor. SCCs must be adopted in the contractual agreement between the data exporter and the data importer in their entirety and without amendment. The parties are allowed to include additional clauses on business-related issues, provided that they do not contradict the SCCs. SCCs may offer a tantalizing alternative to BCRs as they do not need to be approved by a supervisory authority and they can be used to export data to unconnected third parties. However, they are subject to a current challenge from privacy advocate Max Schrems which makes the current adoption of SCCs risky as they may be ruled invalid by the CJEU in 2019.

24.2 Challenging the data exportation framework: Schrems v Data Protection Commissioner

As already noted, to comply with EU data exportation rules, originally in Art. 25 DPD and now in Art. 44 GDPR, a number of countries have adopted data protection laws and principles which have been found to be ‘adequate’ by the Commission. One particular sticking point over the years though has been data exportation to the United States. The United States takes a philosophically different view to the EU on how data protection should be effected. Whereas the EU supports a holistic, rights-based approach which protects all data of the data subject, the United States favours a sectoral and self-regulatory approach.25 To allow for the free flow of data from the EU to the United States a legal fiction was created: the safe harbour agreement. I call it a legal fiction for, as we have seen, it was a self-certification scheme which did not appear to strictly meet the standards of Art. 25 DPD. However, it was an effective fiction that allowed for the massive volumes of international transfers of data between the EU and the US, transfers which are the lifeblood of technology companies such as Apple, Facebook, Google, and Microsoft.

In summer 2013, though, the Edward Snowden revelations threatened to undermine the safe harbour agreement. Among the many revelations in the Snowden documents, discussed in full in chapter 25, was the exposure of a program known as Prism. Prism is a large-scale state data-gathering program in which the US National Security Agency gathers and stores large volumes of internet communications data from technology and telecommunications companies based in the United States, such as Google, Microsoft, Facebook, and Apple. The data is requested under a warrant obtained under the FISA Amendments Act of 2008.26 The disclosure of the Prism program suggested the safe harbour agreement was unable to provide the level of protection needed to meet the requirements of Art. 25, for although other EU states, including the UK, have parallel data-gathering programs at state level, the EU member states are bound by the principles of the EU Charter, whereas the United States Federal Government is not.

One man who took this view was Maximilian Schrems, an Austrian privacy activist and founder of civil society group Europe v Facebook.27 He had been campaigning against Facebook’s data-gathering program before the Snowden revelations. He first became interested in Facebook’s data privacy program when studying law during a semester abroad at Santa Clara University in Silicon Valley. It is reported that Schrems decided to write a paper on Facebook’s lack of awareness of European privacy law, after being surprised by what the company’s privacy lawyer, Ed Palmieri, said to his class on the subject.28 He later made a request under Art. 12 to receive what information Facebook held on him and received a CD containing over 1,200 pages of data, which he published at Europe v Facebook with personal information redacted. In summer 2013 he filed a complaint with the Irish Data Protection Commissioner alleging that Facebook’s policy of exporting data to the United States was unlawful under Art. 25 due to its role in and compliance with the Prism program.29 When the Data Protection Commissioner ruled that Facebook had no case to answer, Schrems filed an application for judicial review in the Irish High Court. When the case was heard in June 2014 the court immediately referred the case to the CJEU.

The High Court sent two questions to the CJEU:

(1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?

(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?

The first question essentially asks whether the Irish Data Protection Commissioner is bound by the safe harbour agreement and must find data transfers which comply with it to be lawful, notwithstanding the rights to privacy, data privacy, and an effective remedy found in the EU Charter. The second asks whether the Commissioner may by his own investigation find that the export does not comply with the Directive, notwithstanding the safe harbour agreement.

The court gave its decision on 6 October 2015 and in so doing perhaps went further than the High Court had envisaged when it referred the case.30 The court first answered the questions referred. It noted that the very act of transferring data was a data process in and of itself31 and that by Art. 8(3) of the Charter and Art. 28 of the Directive

national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46.32

This means that national supervisory authorities such as the Irish Data Protection Commissioner have a general supervisory authority which they can use to block data transfers. However, as Art. 25(6) allows the Commission to adopt a decision finding that a third country ensures an adequate level of protection, as is the case with the safe harbour, in these cases:

until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, … cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.33

As such the answer to the first question is that the Irish Data Protection Commissioner is bound by Decision 2000/520 (the safe harbour decision) until it is declared invalid. What happened next though was a powerful message from the court. It found that it would be:

contrary to the system set up by the Directive and to the objective of Articles 25 and 28 for a Commission decision adopted pursuant to Article 25(6) to have the effect of preventing a national supervisory authority from examining a person’s claim concerning the protection of his rights and freedoms in regard to the processing of his personal data which has been or could be transferred from a Member State to the third country covered by that decision.34

As a result, the court found that state supervisory bodies such as the Irish Data Protection Commissioner do have the right to review the transfer of data under a decision such as the safe harbour decision, notwithstanding the normal principle.35

This was only the appetizer though; the main course was to come. The court noted that:

as is apparent from the referring court’s explanations relating to the questions submitted, Mr Schrems contends in the main proceedings that United States law and practice do not ensure an adequate level of protection within the meaning of Article 25 of the Directive. As the Advocate General has observed in points 123 and 124 of his Opinion, Mr Schrems expresses doubts, which the referring court indeed seems essentially to share, concerning the validity of Decision 2000/520.

As a result, the court declared that ‘in such circumstances, having regard to what has been held in paragraphs 60 to 63 of the present judgment and in order to give the referring court a full answer, it should be examined whether that decision complies with the requirements stemming from Directive 95/46 read in the light of the Charter.’36

This was what Mr Schrems had hoped for but was strictly beyond what the referring court had asked. The court now was going to examine the legality of the safe harbour agreement itself. Remember, at this point, that the safe harbour agreement was the only thing which permitted the safe transfer of personal data from the EU to the US under Art. 25. Should the court find the agreement to be unlawful, it would have a direct impact upon a multibillion-dollar industry.

Highlight: The decision of the CJEU in Schrems

(1) Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.

(2) Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind.

(3) The Commission’s own analysis of Decision 2000/520 shows that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

(4) Data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

(5) Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.

(6) Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.

(7) Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.

As may be expected, the fallout from the Schrems decision was great. On the European side of the Atlantic the decision was greeted as a strong vindication of the fundamental right of privacy. The European Commission37 and the Article 29 working party38 made bullish statements about how this protected fundamental rights. Meanwhile, US regulators were understandably less enthusiastic. Federal Trade Commissioner Julie Brill admitted that ‘although I and other close observers of the European privacy scene have been discussing the potential implications of the Schrems case for some time, the decision clearly came as a shock to many policy makers and companies in the United States’, and that:

during a discussion held just last week in the heart of Silicon Valley, a Member of the US House of Representatives who hails from that area of California stated that the Schrems decision measured 7.8 on the Richter scale. For those of you not as familiar with earthquakes as they are in California, that is an enormous shock that would seriously test most bridges. It also makes the need for building stronger and more durable bridges that much clearer.39

Unsurprisingly, both sides were quick to mobilize to try to find a replacement for the safe harbour agreement. A communication from the Commission committed it to developing a ‘renewed and sound framework for transfers of personal data to the United States’.40

24.3 Challenging privacy shield

The negotiations led in time to the adoption of the privacy shield agreement.41 As already noted, privacy shield replicates much of the framework of the safe harbour but with added protection for EU data subjects. The key issue in Schrems was the ability of US law enforcement and security bodies to access locally held data using FISA warrants or similar, without any form of redress for EU data subjects under US Federal or State law. Privacy shield attempts to plug these gaps. Part III of the agreement covers access to and use of personal data transferred under the privacy shield by US public authorities. It requires written assurance from the US Federal Government that any access by public authorities to personal data will be subject to clear limitations, safeguards, and oversight mechanisms. US Federal authorities, as part of the agreement, had to affirm the absence of indiscriminate or mass surveillance,42 and companies who hold data on EU data subjects in the US will be able to report the approximate number of access requests they receive; a move from the previous position, where they were not allowed to reveal whether any requests had been made.

Most importantly, though, a new system of redress is created through the EU–US Privacy Shield Ombudsperson.43 The ombudsperson is an office created by the US government, but one which, by the terms of the agreement, must be ‘independent from, and thus free from instructions by, the US Intelligence Community.’44 The ombudsperson is tasked with ensuring ‘that individual complaints are properly investigated and addressed, and that individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied’.45 The current ombudsperson is the Acting Under Secretary of State for Economic Growth, Energy, and the Environment, Manisha Singh, who was appointed to the role on 28 September 2018. Her appointment was confirmed only after a number of delays and following a letter from a number of US technology and business groups to US Secretary of State Pompeo calling for the urgent appointment of an ombudsperson.46

There is currently considerable concern in Europe that the US Federal Government is not meeting its side of the agreement. In addition to the protracted period with no ombudsperson in place, now resolved, the European Parliament resolved in June 2018 that privacy shield should be suspended if the US Federal Government had not fully complied with it by 1 September 2018, although no such suspension has yet been announced.47 This followed a Commission review in October 2017 which concluded that although:

overall Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the US, at the same time, the Commission considers that the practical implementation of the Privacy Shield framework can be further improved in order to ensure that the guarantees and safeguards provided therein continue to function as intended.48

It was further reported that in July 2018 Věra Jourová, the EU Commissioner for Justice, wrote to US Commerce Secretary Wilbur Ross, warning that the US had three months to comply with the EU’s demands that it meet the privacy shield requirements.49 The report suggests that the protectionist approach to trade prevalent in Washington, along with the passing of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act of 2018,50 had caused concern in Brussels.

In addition to these political concerns, the privacy shield agreement has been the subject of two separate legal challenges. The first was brought by the privacy group Digital Rights Ireland (DRI).51 DRI brought an action before the General Court of the CJEU, relying on Art. 263 of the Treaty on the Functioning of the European Union (TFEU), under which ‘[a]ny natural or legal person may, under the conditions laid down in the first and second paragraphs, institute proceedings against an act addressed to that person or which is of direct and individual concern to them, and against a regulatory act which is of direct concern to them and does not entail implementing measures’.52 DRI argued that it had standing to bring an action in its own name or, in the alternative, in the name of its members, its supporters, and the general public.

The claim in DRI’s own name rested on three grounds:

(1) that, given that it possesses a mobile phone and a computer, its own personal data are liable to be transferred to the United States pursuant to the contested decision;53

(2) that the privacy shield decision affects its situation as controller of the personal data of its supporters;54 and

(3) that there is a risk that the use of electronic communication services to process the data of which it is controller will result in their transfer to the United States by a provider of those services.55

Unfortunately for DRI, the court rejected all three grounds. The first was summarily dismissed because, as ‘the applicant is a legal person and its official title does not identify any natural person, it cannot avail of the protection of personal data’.56 The second was dismissed because ‘recital 14 of the contested decision specifies that the Privacy Shield applies to American organisations, whether they act as controller or as processor. It is also apparent from recital 15 of that decision that the principles of the Privacy Shield apply to the processing of personal data by an American organisation only if that processing does not fall within the scope of EU legislation, and that the Privacy Shield does not affect the application of EU legislation governing the processing of personal data in the Member States.’57 The third was dismissed because ‘the applicant could not be criticised for having breached its obligation of lawful processing by having carried out a transfer of personal data in accordance with the applicable rules’.58 As a result DRI did not have standing in its own name.

The court then examined whether DRI could stand in for ‘its members, its supporters and the general public’. The court found, and DRI did not dispute, that DRI was a company, not a membership association;59 that Art. 263 TFEU does not, in principle, allow an applicant to bring an actio popularis in the public interest;60 and that an attempt to found standing on Art. 80(2) of GDPR, which allows a not-for-profit body, organization, or association to make a representative complaint, was impossible because GDPR was not in force at the time the complaint was made.61 As a result the court found DRI had no standing and dismissed the complaint.

The DRI complaint was not the only challenge to privacy shield. Max Schrems, flush from his success in the safe harbour litigation, had started a second round of litigation against Facebook Ireland. The focus of that litigation was initially standard contractual clauses (SCCs), and the case is discussed in more detail at 24.4 with specific reference to SCCs. However, when the Irish High Court referred eleven questions to the CJEU in April 2018, a number of them were specifically on the operation of privacy shield. The first question is quite procedural. It asks whether, for the purposes of Art. 25(6) of the DPD (and presumably by extension for Art. 46(2) GDPR), the privacy shield decision constitutes a finding of general application, binding on data protection authorities and the courts of the member states, to the effect that the US ensures an adequate level of protection. If it does not, what relevance, if any, does the privacy shield decision have in the assessment of the adequacy of the safeguards provided to data transferred to the United States pursuant to the SCC Decision? This, in essence, determines the limits of the authority of the Irish Data Protection Commission. If privacy shield is the equivalent of a full adequacy decision, it would not be possible for the Irish Data Protection Commission to intervene. If, however, it is less than a full adequacy decision, the Commission has leeway to intervene in individual cases.

More interesting, however, is the following question:

given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?62

This question is extremely provocative. In her earlier determination of the case Costello J was quite forthright, stating:

it seems to me that there is a well-founded argument that the Ombudsperson mechanism does not respect the essence of that fundamental right. It does not afford EU citizens judicial protection. The Ombudsperson is not a judge and she is not on the face of it independent of the executive. The office arguably does not meet the indicia of a tribunal established by the ECJ in Denuit [2005] ECR I-923 at para 12: that the body is established by law, is permanent, whether its jurisdiction is compulsory, whether its procedure is inter partes, whether it applies rules of law and whether it is independent. Critically, her decisions are not subject to judicial review. It is also arguable that the remedy is not an effective remedy as required by Article 47.63

If the CJEU agrees with her assessment, privacy shield would lack any procedure by which an individual could pursue legal remedies and obtain effective judicial protection, as enshrined in Art. 47 of the Charter. As we know from Schrems, that was one of the major reasons safe harbour was ruled invalid. It is not impossible that some time in 2019 the CJEU could strike down privacy shield completely on this basis.

24.4 Challenging standard contractual clauses

The Schrems II challenge did not originate as a direct challenge to privacy shield, although, as we have just seen, it may ultimately deliver a killer blow to the operation of the agreement. It originated as a challenge to the use of SCCs. In the immediate aftermath of the Schrems decision and the striking down of safe harbour, Facebook (and others) continued to export personal data from the EU to the US under SCCs. Max Schrems believed, not unreasonably, that if the United States was not considered a safe enough trading partner for personal data under the safe harbour, then data transfers under SCCs should equally be stopped, for the reasons given in the Schrems decision. In particular, data-gathering programs such as Prism continue to be operated by the NSA, and under a FISA warrant Facebook and others would still be compelled to hand over the personal data of EU data subjects, whether that data had been transferred to them under the safe harbour agreement (now defunct) or under SCCs. Additionally, as SCCs do not give the data subject any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified, or erased, SCCs display the same flaws as the safe harbour agreement.

Schrems raised his claim with the Irish Data Protection Commission as a result of the outcome of the Schrems case at the CJEU. He claimed that, because data held in the US remains subject to surveillance under a number of legal provisions, many of which afford no judicial remedy that would allow the data subject to take appropriate action, transfers under SCCs were in breach of Art. 8 of the EU Charter. The Data Protection Commissioner then applied to the Irish High Court to refer a number of questions to the CJEU to assist it in making its decision or, in the alternative, to issue a judgment answering those questions if they were acte clair. The court issued its judgment in October 2017, referring eleven questions to the CJEU. In her judgment, Costello J stated that in her view ‘SCCs alone cannot ensure an adequate level of protection in the third country for data protection rights and freedoms. Despite the provisions of the SCCs, nonetheless data transferred pursuant to the SCCs to third countries may not enjoy the adequate level of protection mandated by reason of the laws of the individual third country.’64 She went on: ‘it follows therefore that the provisions of the law of that third country may provide the basis for concluding that data transfers effected pursuant to SCCs under Article 26 (2) do not provide adequate safeguards for the personal data of data subjects.’65 This led her to conclude:

if there are inadequacies in the laws of the United States within the meaning of Union law, the SCCs cannot and do not remedy or compensate for these inadequacies. The private contractual clauses cannot bind the sovereign authority of the United States and its agencies. This conclusion means that the terms of the SCCs themselves do not provide an answer to the concerns raised by the DPC in relation to the existence of effective remedies for individual EU citizens in respect of possible infringement of their data privacy protection rights if their data are subject to unlawful interference.66

Eleven questions were referred to the CJEU in May 2018. As we have already seen, some refer to the privacy shield agreement. In relation to SCCs, the key questions are probably questions 3, 4, and 8. Question 3 asks:

when assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of the Directive, ought the level of protection in the third country be assessed by reference to:

(a) the applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; or

(b) the rules referred to in (a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country?

This invites the CJEU to state whether rules for the protection of personal data are enough to allow data transfers or whether effective enforcement procedures are also required. Question 4 asks quite bluntly, ‘Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?’ This is self-explanatory. Finally, question 8 asks:

if a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the clauses of the Annex to the SCC Decision or Article 25 and 26 of the Directive and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of Recital 11 of the Directive, or can a data protection authority use its discretion not to suspend data flows?

This invites the CJEU to rule, as it did in Schrems, that the EU Charter takes precedence over the remainder of the legal acquis and that, subject to this, supervisory authorities are required to step in to protect the rights of data subjects where they are aware of risks of harm.

As can be seen, the possible impact of this case is as great as that of the original Schrems case. However, there is a rub; well, two actually. The first is that many people believe the case to be moot. The law upon which the case is being argued, the 1995 DPD, has now been repealed and replaced by GDPR. The Commission will soon issue new standard contractual clauses under Art. 46, so is there any mileage in this claim? Well, possibly. Facebook made a request in April 2018 to have the reference to the CJEU delayed, as there was a risk of unquantifiable potential loss which, it argued, was incapable of being remedied if the court ultimately found against it. In that application Facebook argued, in the words of Costello J, ‘obliquely’ that the replacement of the Directive by GDPR means ‘the legal basis for the SCCs will be fundamentally altered, and the question in respect of the Directive will be moot’.67 In dismissing this request, Costello J noted that she felt Facebook was deliberately ‘running out the clock’ so as to make the application of the Data Protection Commission moot, observing that ‘the existing delays have already potentially gravely prejudiced the DPC and Mr Schrems. I do not propose to exacerbate this potential prejudice any further.’68 In a further twist, after initially refusing leave to appeal, the Irish Supreme Court on 31 July 2018 granted Facebook leave to appeal against both the findings of fact and of law in the High Court.69 A hearing in that appeal has now been fixed for 21 January 2019. With no hearing yet fixed for the CJEU case, it is the intention of Facebook to ask the Supreme Court to halt the referral to the CJEU. However, it is not clear whether it is legally possible for a superior court to withdraw a reference once it has been made by an inferior court.

The outcome of this case is as difficult to predict as the Brexit settlement. At one end of the spectrum the CJEU could rule both the privacy shield agreement and the use of SCCs incompatible with Art. 8 of the EU Charter and strike both down. At the other end the Irish Supreme Court could withdraw the reference (if that is possible), or the CJEU could find most of the questions to be moot given that GDPR has replaced the 1995 DPD. It is another example of the current lack of certainty in data protection law.

24.5 Conclusions

This chapter opened with a modern aphorism, ‘data is the new oil’. We might conclude with reference to a reportedly ancient curse, ‘may you live in interesting times’.70 With data flows and data exportation now essential to just about every commercial transaction globally (even if you buy a piece of commercial real estate, the names of company officers, email addresses, and telephone numbers will be exchanged to service the transaction), it is vital that we keep data flowing. EU data protection law in this area is, however, necessarily complex, and while some, possibly the Trump White House in Washington, may view the laws on data transfer as economically protectionist, from this side of the Atlantic the need for strong data protection and data transfer rules is clear, flowing from the fundamental rights principle enshrined in Art. 8 of the EU Charter. The actions of Max Schrems in particular, but also of other data activists, have arguably complicated the political and economic position but have helped the CJEU to set out the legal position. It might be argued that to be a member state of the EU (or the EEA) in these ‘interesting times’ is valuable, for you are protected from the buffeting of the winds of the data exportation framework, and there is no doubt that for many years the UK has benefited from this protection. However, at 11pm on 29 March 2019 we will suddenly find ourselves outside the protective harbour of EU membership, either in the relatively calm waters of having secured a withdrawal agreement or perhaps in the stormy and unwelcoming waters of a no-deal Brexit. Should we find ourselves there, it may prove to be most uncomfortable.
