Covered topics:

  • the applicability of EU law to data transfers made for commercial purposes, but further processed for national security and law enforcement purposes
  • the relevant legislation for determining whether there has been a violation of individual rights
  • how to assess the level of protection in a third country
  • whether data transfers to the US violate the Charter
  • whether the level of protection offered in the US respects or limits an individual’s right to a judicial remedy
  • what level of protection is required to be afforded to personal data that is transferred under SCCs
  • whether the SCCs can even be adequate as safeguards given they do not bind national authorities
  • whether there is an obligation to suspend data flows if a data importer is subject to surveillance law
  • what the relevance of the Privacy Shield decision is with regards to assessing safeguards
  • whether the presence of an ombudsperson can ensure that the US provides an effective remedy to data subjects
  • whether the SCCs violate the Charter

Abstract

The CJEU invalidated Commission Decision 2016/1250 (the EU-US Privacy Shield) and affirmed the validity of the standard contractual clauses (SCCs), provided they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed by the GDPR

  • Schrems alleged that US law required Facebook Inc. to disclose his personal data to certain United States authorities in the context of various monitoring programs (in particular, the FISA 702 and the Executive Order 12.333)

    • Section 702 of the FISA permitted the Attorney General and the Director of National Intelligence to authorize jointly, following FISA approval, the surveillance of individuals who are not US citizens and who are located outside of the US in order to obtain foreign intelligence information
    • Section 702 of the FISA provided the basis for the PRISM and UPSTREAM surveillance programs
    • PRISM in particular required ISPs to supply the NSA with all communications to and from a ‘selector’
    • UPSTREAM permitted the NSA to copy and filter Internet traffic flows from the ‘backbone’ of the internet, granting it access to both the content of communications and their metadata
    • Executive Order 12.333 (E.O. 12333) allowed the NSA to access data in transit by accessing underwater cables on the floor of the Atlantic
    • The High Court stated that the only limit on US surveillance activities was found in the Presidential Policy Directive (PPD-28), and even this only stated that intelligence activities should be ‘tailored as feasible’
    • The High Court considered that the US carried out mass processing of personal data without ensuring a level of protection that was essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter; EU citizens don’t have the same remedies available to them as US citizens because the Fourth Amendment doesn’t apply to non-US citizens; activities based on E.O. 12333 are also not subject to judicial oversight and are not justiciable
  • Decision 2016/1250 (“Privacy Shield”): the self-certification scheme in place for controllers based in the US

  • Principle of proportionality was not satisfied, as US surveillance programs are not limited to what is strictly necessary

  • Following this, Court examined the validity of the SCCs (Decision 2010/87)

  • more: Schrems II

Related: C-362/14 Schrems I