by Bitthal Sharma
Here, Bitthal Sharma, a 4th year student at RGNUL, Patiala, analyses the recent CJEU decision pertaining to trans-atlantic transfer of personal data, concluding how it is a positive step towards user data protection.
A historical judgement was pronounced by the Court of Justice of the European Union (“CJEU”) in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”) in which the privacy shield, which regulated the transatlantic data transfers, was held invalid. It was laid by the European Union’s (“EU”) Highest Court that the privacy shield did not provide adequate protection to the data of millions of data subjects, thereby jeopardising their personal data which could be misused by the companies at their will. The court invalidated the Commission Decision 2016/1250 which established the validity of privacy shield which succeeded the Safe Harbour. The same ruling asserted the validity of the Standard Contractual Clauses (“SCCs”) which are the sets of contractual terms and conditions which have to be complied with in accordance with the guidelines provided by General Data Protection Regulation (“GDPR”) for data protection.It is evidently clear that this decision would cause a variety of problems for the companies outside EU, provided that transfer of data from EU countries won’t be as smooth and easy as it used to be. However, the most important question arising after the monumental judgement is: What does it augur for the rights of the citizens in EU and does it adequately protect their personal data from getting exploited at the hand of the recipients?
Causes Behind Invalidating Privacy Shield
The case is the result of suit brought by Maximillian Schrems, an Austrian lawyer, against Facebook Ireland, concerning transfer of his personal data by Facebook Ireland to Facebook Inc. He submitted that the United States (“US”) being a mass surveillance state, the data collected by US based companies was not safe as the country did not have adequate measures to protect the personal information collected by the companies in accordance with privacy shield, thus questioning the enforcement of data privacy mechanism provided in GDPR in US.
According to Art. 45 (1) of GDPR, a transfer of personal data to a third country or an international organization may take place only if the country or the organization in question ensures an adequate level of protection to the personal data of the data subjects. Furthermore, Art. 45 (2)(a) mentions respect for human rights as one of the factors to be taken under consideration while assessing the adequacy of level of protection. These provisions are further substantiated by the recitals which provide further protection to the human rights of the data subjects from being misused by third countries. Recital 103 substantiates upon Art. 45 laying down the responsibility of the third country or organization to provide adequate level of data protection. Similarly, Recital 104 provides how the third country ought to respect the international human rights norms and standards to protect the data of the citizens.
CJEU invalidated the privacy shield as it failed to pass the test of ‘adequate protection’ provided under the above provisions of GDPR. The court held that the inability of the privacy shield mechanism to provide adequate data protection to the data subjects in EU nations interfered with their fundamental rights by transfer of personal data to US. Moreover, the US domestic laws were not secure enough to be effective against illegal snooping of personal information of the EU citizens being transferred to US as any such data could be exploited and misused under Section 702 of the Foreign Intelligence Surveillance Act, 1978 (“FISA”) which enables the government to access data of individuals outside US. FISA violated Art. 45 (2) of the GDPR due to its inability to provide ‘effective and enforceable remedy’ to the data subjects in EU nations. In case of any data breach of personal data of an individual residing in EU, he/she does not have the right to any kind of judicial redress under FISA as opposed to Art. 47 of the EU Charter of Fundamental Rights which provides for an effective remedy to everyone whose rights and freedoms have been violated. CJEU also opined that the surveillance programs in US do not meet the ‘necessary and proportional’ criteria under Art. 52 of the Charter. Moreover, FISA gives unbridled and unrestricted power to the US surveillance agencies to have access to an individual’s personal info, thus violating Art. 5 (1) (f) of GDPR which holds that the data of subjects must be processed in a manner which ensures security of the personal data, including protection against any unauthorized and unlawful processing.
The Way Forward
In light of the violations of the mentioned provisions in GDPR and EU Charter, the court decided to strike down the privacy shield in order to safely regulate data transfer between EU and US. This would cause the companies in US to adjust their policies in consonance with the GDPR framework. But this would not impede the transfer of data from EU countries to US as the SCCs have not been invalidated by the CJEU as it rejected the argument that they do not bind the public authorities of the third country to provide effective redress to the EU citizens. But a condition precedent has been laid down by the court which would protect the data being transferred from EU through SCCs. It would be mandatory for the Data Controllers and other authorities regulating the transfer of data to suspend or prohibit such transfer in case of conflict between SCCs and GDPR. Thus, it would be their responsibility to make sure that the recipient complies with the SCCs and give adequate protection to the data of the individuals, failure of which would invalidate the transfer of any form of personal data obtained by the recipient including companies and organizations based in US. The Supervisory Authority would be called into action in case the Data Controller fails to take cognizance of such compliance breach.
The judgement pronounced by the court is nothing short of monumental. It augurs well not only for the transfer of data between EU and US but also between EU and other countries outside of European Economic Area (“EEA”). Even if the recipients in the third country are unable to comply with the SCCs, they’d be under the duty to inform the same to the data regulation authorities in EU who would then take appropriate measures to protect data of citizens, thus making sure that such transfer is not used for any unauthorized or illegal objective in contravention to the provisions of GDPR. The decision is a positive step towards strengthening the data transfer standards. By making sure that the third countries comply with the GDPR, it would go a long way in ensuring that the process of transfer is made more thorough and stringent, thereby protecting the personal data of the EU citizens along the way.
About the author – Bitthal has indulged in research work, having been a member of various organizations such as International Review of Human Rights law, Journal of Intersectional Analysis, Legal Foxes, Enhelion Ventures and Subkculture. His research work was also acknowledged when he was awarded the 2nd Best Researcher prize in the D.M Harish International Moot Court Competition.