THE JUDGEMENT OF THE ECJ OF 16 JULY 2020 – “SCHREMS II”

1. Precedents and factual framework

Max Schrems, an Austrian citizen, Facebook user, signed a contract with Meta Platforms Ireland Ltd., European branch of Meta Platforms Inc (US). This company transfers personal data of their many users to the latter in the US, where they process them.

Mr. Schrems, concerned by the use of this data by US authorities, formulated a complaint to the Data Protection Commissioner (DPC or Commissioner[21]) seeking for the prohibition for Facebook to send data to the US since, he considered, “the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged”[22]. Concerns for Mr.

Schrems arose after the well-known revelations of Mr. Edward Snowden in regarding the global surveillance programs of the NSA (National Security Agency of the US) could get access to these data with legal authorisation.

The DPC rejected the complaint considering that EU authorities granted an adequate protection level in the aforementioned Decision 2000/520[23] (Safe Harbour Principles). Mr. Schrems initiated judicial proceedings before The High Court of Ireland that requested for preliminary ruling to the ECJ. As we have previously indicated, the Decision was considered invalid by the Court in its 6 October 2015 judgment (Schrems I)[24] and consequently the rejection to Mr.

Schrems complaint was also annulled. With this first judgment, the ECJs figure gets strengthened, by establishing that certain red lines cannot be crossed even by the European Commission's legislative acts[25].

After that, the Commissioner asked Mr. Schrems to reformulate his complaint, in which the claimant insisted on the prohibition of data transfer to the US, referring to the monitoring programmes followed by US authorities (NSA and FBI) and the incompatibility of those with the Charter of Fundamental Rights of the European Union, specifically articles 7, 8 and 47.

Those articles guarantee “respect for private and family life” (art. 7), “protection of personal

188

data” (art. 8) and “Right to an effective remedy and to a fair trial” for the citizens of contracting states of the Charter.

In this second procedure a deeper investigation was conducted by the Commissioner and conclusions were aligned with Mr. Schrems´ arguments, confirming the incompatibility of US authorities´ legal power to intervene EU citizens´ personal data with the rights introduced by the Charter[26]. Additionally, the legal framework provided by the SCCs, that only affect the contractual parties, did not bind US authorities, not giving an effective solution to the issue.

Back to the US authorities´ power to intervene personal data, as stated by the European Court[27], is introduced in the US legislation by section 702 of the FISA (Foreign Intelligence Surveillance Act of 1978) Amendments Acts 2008 and the Executive Order 12333[28]. The first one, for instance, explicitly enables the US government to conduct “targeted surveillance”

of foreign persons located outside the US to get intelligence information. The EO 12333 grants the NSA access to underwater cables on the floor of the Atlantic to collect and retain data flowing to the US before even arriving. Moreover, the fourth amendment of the US Constitution[29], does not cover non-US citizens, creating a scenario in which EU citizens are more vulnerable to these intromissions in their privacy.

In this context, the High Court formulates a series of questions to the ECJ[30] in order to determine if, in short, the privacy rights of EU citizens are jeopardised by the free transference of data of a private company to the US. In the following pages we will analyse the main arguments of the Court responding to these questions focusing on those that might have an effect on European users-consumers of social media.

2. Arguments of the European Court and legal framework applicable to the case 2.1. Applicability of the General Data Protection Regulation (GDPR)

The first important issue is the potential applicability of the European GDPR to cases like the one we are analysing in this paper.

Specifically, articles 2.1 and 2.2 of the Regulation describe the situations in which the Regulation shall not apply. According to article 2.1, the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”. Excluded matters, according to article 2.2., consist of the processing of personal data:

a. in the course of an activity which falls outside the scope of Union law;

b. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

c. by a natural person in the course of a purely personal or household activity;

189

d. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Moreover, article 4.2. defines “processing” in a way that coincides, according to the European Court[31], with transferring data from a member state to a non-member state the way Facebook and other companies do. Indeed, the definition of processing is the following: “operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”. The operation of Meta and Facebook Ireland do no fall either in the exclusion clauses of article 2, so the Court states the applicability of the European Regulation to the case.[32]

The second, and essential questions, refer to the level of protection required by the GDPR to data transfers like the one in question, based on articles 45, 46.1 and 46.2.

Well, the text of article 45 referring to data transfers to third countries establishes that these may only take place “where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection”. Moreover, this article should be read in combination with article 44 that confirms that in international transfers “the level of protection of natural persons guaranteed by this Regulation '' cannot be undermined. In other words, European standards regarding the processing of personal data of EU citizens must always prevail, even when these data are not processed on European soil. With this provision the European legislator provides the EU with a strong legislative instrument to assure privacy for its citizens.

To make sure that these standards are met, the Commission has the sole power to authorise the data transfer when it considers that the third country in question provides “a level of protection essentially equivalent to that which is guaranteed within the European Union[33]”, system that, as we will see, has received some criticism.

At this point, the Charter enters an appearance since its applicability is also in question before the Court and the Court does confirm[34] the applicability of the rights guaranteed by the Charter as a basic principle applicable to situations like the one in question in the present case.

In conclusion, the ECJ considers that cited European provisions regarding personal data processing, that should be “read in the light of the Charter”[35], in third countries can be applied by the referring court to the case.

2.2. Powers of the Data Protection Commissioner and the validity of “Privacy Shield Decision”

and the “SCC”s.