A few words about the “Schrems I and II” case and the way the Court of Justice of the European Union has dealt with it in terms of the “safe harbor” status established between the EU and the US as far as the processing and transfer of data for commercial purposes is concerned.
First things first: the General Data Protection Regulation (GDPR) provides for the transfer of personal data to a third country as long as the third country meets the necessary criteria in terms of the protection of such data. It is therefore for the EU Commission to rule whether the third country meets such criteria by, in essence, going through the third country’s legislation and the initiatives it has undertaken on an international level. If there is no such thing in place, i.e. neither respective legislation nor international agreements of any sort, a transfer of personal data can take place only if the exporter of the data provides guarantees founded on standard data protection clauses as issued by the Commission, and on condition that the data subjects retain enforceable rights and effective measures of legal protection. In addition, where there is neither a relevant decision in place nor any sufficient guarantees, it is only for the GDPR to set the exact terms of such a transfer.
Maximilian Schrems, an Austrian national and resident of Austria, had been a Facebook user since 2008. His personal data had been transferred from Facebook Ireland to Facebook Inc., where it underwent the relevant and usual processing, the same way this has been happening for all of us Facebook users out there. Mr. Schrems lodged a petition against the Irish Data Protection Authority asking, in essence, for all such transfers to cease. He presented a case according to which the legislation and the practices of the US are not sufficient to offer enough protection against all those US public authorities that seem to have access to all the personal data transferred to the country. The petition was found unsubstantiated on the grounds that the EU Commission had concluded in decision 2000/520, also known as the “safe harbor” decision, that the US could ensure an effective protection environment. However, on October 6, 2015, following a question referred for a preliminary ruling by the High Court of Ireland, the Court of Justice of the European Union published a decision finding the contested Commission decision invalid.
As a follow-up to the aforementioned developments, the Irish Data Protection Authority called on Mr. Schrems to re-lodge his petition, given that decision 2000/520 had by then been found invalid. In his new petition Mr. Schrems stated that the US had not been able to offer sufficient protection for the data transferred there. He therefore asked for a postponement or, even more, a cancellation of such transfers undertaken by Facebook Ireland, which were primarily founded on the annex of the iconic decision 2010/87. The Irish DP Authority was thus prompted to also re-examine the status of decision 2010/87, and as a result it brought a case before the High Court of Ireland in order for the latter to refer a question for a preliminary ruling. While this whole thing was underway, the EU Commission issued decision 2016/1250 with regard to the extent of protection that the so-called “shield of protection” forged between the EU and the US offered to their respective nationals.
The High Court of Ireland posed the “million-dollar” question to the Court of Justice of the European Union, i.e. whether the preconditions set by the clauses described in decision 2010/87 meet the criteria laid down by the GDPR in the EU with regard to the protection status that has to be guaranteed when a personal data transfer is to take place, and the obligations that need to be met by the relevant control authorities on each side of the Atlantic. In addition, the High Court of Ireland posed the question of the actual validity of both decisions, i.e. 2010/87 and 2016/1250.
The Court of Justice of the European Union had no option but to provide a solid response: decision 2010/87, which was under thorough and scientific investigation, was to be recognized as utterly and unconditionally valid, especially under the prism of the Charter of Fundamental Rights of the European Union, whereas decision 2016/1250 had to be considered completely invalid.
In a nutshell, the Court of Justice of the EU argued that the GDPR applies whenever personal data is transferred for commercial purposes from an actor situated in an EU country to another actor situated in a third country such as the US, regardless of whether that data is to undergo processing by state authorities for reasons of public safety or national security; such processing is also to be taken very seriously and not to be excluded from the GDPR as such. According to that same line of reasoning, there have to be standard protection clauses agreed and signed between the EU countries and the third country in question that will literally guarantee that all necessary provisions described in the GDPR are in effect and contribute to the application of the necessary safety guarantees, enforceable rights and effective means of protection for personal data, as described in the EU GDPR.
On top of all that, the Court of Justice of the EU made it clear that it is not only a matter of agreed-upon clauses, terms and conditions; an evaluation of a wider extent also has to take place, in which further details come under scrutiny with regard to the way the public authorities of the state work and, in general, how the legal system as a whole works.
In particular, it is crucial to see how the controlling authorities operate, the way they impose their fines and penalties, the way they have been taking into consideration the relevant clauses regarding data protection, and, in relation to what is actually at stake here, how the data exporters situated in the EU manage their business by properly (or not) safeguarding all transferable data when such transfers take place.
The Court of Justice of the EU concluded that decision 2010/87 does indeed provide for such mechanisms while also offering an appropriate theoretical backbone. However, in terms of decision 2016/1250 and the way it has been ensuring respect for private and family life, the protection of personal data and the right to effective judicial protection, the Court made the following distinction:
It is well established that all issues closely related to national security, public interest and law compliance have been deemed significant enough that all deviations from fundamental personal rights can be justified when data has already been transferred to a third jurisdiction.
However, it has admittedly been argued that the checks and balances provided for in US legislation when a US authority gets access to data transferred from the EU, and the way this data is treated by such an authority, have not been sufficient, and thus are not of the same caliber as those provided for by EU legal standards. In that sense, the Court of Justice of the EU underlined the fact that the rights recognized both to US nationals and to EU nationals are not enforceable in a way that could practically be brought forward in a judicial case before any court of law in the US, while the very nature of decision 2016/1250 does not provide any proper legal tool or justification of a kind that the EU can and should rely upon; in particular, in terms of mediation, neither the framework nor the people backing it up seem to be independent enough for the US Intelligence Services to be properly guided and monitored in the way they make use of personal data. It is for all those reasons that the Court of Justice of the EU has declared decision 2016/1250 invalid.