Warning… I am about to write a blog post about Standard Contract Clauses. This may be tedious for some, and it will be a long read, so I am interweaving it with selected lyrics from the Rocky Horror Picture Show.

[Updated 2019/07/10 to include reference to Facebook’s appeal against ICO]
It’s just a step to the left…. and then a circuitous path via the Commercial Division of the High Court for a referral to the CJEU.
I’ve been critical of the Data Protection Commission in the past regarding their strategy in taking a case against Facebook and Max Schrems to the Commercial Court simply to get an Article 267 referral to the CJEU. To summarise my previous criticisms: “It’s the most expensive court in the land, why drag everyone there just because the word ‘contract’ is in the subject line of the email?”
However, today we arrived at the CJEU for the hearings into the status of Standard Contract Clauses.
Put your hands on your hips…. and read the questions filed.
To understand what is to be determined here, it’s important to look at the original questions that were posed by the Irish High Court to the CJEU, as these are the points of law that the DPC wants clarified by the referral (and there are 13 of them approx, and I’m paraphrasing some of them slightly – you can find the originals here).
- What is the benchmark to apply when data is transferred outside the EU/EEA and there may be secondary processing for national security purposes? Is it the Charter of Fundamental Rights, EU Treaty obligations, Directive 95/46/EC, or the European Charter of Human Rights? Or is the correct benchmark the legislation in a Member State? This is an important question to help ensure that decisions taken are taken in a consistent way, and it would avoid fragmentation of SCC application by setting a benchmark no matter what the answers to the other questions might be.
- If we’re using national laws as the benchmark, do we need to consider the domestic national security practices and frameworks in that Member State? Again, this is an important question from a standardisation and consistency perspective as there can be a lot of variation even within the EU on oversight of intelligence agencies.
- When assessing the equivalence of protection in the 3rd country to EU law, should the assessment be based on local laws and/or treaty obligations and any associated governance regime, or should the assessment also consider “such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country”? From a consistency perspective this is a good question to ask as it frames any assessment decision and ensures consistency between decisions. This, in turn, ensures that Regulators can execute their functions with fair and transparent processes.
- Given the facts found by the Irish High Court, does the use of SCC to transfer data to the US from the EU violate an individual’s rights under Article 7 and/or Article 8 of the Charter? Pretty direct, no need to elaborate on this one.. but remember Question 1 about whether the Charter is the appropriate benchmark…
- Given the facts found by the Irish High Court (and bear in mind that at the time of the High Court ruling, the State Dept still had a “Help Wanted” advert out for the Independent Ombudsman role), does the level of protection in the US respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter? Again, this is probing the standards and level of protection that need to be considered and has its roots in the 2015 Schrems case ruling which sought “equivalence” of protections.
- If the benchmark for equivalence is local laws, are the limitations imposed on rights to judicial remedies in the context of US National Security proportionate and not excessive, with reference to Article 52 of the European Charter of Fundamental Rights? Here we’re back to testing the scope of the decision making that can be done and ensuring a structured and transparent test can be applied consistently.
- What is the level of protection required to be afforded in a 3rd Country when SCC’s (which are a Commission Decision) are being relied on, particularly when read in conjunction with the Charter? Another prudent question seeking clarification on what is the test to be applied when assessing effectiveness/appropriateness of SCCs.
- What matters should be taken into account when assessing whether the level of protection afforded to data transferred to a third country under the SCC Decision satisfies the requirements of the Directive and the Charter? Again, another prudent question if one is trying to establish a procedural base for taking action in the future. It pays to have the checklist of things you need to be thinking about written down. And it’s doubly good if it’s been written down by the CJEU.
- [This is a verbatim quote as it’s a doozy of a question]. “Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive?” This simply asks what I’ve been asking for a couple of years. Given that the SCC’s require the importing party to attest that there are no local laws or other restrictions that would reduce the level of protection to personal data transferred, and given that there often are such laws (e.g. FISA etc. in US), doesn’t that make the whole thing a bit of a chocolate teapot? A sensible question to ask the Court to give a statement of the bleedin’ obvious on in my view.
- This question basically asks: “If a Supervisory Authority determines that the application of SCCs might be invalid for some reason, can they suspend data flows, are they limited to suspending only in exceptional circumstances, or can they just let things slide?” This is a key question in relation to testing the actual scope of a Supervisory Authority’s powers, bearing in mind that pre Safe Harbor case many commentators were of the view that the DPC had the power to act unilaterally on Safe Harbor, but the CJEU was clear that a Commission decision was something only the CJEU could over-rule. This is inviting the Court to clarify that point further. Again, a prudent thing to do.
- Does the Privacy Shield ruling have general application and does it bind Supervisory authorities, and if it doesn’t, what relevance does it have in making an assessment in respect of Standard Contract Clauses? Again, this is a question that is nudging for the test to apply, and also asking for clarification on whether the different mechanisms for transfer are silo’d from each other or are tied at the waist. The answer to this would inevitably have a bearing on the decision making process in respect of any suspension of transfers…
- Does the US Ombudsman introduced under Privacy Shield provide a remedy to affected Data Subjects that is compatible with their right to a judicial decision under Article 47 of the Charter? Another question that would affect the consistency of decision making. The DPC here has asked whether an ombudsman would be considered equivalent to a judge or a court setting in the context of remedial action in the event of rights being infringed. This boils down to: What teeth does the Ombudsman have and are they meaningful enough?
- [A very blunt one to end] Does the SCC Decision violate Articles 7, 8 and/or 47 of the Charter? Arguably, DPC here is front-loading exactly the question that would be asked if she unilaterally suspended processing under SCC’s, and it’s a question that ONLY the CJEU can answer as a result of the Schrems I case. If they answer “Yes” to this… the ball is back in the Commission’s court to fix a problem essentially of their creation.
It’s noteworthy that one of the points of dispute between the parties when the case was at the High Court was whether there was a systemic issue relating to all transfer mechanisms to be considered (DPC’s position), whether a targeted prohibition for one company to one country was appropriate (the Schrems position), or whether everyone should just go home and forget the whole thing (a paraphrase of the Facebook position). The questions filed are aimed at determining the scope of those issues and what the role and powers of the DPC actually are in this context.
When you look at them through that lens, and consider the requirement for Irish public bodies to adopt fair and consistent procedures in decision making, and add in the decision of the CJEU in Schrems about their role in the decision making about EU Commission decisions, what we have here is a set of questions that are seeking clarification about where on that spectrum the DPC (and all supervisory authorities) need to sit.
- Are the SCC’s in violation of the Charter? (if so, CJEU decides that and overturns, per Schrems)
- Does the current existence of Privacy Shield prejudge things for SCC’s to US? (in which case…)
- If it is in the remit of a Supervisory Authority to decide to suspend transfers:
  - What are the benchmarks that need to be applied to that decision making (for consistency etc.)?
  - What limits (if any) can be applied to that power?
  - What level of discretion can be applied (is a blind eye possible?)
  - What procedural steps need to be determined?
  - What other considerations need to be reviewed and assessed?
  - What’s the national security oversight standard that is expected?
So… if it’s massively systemic, can we pass this to the CJEU to decide? If it’s not systemic and the DPC has to decide themselves, what are the procedural aspects of that decision that need to be addressed to ensure a fair and transparent process and avoid an embarrassing (and expensive) judicial review that will likely trigger a referral with EXACTLY THESE QUESTIONS IF THEY’RE NOT ASKED NOW?
Then it’s the verbal submissions… that really drive you insane….
So today, we got the verbal submissions. They included (and I’m summarising here in places – @laukaya was livetweeting most of the session today for Politico so is worth a look):
- “National Security is outside scope of EU law so this is all moot” – (in the voice of Joss Ackland’s character in Lethal Weapon 2: “diplomatic immunity…”) – but note that the DPC’s questions re: Nat Sec related to the oversight provisions where national security impinges on the private citizen.
- “We need to keep Privacy Shield out of this discussion” (you can’t.. it’s literally one of the questions whether you can or not, and the judge made that clear today).
- “SCCs are an important backstop” (according to the UK, with no apparent sense of irony in the context of a case involving data transfers across borders to third countries).
- “Privacy Shield is a special Adequacy Decision because it doesn’t say US offers a similar level of protection” (that one is from the European Commission and could come back to bite them)
There were also quite a lot of submissions to the effect that the DPC should have just pulled the trigger and suspended SCC’s for just Facebook, or for just the US.
However, when we look back at the questions, it should be clear that what is being sought here is the baseline test for doing just that in a common law legal system with voluminous case law on decision making in public bodies (and also it should be clear that the DPC is also hedging that the decision would be taken out of their hands – perhaps to their relief). Because SCC’s are a Commission decision, the DPC is, one could argue, being prudent by pre-checking the parameters to be applied to their decision making rather than adopting the old adage of: “READY!!, FIRE!!, AIM!!”
Interesting, and not picked up on in the live tweeting, was a reference by the reporting judge to the Schrems decision in 2015 in the context of whether the DPC needed to make this referral at all. The judge, I am told, expressed a view that paragraph 65 of the Schrems judgement was clear that proceedings at national court level should be entered into if they had concerns about compatibility of Commission decisions with the Charter etc, and that a referral to CJEU was appropriate if the national court shared the Supervisory Authority’s concerns.
Let’s do the TIMEWARP again!!!!
We’re all back in December for the Advocate General’s report. So SCCs are still good for Brexit in October.
Simon McGarr (@tupp_ed on Twitter) has posted some musings based on his direct experience of the Court in the 2015 Schrems case and the arguments that were put forward then. He thinks it worth reminding ourselves of the arguments against striking down Safe Harbor as their genetic offspring were trotted out today.
We’re seeing people predicting the fall of civilisation as we know it if the DPC prevails (as we had with the Schrems Safe Harbor case).
But the DPC prevailing in this context covers the spectrum of possible outcomes set out by the various parties who have made submissions. “Prevailing” means either the decision becomes the CJEU’s (a fundamental question of compatibility of a Commission Decision with EU law as per the Schrems case), or the DPC has the procedural template for consistent local decisions by Supervisory Authorities, including their own office, which helps ensure an appropriate targeting of decision making in a manner which will be locally defensible against judicial review or appeal because the parameters of the decision will have been pre-defined.
Civilisation may fall, but it may fall gracefully.

[updated 2019/07/10]
We learn today that the preliminary issue hearing in relation to Facebook’s appeal against the ICO’s headline-grabbing £500,000 fine has been decided, and the judge held that there were grounds for an appeal to proceed on the basis of possible issues with the process by which the enforcement action was arrived at. The ruling can be found here. Strangely, I’m not seeing the media hordes descending on this one (yet).