European Court of Justice (Grand Chamber): Striking a blow on companies dependent upon the transfer of data between Europe and the US via the Privacy Shield Decision, the Court held that Privacy Shield Decision does not provide adequate data protection of European citizens from US surveillance activities. It was further observed that the Privacy Shield Decision is incompatible with Art. 45(1) of the General Data Protection Regulation (GDPR) read in the light of Arts. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and is therefore invalid. Further examining the European Commission Decision 2010/87/EU dated 05-02-2010 on ‘standard contractual clauses’ (SCCs) for the transfer of personal data to processors established in third countries, the Court agreed with the Opinion delivered on the instant matter by the CJEU Advocate General on 19-12-2019 wherein it was stated that the SCCs offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Art. 26(2) of Directive 95/46/EC of the European Parliament and the Council.
As per the facts, any person residing in the European Union, who wishes to use Facebook is required to conclude, (at the time of registration) a contract with Facebook Ireland, a subsidiary of Facebook Inc., established in the United States. Some or all of the personal data of Facebook Ireland’s users residing in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Max Schrems, an Austrian Facebook user since 2008, filed a complaint with the Commissioner whereby he requested that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. Mr Schrems claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
Perusing the background of the case, the Court compared the legal mechanism of data protection vis-à-vis surveillance as prevalent in US and European Union. It was found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, as assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law under Art. 52(1) of the Charter of Fundamental Rights of the European Union. It was further observed that US Government accepted that Presidential Policy Directive-28 (which imposes a number of limitations for “signals intelligence” operations and has binding force for U.S. intelligence authorities, and if particular relevance for EU data subjects) does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in Art. 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. [Data Protection Commissioner v. Facebook, Ireland Ltd., C-311/18, decided on 16-07-2020]