CJEU DECISION PROVIDED IN CASE C-311/18
by Mugurel Olariu, RPD protectie date
On 16 July the Court of Justice of the European Union (hereinafter the CJEU) ruled in Case C-311/18¹, a reference for a preliminary ruling under Article 267 TFEU from the High Court of Ireland, made by decision of 4 May 2018 and received by the Court on 9 May 2018, in proceedings brought by the Data Protection Commissioner against Facebook Ireland Ltd and Maximillian Schrems, in connection with a complaint made by him regarding the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States. The United States of America, the Electronic Privacy Information Center, BSA Business Software Alliance Inc., Digitaleurope, as well as Ireland, the Governments of Belgium, the Czech Republic, Germany, the Netherlands, Austria, Poland, Portugal and the United Kingdom, the European Parliament, the European Commission and the EDPB also took part in the proceedings.
The High Court of Ireland stayed the case and decided to refer no fewer than 11 questions to the EU supranational court, some of them with two options². The reference for a preliminary ruling concerns, in essence:
– interpretation of the first indent of Article 3 (2), Articles 25 and 26 and Article 28 (3) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), interpreted in the light of Article 4 (2) TEU and Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (hereinafter “the Charter”);
– interpretation and validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 (OJ 2010 L 39, p. 5), as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) (hereinafter “the Standard Clauses Decision”), and
– interpretation and validity of Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 under Directive 95/46 on the adequacy of the protection afforded by the EU-US Privacy Shield (OJ 2016 L 207, p. 1) (hereinafter “the Privacy Shield Decision”).
The Decision is particularly important in the field of data protection, as it invalidated Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 under Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield. Please note that, pursuant to the above-mentioned decision, transfers of personal data between the EU and the US can no longer be carried out following the issuance and publication of the CJEU judgment. However, regarding the possibility of making data transfers pursuant to Article 49 of the GDPR, with reference to Article 45 (3) or Article 46, the CJEU considered that:
As to whether the effects of that decision must be maintained in order to avoid creating a legal vacuum (see, to that effect, Borealis Polyolefine and Others, C-191/14, C-192/14, C-295/14, C-389/14 and C-391/14 to C-393/14, EU:C:2016:311, paragraph 106), it should be noted that, whatever the situation, having regard to Article 49 of the GDPR, the annulment of a decision on the adequacy of the level of protection such as the Privacy Shield Decision is not likely to create such a legal vacuum. Thus, that article sets out precisely the conditions under which transfers of personal data to third countries may take place in the absence of a decision on the adequacy of the level of protection in accordance with Article 45 (3) of that Regulation or of appropriate safeguards in accordance with Article 46 of the same Regulation.³
Thus, the CJEU analyzed both the content of the Privacy Shield Decision (which creates the possibility of accessing and storing personal data through surveillance programs of US public authorities for national security, law enforcement and other public interest purposes) and the practical aspects of the appropriate level of protection (non-compliance with the principle of proportionality and the lack of any possibility for data subjects to bring legal proceedings before an independent and impartial court in order to have access to personal data concerning them or to obtain rectification or deletion of such data), which it considered inappropriate from the perspective of the GDPR and the EU Charter of Fundamental Rights. Here are some of the decisive considerations of the CJEU judgment on the two issues:
Regarding the content of the Privacy Shield Decision:
In view of its general nature, the derogation in point I.5. of Annex II to the Privacy Shield Decision thus makes possible interference, based on national security and public interest requirements or US domestic law, in the fundamental rights of persons whose personal data are or may be transferred from the Union to the United States (see by analogy with regard to Decision 2000/520, Case C-362/14 Schrems, paragraph 87). More specifically, and as stated in the Privacy Shield Decision, such interference may result from access to personal data transferred from the Union to the United States and from the use of such data by US public authorities in the PRISM and UPSTREAM surveillance programs under Section 702 of the FISA and E.O. 12333. In this context, the Commission assessed, in recitals (67) to (135) of the Privacy Shield Decision, the limitations and safeguards available in US law, in particular in Section 702 of the FISA, E.O. 12333 and PPD-28, regarding access to and use of personal data transferred under the European Union-United States Privacy Shield by US public authorities for national security purposes, law enforcement and other purposes of public interest.⁴
Regarding the finding on the appropriate level of protection:
It follows that neither Section 702 of the FISA nor E.O. 12333 in conjunction with PPD-28 complies with the minimum requirements relating to the principle of proportionality in European Union law, so that surveillance programs based on these provisions cannot be considered to be limited to what is strictly necessary. In these circumstances, the limitations on the protection of personal data arising from the United States’ domestic rules on access to and use by US public authorities of such data transferred from the Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in such a way as to fulfill requirements essentially equivalent to those laid down in Union law in the second sentence of Article 52 (1) of the Charter.⁵
According to settled case-law, the very existence of effective judicial review designed to ensure compliance with the provisions of European Union law is inherent in the existence of the rule of law. Thus, a regulation which does not provide for any possibility for the litigant to exercise legal remedies in order to have access to personal data concerning him or to obtain rectification or erasure of such data does not respect the substance of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter (Judgment of 6 October 2015, Schrems, C-362/14, EU:C:2015:650, paragraph 95 and the case law cited). To that end, Article 45 (2) (a) of the GDPR requires the Commission, in its assessment of the adequacy of the level of protection provided by a third country, to take particular account of “effective administrative and judicial redress for the data subjects whose personal data are transferred”. Recital 104 of the GDPR emphasizes in this regard that the third country “should ensure effective independent data protection supervision and provide for mechanisms for cooperation with the data protection authorities of the Member States” and states that “data subjects should enjoy effective and enforceable rights and effective redress in administrative and judicial proceedings.”⁶
Furthermore, as regards both the surveillance programs based on Section 702 of the FISA and those based on E.O. 12333, it was stated in paragraphs 181 and 182 of this judgment that neither PPD-28 nor E.O. 12333 confers on the persons concerned rights enforceable against the United States authorities before the courts, so that those persons do not have a right to an effective remedy.⁷ Consequently, the Ombudsman mechanism provided for in the Privacy Shield Decision does not provide an appeal to a body which provides persons whose data are transferred to the United States with guarantees essentially equivalent to those provided for in Article 47 of the Charter.⁸
Therefore, by finding in Article 1 (1) of the Privacy Shield Decision that the United States guarantees an adequate level of protection of personal data transferred from the Union to organizations in that third country under the European Union-United States Privacy Shield, the Commission infringed the requirements of Article 45 (1) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter. It follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45 (1) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, and that it is therefore invalid. Since Article 1 of the Privacy Shield Decision is inseparable from Articles 2 to 6 and its Annexes, its invalidity has the effect of affecting the validity of that Decision as a whole. In the light of all the foregoing considerations, it must be held that the Privacy Shield Decision is invalid.⁹
At European level, the EDPB adopted, on 17 July 2020, a Declaration on the Decision under consideration¹⁰ and, on 23 July 2020, a number of clarifications in the form of 12 possible Frequently Asked Questions¹¹.
Naturally, at national level too, ANSPDCP announced the CJEU Decision presented here on 20 July 2020¹², and on 28 July 2020 the EDPB document on Frequently Asked Questions was taken over and translated into Romanian¹³.
1 See at http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=RO&mode=lst&dir=&occ=first&part=1&cid=10304093
2 For the full form, see recital 68 of the judgment.
3 Recital 202 of the judgment.
4 Recitals 165 and 166 to the judgment.
5 Recitals 184 and 185 to the judgment.
6 Recitals 187 and 188 to the judgment.
7 Recital 192 of the judgment.
8 Recital 197 of the judgment.
9 Recitals 198-202 to the judgment.
10 See at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_20200717_cjeujudgmentc-311_18_en.pdf
11 See at https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf
12 See at https://www.dataprotection.ro/?page=Comunicat_20_07_20&lang=ro
13 See at https://www.dataprotection.ro/servlet/ViewDocument?id=1931