After the Schrems case: Validity of EU – US transfers of personal data on alternative grounds to the Safe Harbor


Academic year: 2021


Sam Meijer

Thesis submitted for the Master of Laws degree (LLM) in Information Law
Supervised by Dr. Kristina Irion

University of Amsterdam Institute for Information Law


Preface

The Schrems judgment is another episode in a string of landmark European privacy cases. In April 2014 the CJEU struck down the Data Retention Directive, which mandated the mass retention of personal telecommunications data. A month later, in the Google Spain case, the CJEU affirmed the right to have personal data delisted from search engine results on request. The Schrems judgment of October 2015 invalidated an important legal basis for personal data transfers to the US.

These cases follow the decade of the 2000s, which was characterized both by enormous growth in economic globalization through online communication and by a series of terrorist attacks against civilian populations. In the context of internet globalization, personal data is sometimes called the new oil. The vast amounts of personal data disseminated online are valuable if exploited correctly. Besides commercial exploitation, data is also a valuable asset for intelligence services in pinpointing terrorists and other (potential) wrongdoers. In light of these current events, privacy campaigners emphasize data protection as a right that is more than ever deserving of protection. Regulatory approaches to data protection are highly fragmented: some jurisdictions protect privacy as a fundamental right, while others have adopted no privacy laws at all.

This study focuses on the compliance with EU data protection law of the legal tools that facilitate transfers of personal data from the EU to the US. The impact on international trade is substantial, and the recent Schrems case is especially interesting because of the gap between EU and US viewpoints on privacy. It must be kept in mind that the challenges addressed in this thesis do not apply uniquely to the US; the issues are at least as strong with other top trading partners of the EU such as China and Russia. I will try neither to oppose nor to favor either view, but to analyze objectively the legal landscape as it currently stands. The question of where the line will be drawn between economic benefits, the urgency of surveillance and the dangers to personal privacy is one for the decades to come.

Sam Meijer


Table of Contents

Abbreviations
1. Introduction
1.1. Background
1.1.1. International trade and transborder flows of personal data
1.1.2. Divergence of EU and US privacy attitudes
1.1.3. Invalidation of the Safe Harbor decision
1.2. Research question
2. Application of EU data protection law
2.1. Fundamental rights to privacy and data protection
2.2. Introduction to the Data Protection Directive
2.3. Transatlantic transfers of personal data under the Data Protection Directive
2.3.1. Free flow of data between Member States
2.3.2. Transfer to third countries with adequate level of protection
2.3.2.1. Adequacy decisions
2.3.3. Transfer to third countries without adequate level of protection
2.3.3.1. Consent
2.3.3.2. Contract performance
2.3.3.3. Contractual clauses
2.3.3.4. Binding corporate rules
3. The Schrems ruling
3.1. EU – US Safe Harbor
3.2. Facts of the case
3.3. Complete independence of DPAs
3.4. Invalidating the Safe Harbor
3.4.1. The system of self-certification
3.4.2. Essence of the fundamental right to respect for private life compromised
3.4.3. Essence of the fundamental right to effective judicial protection compromised
4. Validity of transatlantic data transfer mechanisms alternative to the Safe Harbor under EU data protection law in light of the Schrems case
4.1. Consent
4.2. Contract performance
4.3. Contractual clauses
4.4. Binding corporate rules
5. Regulatory developments
5.1. The General Data Protection Regulation
5.1.1. Article 48 of the General Data Protection Regulation
5.2. EU – US Privacy Shield
Conclusions

Abbreviations

BCRs: Binding corporate rules
Charter: Charter of Fundamental Rights of the European Union
CJEU: Court of Justice of the European Union
CoE: Council of Europe
Commission: European Commission
DoC: Department of Commerce
DPA: Data protection authority
DPD: Data Protection Directive (Directive 95/46/EC)
ECHR: European Convention on Human Rights
ECtHR: European Court of Human Rights
EEA: European Economic Area
EU: European Union
FISA: Foreign Intelligence Surveillance Act
FTC: Federal Trade Commission
GDPR: General Data Protection Regulation
PPD-28: Presidential Policy Directive 28
SCCs: Standard contractual clauses
TFEU: Treaty on the Functioning of the European Union
UK: United Kingdom
US: United States

1. Introduction

1.1. Background

On 6 October 2015, the Court of Justice of the European Union (CJEU) invalidated the adequacy decision of the European Commission (Commission) regarding the Safe Harbor agreement, which provided a legal basis for transfers of personal data from the European Union (EU) to the United States (US).1 This case undeniably impacts the broader legal system in place for transatlantic personal data transfers in the digital era. The context of international trade and the differences in data protection laws will first be introduced in order to present the research question for this thesis.

1.1.1. International trade and transborder flows of personal data

The 21st century is defined by the rise of a global economy involving enormous flows of data. From 2005 to 2014, global flows of data grew 45-fold.2 These global flows of data underpin and enable virtually all global trade.3 Although no figures are available, it is clear that the exchange of highly regulated personal data is central in this modern information-driven market.4 When transferring personal data across borders, companies may encounter various privacy and data protection laws. This can be challenging when data are transferred from the EU to the US because there is a regulatory gap between the two regions. Regulatory barriers have to be minimized in order to maximize transatlantic commerce, but the level of protection of personal data required by fundamental rights may never be undermined.

1.1.2. Divergence of EU and US privacy attitudes

European data protection laws are fundamentally different from those in the US. The European approach regards privacy as a fundamental human right, whereas the US approach to privacy is better described as market-based. In the EU, the fundamental rights to private and family life, home, communication and personal data are enshrined in the European Convention on Human Rights of 1950 (ECHR) and in the Charter of Fundamental Rights of the European Union of 2000 (Charter).5 The US Constitution does not recognize a general fundamental right to privacy or personal data. The Fourth Amendment protects against unreasonable searches and seizures, but generally fails to protect individuals against government surveillance because of the third-party doctrine, which limits the protection of the Fourth Amendment when information is held by third parties.6

1 CJEU 6 October 2015, C-362/14 (Maximilian Schrems v Data Protection Commissioner).

2 McKinsey Global Institute, ‘Digital Globalization: The New Era of Global Flows’, March 2016, Exhibit E2, page 4.

3 Ibid. For example, container ships still move products to markets around the world, but now consumers order them online, track their movement using RFID codes, and pay for them via digital transactions.

4 Neal Cohen, ‘The Privacy Follies: A Look Back at the CJEU’s Invalidation of the EU/US Safe Harbor

The different conceptual approaches to fundamental rights are clearly visible in the adopted regulations. The primary EU instrument on data protection is the Data Protection Directive 95/46/EC (DPD), which harmonizes data protection laws in the Member States. Pursuant to Article 1, the DPD has a dual objective. One objective is that Member States shall protect the fundamental rights of natural persons – “in particular their rights to privacy with respect to the processing of their personal data”7 – and the other is the free movement of personal data between Member States.8 In contrast to the overarching DPD, US information privacy law is characterized by a sector-by-sector approach,9 regulating privacy in certain sectors such as health and credit. There is no general comprehensive federal data protection law in the US. Data protection in the US is commonly regulated by individual states, but the level of protection is far below that guaranteed by the DPD in the EU.

These different approaches to privacy have led scholars to contend that there are two western cultures of privacy: one of dignity (in the EU) and one of liberty (in the US).10 The divergence on privacy and data protection between the EU and the US can be unfavorable for establishing effective data flows between them. In the absence of universal standards, it can be challenging for the EU and the US to negotiate legal systems that respect the norms on both sides of the Atlantic.

5 These fundamental rights will be discussed in paragraph 2.1.

6 Joris Van Hoboken, Axel Arnbak & Nico Van Eijk, ‘Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act’ (2012), Research Paper, page 12.

7 Article 1(1) of the DPD.

8 Article 1(2) of the DPD.

9 Paul Schwartz, ‘The EU-US Privacy Collision: A Turn to Institutions and Procedures’ (2013), Vol. 126, Harvard Law Review, page 1974.

10 Articulated by James Whitman in ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004), Vol. 113, Yale Law Journal. See also David Cole & Federico Fabbrini, ‘Bridging the transatlantic divide? The United States, the European Union, and the protection of privacy across borders’ (2016), Vol. 14, International Journal of Constitutional Law, page 221.

1.1.3. Invalidation of the Safe Harbor decision

EU data protection law prohibits transfers of personal data to countries outside the EU by default, unless one of the limited legal mechanisms provided by the DPD is implemented.11 This is another firm distinction between EU and US legislation: the US does not limit data exports to other countries whatsoever.12 One of these mechanisms was the EU – US Safe Harbor agreement, which was concluded between the Commission and the US Department of Commerce (DoC) in 2000 to facilitate transfers to the US.13 The Commission issued an adequacy finding recognizing that adequate protection was provided by the Safe Harbor agreement.14 The validity of the Safe Harbor framework was called into question before the CJEU in the Schrems case. The CJEU declared the adequacy decision of the Commission invalid with immediate effect on 6 October 2015.15 Any transfer of personal data to the US based on the Safe Harbor is now unlawful. Over 5,500 US companies had been certified under the Safe Harbor framework, including some of the world’s leading internet corporations such as Facebook, Apple, Google, Microsoft and Amazon.16 Many of these companies are still using the Safe Harbor to transfer personal data to the US, and some have still not implemented an alternative transfer mechanism.17 In June 2016, the first fines for unlawfully transferring personal data from the EU to the US on the basis of the Safe Harbor framework were issued by the privacy regulator in Hamburg, Germany.18

11 Recital 57 of the DPD. The legal mechanisms are provided for in Articles 25 and 26 of the DPD. They will each be discussed individually in the second chapter of this thesis.

12 Paul Schwartz, ‘The EU-US Privacy Collision: A Turn to Institutions and Procedures’ (2013), Vol. 126, Harvard Law Review, page 1977.

13 Safe Harbor privacy principles of 21 July 2000.

14 European Commission, ‘Decision on the adequacy of the protection provided by the safe harbour privacy principles’ (C(2000) 2441), 26 July 2000.

15 The Schrems case will be discussed in more detail in the third chapter of this thesis.

16 See the US – EU Safe Harbor List maintained by the US Department of Commerce, available via: https://safeharbor.export.gov/list.aspx.

17 See for example the TRUSTe research showing that 78% of the 248 researched companies still relied on the Safe Harbor and 53% were also using Model Contract Clauses in December 2015, available via: http://www.truste.com/blog/2016/01/11/majority-companies-still-holding-safe-harbor-2-0/.

18 Hamburg Commissioner for Data Protection and Freedom of Information, ‘Press release – Inadmissible

Alternative mechanisms for transferring personal data to the US under EU data protection law are contractual clauses, binding corporate rules (BCRs), consent and contract performance. As these mechanisms were outside the scope of the Schrems dispute, they remain formally lawful. Taking into account the findings of the CJEU, it is desirable to review the validity of the alternative transfer mechanisms. Compliance is ultimately assessed by the data protection authorities (DPAs) of the Member States. For the time being, the Article 29 Working Party (WP29) – an advisory body that brings together representatives of the DPAs19 – and the Commission have confirmed that companies may continue to rely on alternative transfer mechanisms, namely standard contractual clauses (SCCs) and BCRs.20 Opinions are divided on whether the alternative transfer mechanisms comply with EU data protection law after the Schrems decision.21 The Irish DPA has already announced its intention to bring the SCCs before the CJEU next.22

1.2. Research question

The CJEU has invalidated the EU - US Safe Harbor which was adopted under Article 25 of the DPD because it compromised fundamental rights guaranteed by the Charter. Article 26 of the DPD lays down other legal mechanisms which can be used to transfer personal data from the EU to the US. The validity of Article 26 was not challenged in the Schrems case. This thesis will answer the following central research question:

19 Article 29 of the DPD.

20 WP29, ‘Statement of the Article 29 Working Party’, 16 October 2015. European Commission, ‘Communication on the Transfer of Personal Data from the EU to the US following the Schrems Judgment’ (COM(2015) 566 final), 6 November 2015.

21 See for example the position paper of the ULD (a German DPA) and the German article by Fabian Schuster and Sven Hunzinger, both concluding that data transfers on the basis of alternative mechanisms are no longer permitted, versus the opinion of Lokke Moerel, concluding that the Schrems decision has no impact on the lawfulness of the alternative mechanisms. ULD, ‘Position Paper on the Judgment of the Court of Justice of the European Union of 6 October 2015’, 14 October 2015. Fabian Schuster & Sven Hunzinger (in German), ‘Zulässigkeit von Datenübertragungen in die USA nach dem Safe-Harbor-Urteil’ (2015), Vol. 12, Computer und Recht. Lokke Moerel, ‘An assessment of the impact of the Schrems judgment on the data transfer grounds available under EU data protection law for data transfers to the US’ (2016), Memorandum.

22 Office of the Irish Data Protection Commissioner, ‘Statement by the Office of the Data Protection Commissioner in respect of application for Declaratory Relief in the Irish High Court and Referral to the CJEU’, 25 May 2016.


“Can the alternative mechanisms for personal data transfers from the EU to the US provided for in Article 26 of the DPD, after the Schrems case, be considered to comply with the Charter?”

The research question is divided into the following three sub-questions, which will be discussed in the second, third and fourth chapters respectively:

- How does EU data protection law apply to personal data transfers from the EU to the US?
- What did the CJEU decide in the Schrems case and how is this ruling relevant for the validity of the alternative mechanisms for personal data transfers from the EU to the US?
- Can the alternative mechanisms be considered to comply with EU data protection law after the Schrems case?

The fifth chapter will discuss the regulatory developments that occurred during the writing of this thesis. These developments are of lesser importance for answering the research question in light of the current legal situation, but they may shape how the legal challenges of this hot topic play out in the longer run. The thesis closes with a conclusion.


2. Application of EU data protection law

2.1. Fundamental rights to privacy and data protection

The fundamental right to protection of private life is protected in the ECHR, in the Charter and in the national constitutions of the Member States. The ECtHR is an established guardian of the rights to privacy and data protection,23 but since the Charter, the EU's own catalogue of fundamental rights, became legally binding, the CJEU has also become strongly involved with these fundamental rights, as illustrated by the data retention case,24 the right to be forgotten case25 and the Schrems case. The Charter protects the right to respect for private and family life, home and communications,26 and the right to protection of personal data.27 EU law, such as the DPD, can be reviewed against the fundamental rights protected by the Charter through preliminary ruling proceedings before the CJEU. The interpretation given by the CJEU ensures the uniform application of EU law in the Member States.

2.2. Introduction to the Data Protection Directive

The DPD is the principal legal instrument on data protection in the EU. The general principles of data protection law in the EU are harmonized by the DPD. The provisions of the DPD give substance to the right to protection of private life and must be interpreted in the light of fundamental rights.28 The DPD is binding on the Member States of the EU and on the EEA countries (Iceland, Liechtenstein and Norway).29 All Member States have implemented the provisions of the DPD in their national legislation in order to provide a minimum level of data protection throughout the EU. The DPD regulates the processing of personal data.30 ‘Personal data’ is a broad concept that is defined in the DPD as “any information relating to an identified or identifiable natural person”.31 ‘Processing’ is also broadly defined to include any operation which is performed upon personal data, including processing by automatic means.32 ‘Data transfer’ is not defined in the DPD, but a transfer of personal data from one location to another is commonly considered to qualify as a kind of processing, in particular when the personal data are transferred on a large scale and for business purposes.33 Data transfers can for example take place between different companies or between subsidiaries of the same company, and within a Member State, between Member States or between a Member State and a third country. A data transfer from a Member State to the US, either between companies or within a corporate group, constitutes ‘processing’ and is only in accordance with the DPD when there is a legal basis.

23 See the factsheet on personal data protection of the ECtHR of April 2016 for an overview of the many cases on personal data protection, concerning for example DNA information and fingerprints, GPS data, health data, interception of communications, phone tapping and secret surveillance. Available via: http://www.echr.coe.int/Documents/FS_Data_ENG.pdf

24 CJEU 8 April 2014, C-293/12 and C-594/12 (Digital Rights Ireland).

25 CJEU 14 May 2014, C-131/12 (Google Spain).

26 Article 7 of the Charter.

27 Article 8 of the Charter.

28 CJEU 20 May 2003, C-465/00 (Rechnungshof), paras. 68-69.

29 Further references to the EU or its Member States should be understood also to concern the EEA countries.

On 14 April 2016, after four years of negotiations, the final text of the General Data Protection Regulation 2016/679 (GDPR) was adopted by the European Parliament.34 The GDPR will replace the DPD with a pan-European law that is directly applicable in the Member States from 25 May 2018. The GDPR continues to recognize the existing methods for transferring personal data to third countries under the DPD.35

2.3. Transatlantic transfers of personal data under the Data Protection Directive

Within Europe, the DPD has established a system of free flow of personal data that supports a strong internal market. But when personal data is transferred to a non-EU country, specific restrictions are applicable.

2.3.1. Free flow of data between Member States

A major achievement of the DPD is the rule of Article 1(2) that the free flow of personal data between Member States shall not be restricted by national laws for reasons connected with the protection afforded. In practice this means that Member States are mutually prohibited from imposing legal restrictions on data transfers on the basis of the levels of data protection they provide. This system of internal free movement serves the purpose of economic integration and is made possible by the minimum level of data protection that all Member States have adopted pursuant to the harmonization by the DPD.36 The free flow of personal data only applies to transfers between Member States. Specific rules apply when personal data are transferred outside EU territory. Companies always need to comply with the basic regime of the DPD. For example, the processing of personal data always requires a legal basis in the first place.37 Transferring personal data to a third country additionally needs a basis in Chapter IV of the DPD. The WP29 has substantially contributed to the interpretation of these provisions38 and this chapter will refer to its opinions accordingly. The opinions of the WP29 are non-binding but generally considered influential.

31 Article 2(a) of the DPD.

32 Article 2(b) of the DPD.

33 Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (Oxford University Press: 2007), page 82.

34 European Parliament, ‘Press release – Data protection reform – Parliament approves new rules fit for the digital era’, 14 April 2016.

2.3.2. Transfer to third countries with adequate level of protection

Article 25 of the DPD gives the general principles for transfers of personal data to third countries. Transfers to third countries are prohibited unless such countries provide an ‘adequate level of data protection’.39 This starting point was already considered a threat to international relations in the US before the DPD was adopted.40 The adequacy of the level of data protection provided by third countries shall be assessed in light of all the circumstances surrounding a data transfer.41 Adequacy depends on a wide variety of circumstances in the particular third country, including not just the content of the applicable rules but also the system in place to ensure the effective application of these rules.42 The WP29 considers that the degree of risk that the transfer poses for the data subject is an important factor for determining adequacy in particular cases.43

36 Lingjie Kong, ‘Data Protection and Transborder Data Flow in the European and Global Context’ (2010), Vol. 21, European Journal of International Law, page 443.

37 Personal data may only be processed on the basis of one of the six exhaustive grounds laid down in Article 7 of the DPD. Stricter rules apply to the processing of sensitive personal data under Article 8 of the DPD.

38 Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice (Springer-Verlag Berlin Heidelberg: 2012), page 148.

39 Recital 57 and Article 25(1) of the DPD.

40 See George Trubow, ‘European Harmonization of Data Protection Laws Threatens U.S. Participation in Trans Border Data Flow’ (1992), Vol. 13, Northwestern Journal of International Law & Business, page 167.

41 Article 25(2) of the DPD states as follows: “The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”

2.3.2.1. Adequacy decisions

The Commission has the authority to determine whether adequate protection is ensured by certain countries by adopting adequacy findings.44 The Commission has so far recognized adequate protection in the following third countries: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.45 These 11 adequacy decisions were adopted by the Commission to provide legal certainty throughout all Member States. Data transfers to ‘white-listed’ countries generally require no approval by DPAs, but Member States can require formalities such as reporting. The Safe Harbor decision was an adequacy finding for the US until its invalidation by the CJEU in the Schrems case.

2.3.3. Transfer to third countries without adequate level of protection

By way of derogation, Article 26 of the DPD also allows for personal data transfers to third countries without an adequacy decision. Article 26(1) of the DPD gives six derogations under specific circumstances.46 Only the first two derogations, consent and contract performance, are of commercial relevance and therefore a potential alternative to the Safe Harbor agreement for companies. All the derogations should be interpreted restrictively and applied with restraint.47 Article 26(2) of the DPD introduces contractual clauses as a means to provide ‘adequate safeguards’. The WP29 has recognized in its opinions that BCRs can also provide ‘adequate safeguards’ within the meaning of Article 26(2) of the DPD.48 BCRs are not explicitly mentioned in the DPD, which means they lack a formal legal basis at present,49 but BCRs will obtain a formal legal basis when the GDPR applies.50

2.3.3.1. Consent

Article 26(1)(a) of the DPD allows for personal data transfers to a third country when the data subject has unambiguously given consent. The WP29 requires that four criteria are satisfied for transfers on the basis of consent. Consent must be (1) a clear and unambiguous indication of wishes, (2) freely given, (3) specific, and (4) informed.51 The essence of this definition is that data subjects must be clearly informed in advance about what exactly they are consenting to. The WP29 suggests that “consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question”. Consent may never be implied, because implied consent lacks a clear and unambiguous indication of wishes. Furthermore, there is very little room to obtain prior consent for a future transfer whose exact details are unclear, as this conflicts with the requirement that consent must be specific and informed. Another concern is that the requirement that consent be freely given also implies that data subjects can revoke their consent at any time, which can be troublesome when the transfer is an intrinsic part of a systematic processing operation carried out by the data controller.52

42 WP29, ‘Working Document - Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive’ (WP 12), 24 July 1998, page 5.

43 Ibid.

44 Article 25(6) of the DPD.

45 See the list of Commission decisions on the adequacy of the protection of personal data in third countries maintained by the European Commission, available via: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

46 Article 26(1) of the DPD: “By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer, or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request, or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party, or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims, or
(e) the transfer is necessary in order to protect the vital interests of the data subject, or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.”

47 WP29 ‘Working document on a common interpretation of Article 26(1)’ (WP 114), 25 November 2005, page 7.

48 WP29, ‘Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers’ (WP 74), 3 June 2003.

49 Lokke Moerel, Binding corporate rules: Fixing the regulatory patchwork of data protection (2011), page 434.

50 Article 47 of the GDPR.

51 WP29 ‘Working document on a common interpretation of Article 26(1)’ (WP 114), 25 November 2005, pages 10-12.


2.3.3.2. Contract performance

Article 26(1)(b) of the DPD arranges that transfers may take place if necessary for the performance of a contract between the data subject and the controller. The scope of this derogation appears to be potentially broad for commercial situations, but the WP29 has stressed the requirement that transfers must be truly ‘necessary’ to the purpose of performance of the contract.53 For example, transferring personal employee data to a database in the US for employee payment and human resources management functions is not considered ‘necessary’ to perform employment contracts. Such interpretation of Article 26(1)(b) would be excessive “since it is highly questionable whether

the concept of an employment contract can be interpreted so broadly, as there is no direct and objective link between performance of an employment contract and such a transfer of data.” 54 An example of a legitimate transfer under this provision would be a travel agent in the EU transferring personal data of an individual client to a hotel in the US where this client will be staying.55 2.3.3.3. Contractual clauses

Contractual clauses can provide ‘adequate safeguards’ as a basis for data processing.56 In practice, Articles 26(2) and 26(4) of the DPD allow for two types of contractual clauses: SCCs and ‘ad hoc’ clauses. In order to effectively offer adequate safeguards, the WP29 has indicated that contractual clauses “must satisfactorily compensate for the absence of a general level of adequate protection, by including the essential elements of protection which are missing in any given particular situation”.57 SCCs are pre-approved by the Commission and should be adopted in unmodified form. The Commission has approved three sets of SCCs. Two sets of SCCs are available for controller-to-controller transfers58 and one set is available for controller-to-processor transfers.59

53 Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (Oxford University Press: 2007), page 193.

54 WP29 ‘Working document on a common interpretation of Article 26(1)’ (WP 114), 25 November 2005, page 13.

55 Ibid.

56 Article 26(2) of the DPD.

57 WP29, ‘Working Document - Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive’ (WP 12), 24 July 1998, page 16.

58 European Commission, ‘Decision on standard contractual clauses for the transfer of personal data to third countries’ (C(2001) 1539), 15 June 2001 and European Commission, ‘Decision amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries’ (C(2004) 5271), 27 December 2014.

59 European Commission, ‘Decision on standard contractual clauses for the transfer of personal data to

(17)

The distinction between controller-to-controller transfers and controller-to-processor transfers is relevant because corporations controlling personal data have more responsibilities than corporations merely processing the data.60 An important benefit of using SCCs is that they can be used as a legal basis for personal data transfers without approval of DPAs. ‘Ad hoc’ contracts are custom made in specific cases. These clauses are not approved by the Commission under Article 26(4), but they can still provide ‘adequate safeguards’ under Article 26(2). Most Member States require DPA authorization for the use of ad hoc contracts.61

2.3.3.4. Binding corporate rules

The WP29 has created the possibility for BCRs to provide ‘adequate safeguards’ for personal data transfers to third countries. BCRs are sets of data processing rules applied within a corporate group. When BCRs are successfully implemented, the entire corporate group becomes a safe haven where personal data can be freely transferred between corporate members. This takes away the trouble of having to apply one of the mechanisms mentioned in Article 26 of the DPD when transferring data from one corporate entity to another. The corporate group still has to apply another legal basis (such as SCCs) when data is transferred to third parties in third countries. In order for BCRs to take effect, the corporate group must submit an application to a DPA in one of the Member States (the ‘lead DPA’). Applications for BCRs should include three items: (1) contact details and information justifying the chosen lead DPA, (2) a background paper summarizing how the required elements of WP 7462 are satisfied, and (3) relevant documents that actually constitute the BCRs (such as internal policies or corporate codes).63 Applicants are free to structure applications in their own way. BCRs are currently implemented by more than 80 multinationals.64

60 The distinction in the DPD between ‘controllers’ and ‘processors’ mostly serves to distinguish between those involved in the processing of personal data that are responsible for compliance with data protection rules as controllers and those that are only acting on their behalf as processors. See WP29, ‘Opinion 1/2010 on the concepts of “controller” and “processor”’ (WP 169), 16 February 2010, page 5.

61 Ireland and the UK do not require authorization and act only upon complaints.

62 WP29, ‘Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers’ (WP 74), 3 June 2003.

63 WP29, ‘Model Checklist: Application for approval of Binding Corporate Rules’ (WP 102), 25 November 2004, page 3.

64 See the list of companies for which the EU BCR cooperation procedure is closed maintained by the European Commission, available via: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.

(18)

3. The Schrems ruling

The Safe Harbor decision and its invalidation in the Schrems ruling will be discussed below in order to determine how the Schrems ruling is relevant for the question of validity of the alternative mechanisms for personal data transfers from the EU to the US.

3.1. EU – US Safe Harbor

The Safe Harbor decision was adopted by the Commission in 2000 to provide adequate protection by means of Article 25(6) of the DPD.65 The Safe Harbor decision related to a set of principles negotiated between the EU and the US to provide US business companies with a legal basis for personal data transfers.66 The decision was different from most other adequacy decisions in the sense that it did not determine that an entire country (the US) provides adequate protection but rather that certain US companies could provide adequate protection by complying with the Safe Harbor principles.67 Participation in the Safe Harbor was based on a system of self-certification. The Safe Harbor allowed US companies to register their commitment to the Safe Harbor principles with the DoC and to implement the principles in their data processing practices, which means there was no review of actual compliance with the principles prior to certification.68 Monitoring and enforcing compliance with the principles in the US was the task of the Federal Trade Commission (FTC).69 The Safe Harbor was controversial from the beginning.70 Already in 2002 the Commission noticed that a substantial number of companies that had self-certified did not transparently commit to the principles through their privacy policies.71 Enforcement by the FTC

65 European Commission, ‘Decision on the adequacy of the protection provided by the safe harbour privacy principles’ (C(2000) 2441), 26 July 2000.

66 Safe Harbor privacy principles of 21 July 2000.

67 Ot Van Daalen, (in Dutch) ‘Het Schrems/Facebook-arrest en de gevolgen voor internationale doorgifte’ (2016), Vol. 3, Nederlands Tijdschrift voor Europees Recht, page 75.

68 See Articles 1(2) and 1(3) of the Safe Harbor decision and FAQ 6 set out in Annex II to the Safe Harbor decision.

69 See FAQ 11 set out in Annex II to the Safe Harbor decision.

70 See for example Sylvia Mercado Kierkegaard, ‘Safe Harbor Agreement - Boon or Bane?’ (2005), Vol. 1, Shidler Journal of Law, Commerce and Technology, para. 8.

71 European Commission, ‘Commission Staff Working Paper on the Safe Harbour’ (SEC(2002) 196), 13

(19)

was deemed insufficient by the Commission.72 When whistleblower Edward Snowden disclosed classified information on US surveillance programs in 2013, revealing among other things that the NSA intercepted through the PRISM program personal data held by Facebook in the US,73 criticism took flight in Europe. The detailed revelations regarding the NSA mass surveillance programs led the European Parliament in 2014 to adopt a resolution disapproving the NSA’s collection of personal data because of the impact on EU citizens’ fundamental rights,74 and the disclosures were central to Schrems’ claim which resulted in invalidation of the Safe Harbor decision. When the CJEU invalidated the Safe Harbor agreement 15 years after its adoption by the Commission, this erased the legal fiction that the agreement provided an adequate level of protection under Article 25(1) of the DPD. This chapter will discuss the Schrems ruling, which is central for answering the research question.

3.2. Facts of the Case

The Schrems case arose from proceedings brought against Facebook in Ireland by Austrian law student Maximilian Schrems. Schrems requested from Facebook access to the personal data concerning him and received over 1,200 pages of information. These personal data were transferred by Facebook to its servers in the US on the basis of the Safe Harbor agreement. Schrems asked the Irish DPA to prohibit Facebook Ireland from transferring his personal data to the US because, according to him, as manifested by the Snowden revelations, these data were not adequately protected against surveillance by US intelligence services. The complaint was made in Ireland because this is the location of Facebook’s EU headquarters and all Facebook users sign a contract with the Irish subsidiary. The Irish DPA rejected the claim, stating that the adequacy decision issued by the Commission was binding. Schrems appealed to the Irish High Court against the refusal of the DPA to investigate the matter. The High Court strongly doubted whether the Safe Harbor

72 European Commission, ‘Communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ (COM(2013) 847 final), 27 October 2013, page 19.

73 Edward Snowden contacted The Guardian journalist Glenn Greenwald to share the classified documents with the public. This was one of the first published stories: Glenn Greenwald and Ewan MacAskill, ‘NSA Prism program taps in to user data of Apple, Google and others’, The Guardian, 7 June 2013. Available via: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.

74 European Parliament, ‘Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs’ (2013/2188/INI), 12 March 2014.

(20)

decision was compatible with EU law and referred to the CJEU the following preliminary questions:

“Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?

Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?”75

3.3. Complete independence of DPAs

Part of the preliminary question is whether a DPA is absolutely bound by a Commission decision such as the Safe Harbor agreement. The CJEU starts by underlining that Member States are required by Article 28(1) of the DPD to set up DPAs responsible for monitoring, with complete independence, compliance with EU data protection rules.76 The independence of DPAs is an essential component of the protection of individuals as is stated in recital 62 of the DPD. The central thought underlying the requirement of complete independence is that DPAs must have sufficient means (such as workforce and capital) to perform their duties without interference of other public authorities.77 The Court considers that measures of EU institutions like the Commission are in principle presumed to be lawful until they are withdrawn, annulled or

75 Schrems case (C-362/14), para. 36.

76 Ibid, para. 40.

77 Philip Schutz, ‘Comparing formal independence of data protection authorities in selected EU Member States’ (2012), Conference Paper for the 4th Biennial ECPR Standing Group for Regulatory Governance Conference, page 10.

(21)

invalidated by the CJEU.78 However, the CJEU denies the absolutely binding character of Commission decisions as proclaimed by the Irish DPA in response to Schrems’ claim. The binding character of a Commission decision pursuant to Article 25(6) of the DPD cannot eliminate the right to file a claim regarding the processing of personal data with DPAs under Article 28(4) of the DPD,79 as this would deny the fundamental right to control over the protection of personal data by an independent authority assured by Articles 8(1) and 8(3) of the Charter.80 In sum, only the CJEU has jurisdiction to invalidate EU acts, but DPAs have authority to examine claims of persons concerning the protection of their personal data in a third country even if the Commission has established an adequacy mechanism for that country. Both claimants before DPAs and DPAs themselves must always have access to national courts in order to reach the CJEU through preliminary proceedings.81

3.4. Invalidating the Safe Harbor

Having already answered the preliminary questions by explaining the relationship between binding adequacy decisions of the Commission and the freedom of DPAs to examine claims challenging the adequacy, the CJEU continues to invalidate the entire adequacy decision. The CJEU notes that the Commission did not state in the Safe Harbor decision that US legislation ensures an adequate level of protection,82 and that Article 1 of the decision is for that reason invalid without there being any need to examine the actual substance of the Safe Harbor principles.83 The CJEU invalidates Article 3 of the Safe Harbor decision because of its limitations on the powers of DPAs.84 As Articles 1 and 3 are inseparable from the rest of the Safe Harbor decision, the CJEU invalidates the entire decision.85 Despite the statement of the CJEU that there is no need to examine the substance of the principles, the CJEU extensively objects to the actual substance of the Safe Harbor decision in the ruling.86 The substantive objections of the Court can implicitly be divided

78 Schrems case (C-362/14), para. 52.

79 Ibid, paras. 53-56.

80 Ibid, para. 58.

81 Ibid, paras. 64-65.

82 Ibid, para. 97.

83 Ibid, para. 98.

84 Ibid, paras. 99-104.

85 Ibid, paras. 105-106.

86 Ot Van Daalen, (in Dutch) ‘Het Schrems/Facebook-arrest en de gevolgen voor internationale doorgifte’

(22)

into three elements: (1) the system of self-certification, (2) massive surveillance by US intelligence, and (3) access of EU citizens to judicial protection.87 This trichotomy will be used in this chapter because it is helpful in order to separate the elements of the Schrems ruling that are relevant for the data transfer mechanisms of Article 26 of the DPD from those that are not.

3.4.1. The system of self-certification

The Safe Harbor is based on a system which gives companies the freedom to self-certify and implement the principles. This system of self-certification is not in itself contrary to Article 25(6) of the DPD, but the reliability of the system depends on the presence of effective supervision mechanisms enabling identification and punishment of companies which do not respect the Safe Harbor principles.88 The CJEU finds that no such mechanism supervising the certifications is in place.

3.4.2. Essence of the fundamental right to respect for private life compromised

US intelligence services have strong powers to collect personal data for purposes of national security and these powers are not limited in respect of personal data from EU citizens that are transferred to the US on the basis of the Safe Harbor decision. The Safe Harbor decision lays down that adherence to the principles may be limited “to the extent necessary to meet national security, public interest, or law enforcement requirements”89 and that “clearly, where US law imposes a conflicting obligation, US organizations whether in the Safe Harbor or not must comply with the law”.90 The CJEU judges that the general nature of the limitations allowed on the basis of national security enables interference with the fundamental rights of the persons whose personal data is or could be transferred from the EU to the US.91 This interference with fundamental rights of EU data subjects is not limited by any means in the Safe Harbor decision.92 According to the CJEU, the power of US authorities to access and process personal data transferred from the EU goes beyond

87 See for example Bart van der Sloot, (in Dutch) ‘Machtsstrijd over persoonsgegevens, De zaak Schrems v. Data Protection Commissioner van het Europees Hof van Justitie’ (2016), Vol. 4, Ars Aequi.

88 Schrems case (C-362/14), para. 81.

89 See the fourth paragraph of Annex I to the Safe Harbor decision.

90 See the second paragraph of Part B of Annex IV to the Safe Harbor decision.

91 Schrems case (C-362/14), para. 87.

(23)

what is necessary and proportionate to the protection of national security.93 In order to respect the fundamental right to respect for private life at EU level, limitations to the protection of personal data are only acceptable in so far as is strictly necessary.94 This is not the case when “legislation authorizes, on a generalized basis, storage of all the personal data of all persons whose data has been transferred from the EU to the US without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail”.95 The Safe Harbor decision does not prevent US intelligence services from accessing personal data transferred from the EU on such a generalized basis and therefore compromises the essence of the fundamental right to respect for private life as guaranteed by Article 7 of the Charter.96 Such access is hence per se unlawful under the Charter, without the need for a balancing test.97 In its statement following the Schrems decision, the WP29 emphasized that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment” and underlined that “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis”.98

3.4.3. Essence of the fundamental right to effective judicial protection compromised

The Safe Harbor decision offers no effective legal protection for EU data subjects in the US. Procedures before the FTC and the private dispute resolution mechanisms cannot be used to challenge access by US intelligence services to personal data.99 The jurisdiction of the FTC is limited to commercial disputes100 and is therefore not comparable to the role of DPAs in the EU, which is to ensure the protection of the right to privacy.101 This means that EU data subjects cannot

93 Ibid, para. 90.

94 Ibid, para. 92 and Digital Rights Ireland case (C-293/12 and C-594/12), para. 52.

95 Ibid, para. 93.

96 Ibid, para. 94.

97 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016), Paper No. 14/2016, University of Cambridge Faculty of Law Research Paper Series, page 21.

98 WP29, ‘Statement of the Article 29 Working Party’, 16 October 2015.

99 Schrems case (C-362/14), para. 89.

100 The jurisdiction of the FTC is limited to commercial disputes, it “covers unfair or deceptive acts and practices in commerce”, see FAQ 11 set out in Annex II to the Safe Harbor decision.

101 See point 205 of the Opinion of Advocate General Bot on the Schrems case, delivered on 23

(24)

challenge the activities in the US interfering with their fundamental right to protection of private life. Furthermore, EU data subjects have no access to means of redress enabling access, rectification or erasure of personal data relating to them. By not providing these legal remedies, the Safe Harbor decision compromises the essence of the fundamental right to effective judicial protection as guaranteed by Article 47 of the Charter.102

3.5. Relevance of the ruling for validity of alternative data transfer mechanisms

Without concretely evaluating the level of data protection in the US itself, the CJEU has established with the Schrems ruling high standards for any data transfer to third countries and particularly to the US. The alternative mechanisms to transfer personal data to the US as laid down in the DPD are protected from being formally invalidated by DPAs or national courts because only the CJEU has the authority to invalidate EU acts.103 DPAs should examine any claims with respect to the validity of specific personal data transfers to the US under EU data protection law with complete independence. If a DPA has doubts about the validity of an alternative mechanism it should apply to a national court in order to reach the CJEU for a preliminary ruling.104

The considerations of the CJEU in the Schrems ruling should be taken into account by companies and DPAs in their assessments of compliance with EU data protection law. In particular, the concerns of the Court regarding access to personal data by US authorities can be raised against the alternative mechanisms. Massive surveillance by US intelligence agencies is carried out on all personal data sent from the EU to the US. Looking at the alternative data transfer mechanisms, the disapproval of the CJEU regarding massive surveillance by US intelligence threatens their validity in the light of Article 7 of the Charter. This concern should be especially strong because the US seems to offer little willingness to limit its surveillance activities, which is for example visible from the draft ‘Privacy Shield’ adequacy decision, which is the result of negotiations between the Commission and the US government following the Schrems decision. It

102 Schrems case (C-362/14), para. 95.

103 Ibid, para. 61.

(25)

is clear from the text of the draft Privacy Shield that the US effectively made no commitments to reform its surveillance activities in respect of the requirements of necessity and proportionality.105 The mechanisms of Article 26 of the DPD, by way of derogation from Article 25, are intended to allow transfers to jurisdictions that do not provide for ‘adequate protection’. Validity of the relevant derogations of Article 26(1) basically depends on whether (a) consent is unambiguously given or (b) contractual necessity exists.106 The validity of contractual clauses and BCRs depends on the presence of ‘adequate safeguards’ as required by Article 26(2) of the DPD. The considerations of the CJEU regarding ‘adequate protection’ provided by the Safe Harbor arrangement are not directly applicable in that sense. However, Article 26 of the DPD must also comply with the fundamental rights protected by the Charter. In line with CJEU case law, the review of Article 26 of the DPD read in light of the Charter should be strict due to (1) the important role played by the protection of personal data in the light of the fundamental right to respect for private life and (2) the large number of persons whose fundamental rights are liable to be infringed where personal data is transferred to a third country.107 In light of the fundamental right to respect for private life ensured by the Charter, serious doubts should be raised about the validity of the alternative transfer mechanisms laid down in Article 26 of the DPD if these mechanisms in effect, like the Safe Harbor, permit public authorities in the US to have access on a generalized basis to personal data transferred from the EU.108

The critique of the CJEU regarding effective judicial protection under the Safe Harbor decision is not applicable to the alternative data transfer mechanisms. In contrast to the Safe Harbor – which was subject to supervision by the FTC – compliance with SCCs, BCRs and derogations of Article 26(1) is a task of DPAs and national courts.

105 The draft Privacy Shield adequacy decision of the European Commission of 29 February 2016 will be further discussed in the fifth chapter of this thesis.

106 Lokke Moerel, ‘An assessment of the impact of the Schrems judgment on the data transfer grounds available under EU data protection law for data transfers to the US’ (2016), Memorandum, page 13.

107 See by analogy Schrems case (C-362/14), para. 78; and Digital Rights Ireland case (C-293/12 and C-594/12), paras. 47 and 48.

(26)

4. Validity of transatlantic data transfer mechanisms alternative to the Safe Harbor under EU data protection law in light of the Schrems case

After invalidation of the Safe Harbor, Article 26 of the DPD still provides for four alternative mechanisms on which transfers to the US can take place. The validity of these mechanisms under EU data protection law and in light of the Schrems case will be discussed below. The alternative mechanisms of Article 26 of the DPD that will be assessed are (1) consent, (2) contract performance, (3) contractual clauses and (4) BCRs. These mechanisms are both broader and narrower compared to adequacy decisions under Article 25 of the DPD. They are broader because they are not limited to one specific country and they are narrower because their scope is limited to specific data flows carried out by companies that have implemented them.109

4.1. Consent

The requirements of consent include not only that the data controller must obtain the consent of the data subject, but also, importantly, that the consent was given on the basis of sufficiently precise information. The essence of the consent derogation is the autonomy of data subjects. This means that, in principle, the data subject is free to decide on the export of his personal data as long as he is sufficiently informed of the risks. The WP29 requires that the information which is required for consent must also include the particular risk regarding the lack of adequate protection in the third country.110 The lack of adequate protection in the US is stressed in the Schrems ruling and must be clearly communicated to data subjects by companies relying on their consent for personal data transfers to the US.

An interesting question is whether the autonomy of data subjects implies that the data subject can decide to accept the lack of adequate protection in a third country and an interference with his or her fundamental right to respect for private life on the basis of clear and sufficient information. The theory of ‘risk regulation’ of data protection allows that data subjects can consent to transfers

109 See in these words European Commission, ‘Communication on the Transfer of Personal Data from the EU to the US following the Schrems Judgment’ (COM(2015) 566 final), 6 November 2015, page 5.

110 WP29, ‘Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26

(27)

of personal data after they have been informed of the risks of such a transfer due to the absence of safeguards.111 Such a risk regulation approach can perhaps be derived from the words of Article 49(1)(a) of the forthcoming GDPR: “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”112 Surely even with sufficient information about the risks, the fundamental concerns of the CJEU regarding indiscriminate mass surveillance in the US persist. It is self-evident that consent of an individual to a data transfer can provide no protection against generalized access to the data by US public authorities,113 and such access is unlawful under Article 7 of the Charter in view of the Schrems judgment.

Furthermore, it must be kept in mind that, as indicated earlier, the WP29 has noted that consent is unlikely to provide an adequate framework for structural transfers.114 Consent must be given individually by data subjects and cannot be used for systematic processing operations. In practice, this means that very little room for personal data transfers to third countries on the basis of Article 26(1)(a) of the DPD was available even before the Schrems ruling. After the Schrems ruling, companies are required to clearly inform data subjects about the massive surveillance of their personal data that are transferred to the US. Considering the fundamental concerns raised by the CJEU, it must be concluded that the use of consent for transfers of personal data to the US is near to impossible after the Schrems case.

4.2. Contract performance

The scope of Article 26(1)(b) of the DPD is strongly limited by the requirement that transfers must be truly ‘necessary’ to the purpose of performance of the contract. By default, contracts must be performed without transferring personal data to third countries. The scope of application of this provision was very small even before the Schrems ruling; one of the rare applications is travel

111 Alessandro Spina, ‘Risk Regulation of Big Data: Has the Time Arrived for a Paradigm Shift in EU Data Protection Law?’ (2014), Vol. 2, European Journal of Risk Regulation, page 252.

112 Alessandro El Khoury, ‘The Safe Harbour is not a Legitimate Tool Anymore. What Lies in the Future of EU-USA Data Transfers?’ (2015), Vol. 4, European Journal of Risk Regulation, page 664.

113 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016), Paper No. 14/2016, University of Cambridge Faculty of Law Research Paper Series, page 25.

(28)

bookings. This provision cannot limit the massive and indiscriminate surveillance that will be conducted by US authorities once the personal data relating to, for example, a travel booking enters the US. The fundamental right to respect for private life of the EU data subject who is a client of the travel agent will then be compromised by the transfer on the basis of Article 26(1)(b). The small scope of this provision seems to be even further restricted after the Schrems ruling.

4.3. Contractual clauses

The resemblance between SCCs and adequacy decisions is that both mechanisms are Commission decisions. SCCs, like adequacy decisions, must be presumed to be lawful and can only be invalidated by the CJEU.115 SCCs provide more legal certainty compared to the derogations of Article 26(1) of the DPD because they are standardized and approved by the Commission beforehand. In comparison to the transfer mechanisms of consent and contract performance, which both have a small scope which is not suitable for structural business transfers, and BCRs, which can only be applied within a corporate group, SCCs are the most suitable alternative for companies to implement for data transfers to the US after invalidation of the Safe Harbor.116

Looking at the SCCs after the Schrems ruling, several legal duties of the data importers and exporters are triggered.117 The data importer is required by the SCCs to agree and warrant “that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract”.118 US legislation allowing the massive indiscriminate surveillance by public authorities should be regarded to have a substantial adverse effect on the

115 Schrems case (C-362/14), paras. 52 and 61.

116 See Jens Ambrock (in German), ‘Nach Safe Harbor: Schiffbruch des transatlantischen Datenverkehrs?‘

(2015), Vol. 24, Neue Zeitschrift für Arbeitsrecht, page 1496.

117 See Fabian Schuster & Sven Hunzinger (in German), ‘Zulässigkeit von Datenübertragungen in die

USA nach dem Safe-Harbor-Urteil’ (2015), Vol. 12, Computer und Recht, page 788.

(29)

warranties and obligations provided in the SCCs as its puts under extreme scrutiny the basic element that the clauses provide ‘adequate safeguards’. This means that data importers must notify this ‘substantial adverse effect’ to the data exporter, who is then entitled to suspend the transfer of personal data and/or terminate the contract. Looking at the Schrems case, the data exporter should in these circumstances probably indeed decide to suspend the transfer and/or terminate the contract.119 If the data exporter decides to continue the transfer of personal data, it is required to forward the notification of the data importer to the DPA.120 The DPA then has the authority to examine this notification concerning the protection of personal data in the US with complete independence, and if the DPA doubts the validity of SCCs it should appeal to a national court in order to reach the CJEU for a preliminary ruling.121

It is hard to see how the use of SCCs can pass the strict test that the Schrems case required for the protection of the fundamental right to respect for private life. The SCCs do not provide for any exceptions to sharing personal data with governmental agencies outside of the EU, which means that the same deficiencies that the CJEU observed regarding the Safe Harbor on this point also apply to the SCCs.122 Like the Safe Harbor, the SCCs do not prevent US intelligence services from storing and accessing personal data transferred from the EU on a generalized basis, which is a violation of Article 7 of the Charter in light of the Schrems case.123

Ad-hoc contracts are different in the sense that they are custom made and can therefore, in theory, include exceptions to sharing personal data with intelligence services in third countries. In practice, however, the powers of intelligence agencies to store and access personal data exceed any protections that can be granted by contractual clauses.124 US legislation gives governmental agencies the ability to require disclosure of personal data regardless of conflicting laws in other jurisdictions.125 This means that, even if contracts were to contain exceptions to sharing personal data with intelligence services in the US, it is hard to see how the requirements of Article 7 of the Charter set out by the CJEU in the Schrems ruling would be respected.

119 See Fabian Schuster & Sven Hunzinger (in German), ‘Zulässigkeit von Datenübertragungen in die USA nach dem Safe-Harbor-Urteil’ (2015), Vol. 12, Computer und Recht, page 788.

120 Clause 4(g) of the SCCs of 2010.

121 See Schrems case (C-362/14), para. 65.

122 Flemming Moos & Jens Schefzig, ‘Safe Harbor hat Schiffbruch erlitten’ (2015), Vol. 31, Computer und Recht, page 632.

123 Schrems case (C-362/14), para. 94.

124 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016), Paper

4.4. Binding corporate rules

The scope of BCRs is limited to transfers of personal data within a corporate group. Corporate groups are free to structure BCRs in their own way as long as they respect the required elements laid down in WP74. Similar to SCCs, BCRs are required to contain a provision indicating that when a member of the group has reason to believe that the legislation applicable to it prevents the company from fulfilling its obligations under the BCR and has a substantial adverse effect on the guarantees provided by them, the member must promptly notify the EU headquarters.126 The EU headquarters must then take a responsible decision and consult the competent DPAs. Additionally, BCRs must contain a provision stipulating that when there is a conflict between national law and the commitments in the BCR, the company must take a responsible decision on what action to take and consult the competent DPAs in case of doubt.127 Informing the EU headquarters or DPAs about conflicts with US legislation can by itself provide no protection, and DPAs can merely suspend the data transfer, which does not provide effective protection on a large scale.128 Like the derogations and contractual clauses, BCRs are susceptible to storage and access on a generalized basis by US authorities and are therefore likely to violate the fundamental right to respect for private life guaranteed by Article 7 of the Charter.

125 Joris Van Hoboken, Axel Arnbak & Nico Van Eijk, ‘Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act’ (2012), Research Paper, page 16.

126 WP29, ‘Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers’ (WP 74), 3 June 2003, page 13.

127 WP29, ‘Working Document Setting up a framework for the structure of Binding Corporate Rules’ (WP 154), 24 June 2008, page 8.

128 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2016), Paper
