Dearer to us than a host of truths is an exalting illusion? EU Data Transfer Regulation after Schrems

[Image: Kuner & Fennelly]

My favourite Steve Jobs aphorism (and there are so many from which to choose) is

People who know what they’re talking about don’t need PowerPoint.

(see Steve Jobs by Walter Isaacson (Simon and Schuster, 2011) 337). Last Thursday, Chris Kuner elevated this from apothegm to axiom, resoundingly proving the truth of that insight, by providing a masterclass in compelling presentation without resort to the crutch of PowerPoint or similar slides. Chris is pictured above left, chatting with David Fennelly, before delivering a powerful lecture on “Reality and Illusion in EU Data Transfer Regulation” in the light of the decision of the Court of Justice of the European Union in Case C-362/14 Schrems v Data Protection Commissioner [2015] ECR I-nyr (Grand Chamber, 6 October 2015) to a rapt audience in Trinity College Dublin. He began with a quote from Chekhov:

Dearer to us than a host of truths is an exalting illusion.

This is from Chekhov’s short story “Gooseberries” (see Richard Pevear and Larissa Volokhonsky (tr) Selected Stories of Anton Chekhov (Random House, 2009) 311 at 317), where Nikolai is deluding himself that his gooseberries – actually “hard and sour” – are in fact the succulent and luscious fruit which he had always dreamed of growing. So it is, Chris argued, with EU regulation of trans-border data flows, which is at present an exalting illusion running up against a host of political realities.

In Schrems, the CJEU held that national data protection authorities [DPAs] could independently make decisions on the adequacy of data protection regimes in countries to which EU data is exported, notwithstanding a Commission decision on such adequacy, and that the Commission Safe Harbour decision on the adequacy of the US data protection regime was invalid. Four themes can be discerned in the judgment. First, there is a strong affirmation of the right to data protection under the EU Charter of Fundamental Rights, building on the prior judgments in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (Grand Chamber, 8 April 2014) [and Case C-131/12 Google Spain (Grand Chamber, 13 May 2014)]. Second, EU data protection standards – and in particular, the Charter – apply to transfers to third countries. Third, the CJEU elevated the role of independent national DPAs (especially as against the EU Commission) and empowered individuals to complain to such DPAs. And, fourth, the CJEU held that the “adequate level of protection” of international transfers of data required by EU law is equivalent to the level of data protection provided by EU law – Chris stressed that “equivalent” here is not necessarily “identical”, but that this is still a high bar.

The impact of the CJEU decision in Schrems goes far beyond the context of the invalid safe harbour. Chris gave four examples. First, data is leaving the EU and going not just to the US but to many other countries, including India and China, and the decision will constrain how data can validly flow to all of these other third countries too. Second, Schrems will also have an impact on the EU-US Privacy Shield which replaced the safe harbour. The degree of secrecy that marked the negotiations between the EU and the US was striking. The Privacy Shield is based on the data protection standards in the current Data Protection Directive (DPD), and US compliance is policed by the US Fair Trade Commission. However, the Article 29 Working Party (pdf) and the European Data Protection Supervisor (pdf) have – after Schrems – both expressed concerns about its compliance with EU fundamental rights standards. There is a cloud over it, but it is up and running, and many US companies are signing up to it.

Third, Schrems raises questions about the impact of the General Data Protection Regulation (GDPR). It is a much more complicated framework than the DPD [which it will repeal; see Art 94 GDPR]; it goes further than the DPD [by providing additional user rights, such as data portability]; and it will be directly effective. All of this will require revision to national data protection laws [in Ireland, Heads of a Bill for this purpose are expected before Christmas (pdf), but I’m not holding my breath]. The question suggested by Schrems is this: given the more complex and extensive reach of the GDPR, can the current Privacy Shield, based on the Directive, still be considered as essentially equivalent when the GDPR comes in and changes the very basis of EU data protection standards? Indeed, in the Commission decision (pdf) on the adequacy of the Privacy Shield, recital 146 provides (emphasis added):

Therefore, the Commission will continuously monitor the overall framework for the transfer of personal data created by the EU-US Privacy Shield … In addition, since the adequacy finding may also be influenced by legal developments in Union law, the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the GDPR.

The fourth example of the impact of the CJEU decision in Schrems which Chris gave relates to its impact on other data transfer mechanisms. EU law currently envisages (and the GDPR will retain) three levels of compliance with data protection norms for trans-border data transfers. The first is adequacy decisions, where (as explained above) the standard of compliance is essential equivalence. As well as the EU-US Privacy Shield, the Commission has adopted 11 (why so few? especially since there are more than 100 financial services adequacy decisions) such adequacy decisions, including for Canada, New Zealand and Israel; and the reasoning in Schrems raises questions about their validity. The second is appropriate safeguards, such as standard contractual clauses and binding corporate rules. But it’s unreal to expect that a contract would stop the FBI or the NSA accessing data. And the third is derogation from the Directive’s protections (such as express consent to transfer data to a third country that has neither essential equivalence nor appropriate safeguards). The reasoning in Schrems raises questions about the validity of all three such data transfer mechanisms.

[In the High Court in Dublin, Hogan J held that “the evidence suggests that personal data of data subjects is routinely accessed on a mass and undifferentiated basis by the US security authorities” ([2014] IEHC 310 (18 June 2014) [76]), and this finding of fact effectively bound the CJEU on the Article 267 TFEU reference. For so long as personal data continues to be routinely accessed by US security authorities, then the reasoning in Schrems raises serious questions about the efficacy of all three data transfer mechanisms to validate the transfer of data from the EU to the US].

In his conclusions, Chris returned to his themes of reality and illusion. He emphasised that the reality of data protection right now is very hard, whilst the legal protections for data transfers are illusory. Nevertheless, although Schrems is now a year old, there are as yet only very few enforcement actions on foot of it. For so long as that persists, it is no more than a legal Potemkin village [deceiving us into believing the illusion, rather than perceiving the reality]. There is at present a vast gulf between the illusion of strong rights protection and the reality of non-enforcement, not least because in the end a great deal of this comes down to politics, where the law is often just post-facto window-dressing, and it is often difficult to separate each side’s legal arguments from their underlying political assumptions. Chris concluded that Schrems is a unilateral assertion of values by the EU, and it may be in this context that the law is given more weight than it can bear, but it can still make a valuable contribution. Nevertheless, it is important that EU data protection law must go beyond illusion, and move towards proper enforcement in reality.

The full text of the paper is available for download (SSRN). The Trinity Long Room Hub hosted the talk, and you can listen back to the talk via their podcast page (SoundCloud). David Fennelly organised the event on behalf of the Adapt Centre, and you can watch their video of Chris’s talk (coming soon to their YouTube channel) (but, remember, there’s no benighted PowerPoint to have to put on SlideShare). It was a cogent argument, and an eloquent and persuasive presentation, followed by a great question-and-answer session, and it ought to be checked out by everyone with an interest in the (sweet gooseberry) illusions and (tart gooseberry) realities of EU-US politics as much as in international data transfers from the EU.