On April 11, Justice Caroline Costello of the Irish High Court referred the Schrems 2.0 case to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer. Per Justice Costello, the sole issue in the case is whether the European Commission’s Decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.
The reference asks the ECJ to determine:
- Whether provisions of EU law related to national security, public security, defense, and state security apply to transfers of data outside the EU under SCCs;
- Whether relevant EU law or EU Member State laws are the appropriate comparator for determining if a violation of individual rights occurred (and whether to include EU Member States’ national security practices in that comparator);
- Whether the assessment of a third country’s level of privacy protection should include administrative, regulatory and compliance practices, policy safeguards, procedures, protocols, oversight mechanisms, and non-judicial remedies;
- Whether transfer of personal data from the EU to the U.S. under valid SCCs violates the rights of individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (the Charter) (note – these articles state the rights to data protection and privacy);
- Whether the level of protection afforded by the U.S. respects the essence of an individual’s right to a judicial remedy for breach of data privacy rights as guaranteed under the Charter, and if so, whether limitations imposed by U.S. law on access to judicial remedies are necessary and proportionate for national security in a democratic society according to Article 52 of the Charter;
- What level of protection is required for personal data transferred to a third country pursuant to SCCs in light of the Data Protection Directive and the Charter, and what factors should be reviewed in determining the adequacy of the level of protection offered by a third country;
- Whether the SCCs can include additional safeguards per Article 26(2) of the Data Protection Directive sufficient to cure any deficiencies for third countries where national authorities may require a data importer to make personal data received under an SCC available for national security purposes;
- Whether a data protection authority (DPA) can use its own discretion in determining whether to suspend data flows to a third country data importer if the DPA believes that country’s surveillance laws conflict with relevant EU law;
- Whether the Privacy Shield Decision constitutes a finding that the U.S. has an adequate level of privacy protection, and if not, what relevance the Privacy Shield Decision has in assessing the adequacy of U.S. privacy safeguards related to SCCs;
- Whether the provision of the Privacy Shield ombudsperson under the Privacy Shield Decision, in combination with existing U.S. law, ensures a remedy compatible with Article 47 of the Charter; and
- Whether the SCC Decision violates the Charter.
In addition to the questions posed in the referral, Justice Costello also included findings of fact based on the submitted expert testimonies and the parties’ arguments before the Court. Justice Costello found that Section 702 of the Foreign Intelligence Surveillance Act, which includes the PRISM and Upstream programs, conducts “mass indiscriminate processing of data by the United States government agencies” (Para. 33). Justice Costello also included a number of findings regarding the U.S. surveillance law, how the PRISM and Upstream programs operate, available privacy remedies for individuals whose privacy rights are impacted by U.S. surveillance, the limitations on those remedies, and U.S. systemic safeguards and oversight mechanisms.
Copies of expert testimonies provided in Schrems 2.0 are available at IAPP.org. A full copy of Professor Peter Swire’s (Holder Chair at the Georgia Tech Scheller College of Business and Senior Counsel at Alston & Bird) testimony, including a French translation of the summary chapter and a series of related essays, is available here.