A Weaponized Court of Justice in Schrems II

The U.S.-EU conflict over the application of the General Data Protection Regulation (GDPR) to U.S.-based digital platform companies is marked by a startling legal development: the insertion of a constitutional court squarely into the heart of the dispute. The engagement of the EU’s top court - the Court of Justice (CJEU) - in the Schrems I and Schrems II cases - has significantly inflamed the dispute. The CJEU has now twice struck down GDPR accommodations reached between the United States and the European Union. In doing so, the Court has rebuked both U.S. and EU officials. By transfiguring provisions of the GDPR with constitutional (that is, treaty-based) and human rights values, the Court has placed out of reach any accommodation that does not involve significant reform of U.S. privacy and national security provisions. Heated trans-Atlantic disputes involving assertions of extraterritorial extensions of regulatory power is an inappropriate place for a constitutional court like the CJEU to throw its declarative weight around.

National Security Concerns as an Exception to EU Standards on Data Protection

Discussions on the appropriate fundamental rights standards in the EU and the need to take into account conflicting interests are increasingly being reframed as debates on the conflict between the primacy of EU law and the constitutional standards of the Member States. One example of this reframing is the French administrative supreme court’s decision following the ECJ judgment in La Quadrature du Net. The Conseil ruled that the EU standards set in that judgment must be reviewed, at the national level, with regard to a national understanding of security concerns and the requirements of the fight against terrorism. Thus, constitutional requirements related to public security may be relied upon to argue for a lower standard of protection of personal data than those which the ECJ requires. As this decision shows, the ability of corporations and Governments to rely on litigation before national courts to challenge the standard of protection set at the EU level creates a significant risk, not only for the uniformity of EU law, but also for the protection of the rights of individuals.

Tolerating Ambiguity: Reflections on the Schrems II Ruling

This paper considers the European Court of Justice’s Schrems II ruling from a variety of angles. From a strictly legal point of view, considering the GDPR, the CJEU came to a logical conclusion. In this paper, I nevertheless try to think about other ways of understanding the dispute and the ruling. In addition to data protection law, the case is about surveillance, platform power, resistance, global politics, data territoriality and the Court’s competence. These sensitive issues come forth when the strict data protection issues are set aside and a slightly more open analysis undertaken. In the end, however, the ruling does bring about real-life problems that pertain to data protection law. Transfers of data to third countries are a pressing problem that no one seems to know how to solve.

EU Data Protection and the Principle of Proportionality

This paper explores the principle of proportionality in the context of EU data protection. The paper starts by setting out the basics of EU data protection at the EU level and explains why it is so interesting in the context of proportionality. The paper will briefly set out some of the main debate on proportionality before looking at some recent EU cases on data protection where the principle of proportionality has played a key role. The final part of the paper uses the Swedish derogations from the GDPR as a test case of a lack of proportionality.

A Reality Check of the Schrems Saga

From an enforcement point of view, the revocation of the European Commission’s two adequacy decisions on the federal US system of data protection raises many questions regarding the interrelations between the EU data protection regime and the Union’s legal frameworks for data ‘transfers’. Whereas data uploaded in the Union was once upon a time wired over the Atlantic to be downloaded in the US and vice versa, data packets are nowadays often exchanged over various radio spectra. As online resources around the world can be used to store data, and the data is made available and retrieved from domains rather than ‘exported’ and ‘imported’, the idea that the EU data protection regime would no longer apply when data is ‘transferred’ from the Union easily leads astray. In fact, the location of data or data processing equipment is irrelevant for the applicability of EU law as its territorial scope is determined by the location of the data subjects or undertakings concerned. Whereas the EU legislation applies with regard to legal entities overseas with affiliated undertakings in the Union, the Union seeks to guarantee the EU data subjects an adequate level of protection also in cases of onward transfers of data to non-affiliated organisations and unwarranted interceptions. Furthermore, the European Commission promotes a level of protection in non-EU Member States that is essentially equivalent to that enjoyed under the EU data protection regime since the authorities and courts may refrain from applying EU law pursuant to private international law. However, the Cases which resulted in the revocation of the two adequacy decisions concerned an Austrian citizen filing complaints against an undertaking established in Ireland and its US parent company. Hence, it must be called into question whether the EU data protection regime should at all have been substituted by the US system irrespective of whether it provided an adequate level of data protection. An argument could be made that the adequacy decisions applied beyond the substantive scope of EU law, but that brings questions to fore about the competence of the Union to adopt such decisions. In addition, the procedural system introduced in the first Case regarding Mr. Schrems is rather problematic as it requires national authorities and courts to assess the validity of adequacy decisions. Besides the distortion of the right for national courts to request preliminary rulings into an obligation to do so, most data subject are reluctant to get involved in disputes about the entire legal regime. In many instances, the data subject may rather rely on her or his procedural rights as a consumer. In this article, a systematic analysis of these aspects of the EU privacy safeguards is provided.

Lower Instance National Courts and Tribunals in Member States and Their Judicial Dialogue with the Court of Justice of the European Union

The vast majority of cases that are submitted to the Court of Justice of the European Union (the Court) through the preliminary reference procedure that is contained in Article 267 TFEU come from lower instance national courts and tribunals in EU Member States. As a result, it is not always appellate courts, or higher instance national courts and tribunals, such as courts of final appeal, which make orders for reference. Judicial dialogue between national courts and the Court through this Article 267 TFEU procedure is notable for its particular quality of it being open to receiving orders for reference, for an interpretation of EU law from national courts and tribunals – of any instance – from first instance, to final instance. But can this judicial dialogue between lower instance national courts and tribunals and the Court be impeded by national courts’ more senior national Brethren, with appeals being allowed against orders for reference within national legal orders? The case law of the Court on such an issue has been progressive, in that it developed slowly over time, and the Court, by 2021, becoming increasingly assertive. As will be analysed in this article, the Court’s approach to the arising issue has clearly been an attempt to balance the interests of judicial dialogue on the one hand, and national rules on the other. Yet, with the Court’s broader case law tightening the understanding of who constitutes the European judiciary, and ensuring that all national courts and tribunals remain independent from executive interference in EU Member States, the article commends recent developments, but makes the further plea for an affirmative judgment of the Court to not permit, as a matter of EU law, appeals against orders for reference made by lower instance national courts and tribunals in EU Member States, in the name of preserving judicial dialogue through the preliminary reference procedure.

Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.