By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher, in consultation with Gabriela Zanfir-Fortuna, Senior Advisor
In a previous post, Laila Abdelaziz outlined the path to an adequacy decision after the European Commission (EC) and the United States announce an agreement in principle. Almost two years after the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield in Schrems II, President Biden and EC President von der Leyen have announced such an agreement. As the respective teams turn to finalizing the relevant documentation, Max Schrems stated that if the final text is not in line with EU law, “we or another group will likely challenge it.” What path might those opposing the new framework take to challenge the adequacy decision?
Under Article 77 of the General Data Protection Regulation (GDPR), a data subject has the right to “lodge a complaint” with the appropriate supervisory authority (commonly referred to as a data protection authority, or DPA). Could such a complaint seek a determination by the DPA to invalidate the new adequacy decision? The short answer is “no.”
The CJEU has made clear that DPAs are bound by the adequacy decisions of the European Commission (EC). In its first encounter with litigation brought by Max Schrems challenging data transfers to the U.S. (Schrems I), the CJEU stated: “Pursuant to the fourth paragraph of Article 288 of the Treaty on the Functioning of the European Union (“TFEU”), [the adequacy decision] is binding on all the Member States to which it is addressed and is therefore binding on all their organs” (Article 288 of the TFEU states “a decision [of an EU institution] shall be binding in its entirety”). Further, the CJEU affirmed that “until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection.” (para. 51-52)
Under Article 79 of GDPR, a data subject “shall have the right to an effective judicial remedy where he or she considers that his rights under this Regulation have been infringed…” Article 79 further provides that proceedings “shall be brought before the courts of the Member State” where the controller or process has an establishment, or where the data subject has his or her habitual residence. Thus, a challenger may proceed directly to the appropriate court of a Member State.
But can a national court invalidate the adequacy decision? Again, the short answer is “no.” The Schrems I court left no doubt on this score: “[T]he Court alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46 [on adequacy], is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly . . . Whilst the national courts are admittedly entitled to consider the validity of an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, they are not, however, endowed with the power to declare such an act invalid themselves.” (para. 61-62)
Since only the CJEU can rule on the validity of an adequacy decision, is there a way for a complainant to bypass the national courts and bring a claim directly before the CJEU? To answer this question, it is first necessary to unpack the structure of the Court. The CJEU is made up of two separate courts: the Court of Justice (commonly referred to as the European Court of Justice or ECJ) and the General Court.
It was the ECJ that issued the Schrems I and Schrems II decisions. On its website, the CJEU explains that the ECJ rules on national court referrals “[t]o ensure the effective and uniform application of European Union legislation and to prevent divergent interpretations,” recognizing that the ECJ’s judgments bind not only the referring court but also “other national courts before which the same problem is raised.”
The website goes on to state: “It is thus through references for preliminary rulings that any European citizen can seek clarification of the European Union rules which affect him. Although such a reference can be made only by a national court, all the parties to the proceedings before that court, the Member States, and the institutions of the European Union may take part in the proceedings before the Court of Justice.”
The General Court is the CJEU body that hears cases brought directly to the CJEU by “natural persons” (i.e., individuals). The nuances of the jurisdiction of the General Court are beyond the scope of this brief article; for our purposes, it is sufficient to note, first, that the standing requirements for these challenges are quite strict, and, second, that questions of EU law are in any case subject to appeal to the ECJ. Thus, whether the case is brought before a national court or, assuming it fits within the General Court’s jurisdiction, before the General Court, the ultimate question of legal validity will likely end up with the ECJ.
With all the above in mind, it is instructive to walk through how prior adequacy decisions were challenged in Schrems I and Schrems II.
In Schrems I, Max Schrems submitted a complaint to the Irish Data Protection Commissioner (“Commissioner”) asking them to use their statutory powers to prohibit Facebook Ireland from transferring his personal data to the United States. His complaint claimed that the United States failed to provide adequate protection of personal data, referring to revelations made by Edward Snowden regarding the National Security Agency. The Commissioner refused to investigate the complaint in part because questions of adequacy had to be determined in accordance with the European Commission’s adequacy decision. That decision had been issued on July 26, 2000, and had found that the U.S.-EU Safe Harbor Framework provided an “adequate level of protection” as required by the then-applicable Data Protection Directive, Directive 95/46/EC (since replaced by the General Data Protection Regulation (GDPR)).
Consistent with Article 22 of the Data Protection Directive, Schrems brought his complaint to the Irish High Court (“High Court”). Because the complaint, in essence, raised the question of whether the adequacy decision was valid, the High Court referred the matter to the CJEU. There, the ECJ invalidated the adequacy decision.
In Schrems II, Schrems submitted a complaint to the Data Protection Commissioner stating that Facebook was transferring personal data through standard contractual clauses (SCCs) from its European headquarters to the United States, and again asked the Commissioner to prohibit or suspend the transfer of his personal data. The Commissioner investigated the complaint and “took the provisional view that the personal data of EU citizens transferred to the United States were likely to be consulted and processed by the US authorities in a manner incompatible with Articles 7 and 8 of the Charter and that US law did not provide those citizens with legal remedies compatible with Article 47 of the Charter.” (para. 56) The Commissioner brought an action questioning the validity of the SCCs before the High Court, which in turn Court referred the case to the CJEU on April 12, 2018. The CJEU invalidated the EU-US Privacy Shield while also upholding the validity of the SCCs.
Thus, both the Schrems I and II cases started at the DPA level before making their way, through the national court system, to the CJEU. We do not know whether future challenges will follow that path, or whether they will proceed directly to a national court (or even, if available, the General Court).
What about timing? How long do these paths take? In Schrems I, the original complaint was filed with the Data Protection Commissioner on June 25, 2013, and the final decision was handed down by the CJEU on October 6, 2015, for a total elapsed time of 28 months. It took the CJEU 16 months to decide Schrems I once it received the complaint from the High Court. In Schrems II, the total elapsed time was 57 months. The Schrems II decision took 50 months between the High Court and CJEU. The CJEU spent 33 of those months deciding the case once it received the complaint from the High Court. If the new Privacy Shield framework is challenged, a decision on its validity could take several years.
There may be “expedited procedures” available at different stages. For example, the ECJ publishes an “expedited procedure” for giving rulings quickly “in very urgent cases” as well as an “urgent preliminary ruling procedure” for certain exceptional circumstances. Determining whether these procedures would apply is again beyond the scope of this brief article.
In short, all paths lead to the CJEU (and more specifically, the ECJ) to determine the validity of an adequacy determination under EU law.
This post has been updated for clarity.