The Right to an Effective Remedy in International Personal Data Transfers
By Dr Irene Kamara (Tilburg University & Vrije Universiteit Brussel), Prof. Dr. Eleni Kosta (Tilburg University), Prof. Dr. Sofia Ranchordas (University of Groningen & Luiss Guido Carli University)
In July 2020, the Court of Justice of the European Union (CJEU or the Court) annulled for the second time a Commission Decision which found that the US offers a (partially) adequate level of protection to individuals whose data are transferred to that country. The Commission Decision was based on the so-called Privacy Shield, a US-EU bilateral agreement providing companies a mechanism to comply with legal requirements for the transfer of personal data. In both CJEU rulings, namely the 2015 Schrems I (Case C‑362/14) and the 2020 Schrems II (C-311/18), the CJEU found that the Commission Decisions declaring the US partially adequate to receive personal data of EU citizens were incompatible inter alia with regard to the right to an effective remedy. In Schrems II, the CJEU highlighted that effective redress in the third country is ‘of particular importance’ in the context of personal data transfers. Individuals (data subjects) might be compelled to resort to national authorities and courts of a third country, where their personal data are transferred, if the administrative and judicial authorities of their Member States ‘have insufficient powers and means to take effective action’ to investigate their complaints (C-311/18, para 189). In case of data transfers to the US, the Court found that specific US legislation on US surveillance programs ‘does not grant data subjects rights that are actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.’ (C-311/18, para 192).
Despite those rulings, data flows are essential for commercial and trade relationships between the US and the Union, and continue to take place on the basis of other legal grounds such as the transfers to appropriate safeguards (e.g., contractual commitments and policies in the form of Binding Corporate Rules) in the General Data Protection Regulation (GDPR) (Regulation 679/2016) which suffer from similar problems with regard to safeguarding the fundamental right of Article 47 of the Charter of Fundamental Rights of the European Union (CFREU) on the right to an effective remedy and fair trial.
On 11 October 2021, the Tilburg Institute for Law, Technology, and Society of the Tilburg University and the Faculty of Law of the University of Groningen, with the support of the Netherlands Network for Human Rights Research, co-organised a roundtable titled: “Post-Schrems II: the future of the right to an effective remedy in international data flows.” The aim of the roundtable was to discuss the challenges posed to the right to an effective remedy enshrined in Article 47 CFREU, when personal data are transferred outside the borders of the Union and explore potential solutions.
The roundtable took place one year after the publication of the Schrems II ruling. It took stock of the Commission’s new negotiation efforts with the US counterparts towards ensuring whether the US offers and adequate level of protection of personal data, the reactions of European data protection authorities that warned companies to take measures ensuring that all data transfers to the US have a legal ground and are coupled with additional appropriate measures, and civil society activists that following the Schrems II case in July 2020, filed for over 100 complaints for violation of their rights by the ongoing data flows.
Following a keynote speech by prof. Herwig Hofmann (University of Luxembourg) and a discussion by prof. Mariolina Eliantonio (Maastricht University), participants representing public authorities, academia, industry, and civil society discussed two main aspects: first, the role of current legal bases provided by the GDPR in safeguarding the right to an effective remedy, and second, the future of effective redress of data subjects, and possible ways ahead.
As regards, the first issue, participants talked about the threshold of data subjects’ right to an effective legal remedy set by Article 44 GDPR, and the case law of CJEU and the European Court of Human Rights (ECtHR). The discussion revolved around questions on whether the existing legal bases in the GDPR provide for concrete safeguards for effective remedies, but also on what the role of supervisory data protection authorities in the EU and the third countries should be, and in specific how to exercise their tasks to supervise, through investigative and corrective powers, the application of the data protection law.
The second part of the discussion was forward looking as it identified what to expect but also what the possible way ahead should be for safeguarding the right to an effective remedy in international data transfers. A possible option put on the table by the organizers and discussed by participants concerned a Privacy Shield 2.0,, a new negotiation between EU and US taking into account the findings of Schrems II. Other options included the strengthening of international cooperation mechanisms, third party beneficiary clauses in contractual agreements (e.g. standard contractual clauses, certification agreements), and data localisation in the EU.
Overall, the issue of how to ensure effective remedies on the ground for international data transfers is certainly a matter that goes beyond the Schrems cases and the EU-US relationships. The European Commission has recently published adequacy decisions for Japan and the UK, and draft adequacy decision on South Korea. Thus, while international trade and information society services are offered without being bound to geographical borders, human rights and fundamental values of individuals need to be respected; human rights guarantees should follow the data.
Dr. Irene Kamara is Assistant Professor Cybersecurity Governance at the Tilburg Institute for Law, Technology, and Society at Tilburg Law School and affiliate researcher at the Research Group in Law, Science, Technology, and Society at the Vrije Universiteit Brussel. Her research explores norm-making and enforcement in cyberspace, including technical standardisation. Irene has conducted research for the European Commission, the National Cyber Security Agency in the Netherlands, the European Cybersecurity Agency (ENISA) and other organisations. She is also invited as external expert evaluator of EU funded proposals on societal security. Irene is selected as a member of the ENISA Experts List for assisting in the implementation of its Annual Work Programme. Earlier this year, Irene was the winner of the 2021 Standards+Innovation Individual Researcher award of the European Standardisation Organisations. Irene is qualified attorney-at-law and was practicing for several years before joining academia.