On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down a historic judgment in the Schrems II case (C-311/18): the Court invalidated the decision of the European Commission on the adequacy of the protection provided by the EU-US Privacy Shield for transfers of European data to the US (the “Privacy Shield Decision”).

This clearly means that companies in the European Union (EU) may no longer rely on the Privacy Shield to transfer data across the Atlantic. However, does the Court’s ruling also produce the same effects in those countries that are not members of the EU, but that apply the same data protection rules due to their membership in the European Economic Area (EEA) (i.e., Norway, Iceland and Liechtenstein or, collectively, the EEA EFTA States)? It is generally assumed that the answer is yes. For example, shortly after the publication of the Schrems II judgment, the Norwegian Data Protection Authority (Datatilsynet) stated that: “it is not possible to use the Privacy Shield as a basis for transfer anymore,” and all of the other data transfer requirements introduced by the Court’s judgment “have already begun to apply.” However, the answer might be more complex (and perhaps different) than many probably expect.

The Status of the Privacy Shield in the EFTA Pillar after Schrems II

The relationship between EU law and EEA law is far from being plain and simple. The two legal regimes largely mirror each other, but they exist in parallel and are managed by separate institutions. This is because the EEA EFTA States have not transferred any legislative competences to the EU. In addition, as a rule, the EEA EFTA States are constitutionally unable to accept binding decisions made by the EU institutions directly.

In order to extend the applicability of an EU act to the EEA EFTA States, the act has to be made part of the EEA Agreement by incorporation into one of the Annexes of the Agreement. This incorporation is not automatic: it is done by means of a decision of the EEA Joint Committee, which may introduce adaptations to the incorporated EU act to cater for the specific needs of the EEA or one of the EEA EFTA States. For instance, this is the process that was followed to extend the applicability of the Commission’s Privacy Shield Decision and of the EU General Data Protection Regulation (GDPR) to the EEA EFTA States: both acts were indeed incorporated into Annex XI of the EEA Agreement.

The same process is normally also followed to remove an act from the EEA Agreement, thus making it inapplicable to the EEA EFTA States. For example, after the CJEU invalidated the Commission’s Safe Harbour Decision (i.e., the predecessor of the Privacy Shield Decision), the EEA Joint Committee adopted a decision that removed the relevant Commission decision from Annex XI of the EEA Agreement. Thus, the lack of automatism that applies when incorporating an EU act into the EEA Agreement normally also applies in the reverse scenario.

In this regard, it is interesting to note that, as of the beginning of October 2020, the Commission’s Privacy Shield Decision has not been removed from Annex XI of the EEA Agreement. Thus, formally speaking, one could argue that it is still part of the EEA legal order, pending a decision of the EEA Joint Committee to remove it from Annex XI.

The fact that the CJEU invalidated the Commission’s Privacy Shield Decision mainly because it found that it was incompatible with the EU Charter of Fundamental Rights adds to the complexity. This is because the Charter does not apply to the EEA EFTA States, and one cannot simply assume that a CJEU judgment which applies the Charter entails the same consequences for the EU and for the EEA EFTA States.

The EFTA Court (i.e., the Court homologous to the CJEU for the EFTA pillar) has often tried to remedy the inapplicability of the Charter to EEA EFTA States by applying the European Convention on Human Rights (ECHR), an instrument that all of the EEA EFTA States have ratified and that contains largely the same rights enshrined in the EU Charter (see, among others, Joined Cases E-3/13 and E-20/13, Fred. Olsen and Others, para. 224). However, it should be noted that the CJEU is entitled to interpret the rights laid down in the Charter as providing a higher level of protection than that granted by similar rights in the ECHR (see Article 52(3) of the Charter). Moreover, it is noteworthy that one of the Charter’s provisions applied by the CJEU in the Schrems II case (i.e., Article 8 of the Charter) does not have an exact equivalent in the ECHR. Thus, had the EFTA Court been asked to review the Commission’s Privacy Shield Decision, it would not have necessarily applied the same human rights standards that the CJEU applied in Schrems II. Furthermore, should the EFTA Court be asked to review similar decisions in the future, it will not be bound by the CJEU’s judgment in Schrems II (although it will certainly take that judgment into due consideration, in light of the principle laid down in Article 3(2) of the Surveillance and Court Agreement). In essence, one may not exclude that the two Courts would come to different conclusions, even though the EFTA Court tends to follow the judgments of the CJEU.

It should also be noted that Section 5e of Annex XI to the EEA Agreement (which incorporates – with certain adaptations – the GDPR into the EEA Agreement) expressly envisages that there may be a temporal discrepancy between the time when an adequacy decision is repealed and the time when such a repeal produces its effects in the EEA EFTA States. Indeed, Section 5e provides that:

“Pending a decision by the EEA Joint Committee to incorporate into the EEA Agreement an implementing act adopted pursuant to [Article 45(5) GDPR (i.e., the legal basis to be used by the Commission to repeal an adequacy decision)] an EFTA State may decide to apply the measures contained therein.

Each EFTA State shall decide and inform the Commission and the EFTA Surveillance Authority, before the entry into force of any implementing act adopted pursuant to [Article 45(5) GDPR], whether it, pending a decision by the EEA Joint Committee to incorporate the implementing act into the EEA Agreement, will apply the measures contained therein at the same time as the EU Member States or not. In the absence of a decision to the contrary, each EFTA State shall apply the measures contained in an implementing act adopted pursuant to [Article 45(5) GDPR] at the same time as the EU Member States” (emphasis added).

The above provision only addresses the consequences for the EFTA pillar of a Commission decision to repeal an adequacy decision after having found that a third country no longer ensures an adequate level of protection. However, one could argue that the EEA EFTA States enjoy a similar degree of independence and freedom when an adequacy decision is removed from the EU legal order by means of a Court order which sanctions its incompatibility with an EU instrument that is not binding for the EEA EFTA States, like the Charter.

In light of the above, one may legitimately wonder what consequences the CJEU’s judgment in Schrems II produces, at present, for the EEA EFTA States, and in particular whether the Commission’s Privacy Shield Decision should be considered automatically and immediately invalid also in the EEA legal order. Answering this question requires striking a fair balance between the sovereignty that the EEA EFTA States have not delegated to European institutions and the principle of homogeneity between EU law and EEA law. This is of practical significance, as US authorities have declared that they will continue to enforce the EU-U.S. Privacy Shield scheme, despite the CJEU’s invalidation of the Commission’s Privacy Shield Decision. Thus, should the latter Decision be considered still applicable in the EEA EFTA States, pending an EEA Joint Committee decision to remove it from the EEA Agreement, companies might be entitled to continue using the Privacy Shield as a basis for sending data to the US from (or through) Norway, Iceland or Liechtenstein.

The Implications of Schrems II for the Future Handling of Data Transfer Complaints in Norway, Iceland and Liechtenstein

From an EEA point of view, the Schrems II judgment is also problematic for the future handling of possible complaints regarding data transfers based on Commission adequacy decisions, which will be brought before data protection authorities in the EEA EFTA States. This is because, in Schrems II, the CJEU found that “until such time as a Commission adequacy decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection […] and, as a result, to suspend or prohibit transfers of personal data to that third country” (see para. 118). Instead, “the competent national supervisory authority, when a complaint is lodged by a person concerning the protection of his or her rights and freedoms in regard to the processing of personal data relating to him or her, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the GDPR and, where relevant, to bring an action before the national courts in order for them, if they share the doubts of that supervisory authority as to the validity of the Commission adequacy decision, to make a reference for a preliminary ruling for the purpose of examining its validity” (see para. 120).

In other words, according to the CJEU, an adequacy decision may be disapplied by a data protection authority only after the Court has declared it invalid following a reference for a preliminary ruling. This may be problematic for data protection authorities in the EEA EFTA States, as they do not have access to a preliminary ruling system analogous to the one available in the European Union.

Under Protocol 34 to the EEA Agreement, the national courts of the EEA EFTA States may ask the CJEU to decide on the interpretation of EEA rules corresponding to EU rules. However, this was envisaged as a very exceptional procedure, which has never been used in practice. The standard (but rather underutilized) process under EEA law is that of requesting an advisory opinion on the interpretation of EEA law from the EFTA Court. However, it is questionable whether, in the context of an advisory opinion procedure, the Court could invalidate an EU act incorporated in the EEA Agreement, or the EEA Joint Committee’s decision incorporating such an act. This is because the Surveillance and Court Agreement, which establishes the jurisdiction of the EFTA Court, does not expressly confer such a competence on the Court, and there is no provision equivalent to Article 267(1)(b) of the Treaty on the Functioning of the European Union (TFEU) in the Surveillance and Court Agreement or the EEA Agreement. The EFTA Court’s competence is essentially limited to giving advisory opinions on the “interpretation of the EEA Agreement,” and reviewing the validity of the acts of the EFTA Surveillance Authority. Nonetheless, the EFTA Court has found that it has jurisdiction to give advisory opinions on the interpretation of provisions of the EEA Agreement concerning the functioning of the EEA Joint Committee (including its competence to adopt a certain act), but has never expressly stated that it may review the validity of a decision of the Joint Committee (see Case E-6/01, CIBA, paras. 20-23).

This makes it difficult to predict how a complaint like the one that gave rise to the Schrems II judgment would be treated if it were brought before a data protection authority of an EEA EFTA State.

The issues outlined in the present article are just an example of the complex relationship that exists between the EU and the EEA legal systems, and of the widening gap between the EU Treaties and the EEA Agreement. However, this example shows how this gap seems to be widening more rapidly in regulatory areas that are directly connected with the protection of fundamental rights (like privacy and data protection), which makes the call for an update of the EEA Agreement all the more timely.

* This article reflects only the personal views of the author. However, thanks are due to Halvard Haukeland Fredriksen and Stian Øby Johansen for useful inputs on EEA law.