Legal Translation | The CJEU's "Schrems II" Judgment: The EU-US Privacy Shield Decision Invalidated, Standard Contractual Clauses Remain Valid

Translator | 巩海璐, master's degree, East China University of Political Science and Law

First review | 陈思源, master's degree, Peking University

Second review | peipei, LL.M., University of Bristol

Editors | 陈婉菁, master's degree, China University of Political Science and Law

         邵娅绮, bachelor's degree, Zhejiang Gongshang University

Managing editor | 王有蓉, bachelor's degree, Xi'an International Studies University


Original text:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CJ0311


I. Facts of the Case

Overview

(1) Schrems I


In 2015, Austrian privacy activist Max Schrems lodged a complaint with the Irish Data Protection Authority (hereinafter "DPA"), asserting that Facebook's Irish subsidiary (hereinafter "Facebook Ireland") transferred his personal data to its US headquarters and processed them there, that US authorities also obtained access to those data, and that US law and practice did not afford them adequate protection; he therefore asked that the transfers be prohibited. The DPA rejected the complaint, taking the view that, under the Safe Harbour Decision, the United States provided adequate protection for the personal data transferred. The DPA then referred the case to the Irish High Court, which in turn asked the Court of Justice of the European Union to rule on the validity of the Safe Harbour Decision. Finally, on 6 October 2015, the CJEU declared the Safe Harbour Decision concluded between the EU and the US in 2000 invalid.[1]


(2) Schrems II


Following the Schrems I judgment, Facebook Ireland explained that it transferred much of the data to its US parent company based on SCCs. On 1 December 2015, Max Schrems reformulated his complaint lodged with the Irish Data Protection Authority (DPA) to the effect that the SCC Decision was not able to justify the transfer of personal data to the US, since US surveillance programmes interfered with his fundamental rights to privacy, to data protection and to effective judicial protection. In a draft decision, the DPA shared Schrems' concerns and brought an action before the Irish High Court, which then made a reference to the Court for a preliminary ruling.


Schrems II is connected to Schrems I described above. After the CJEU delivered the "Schrems I" judgment in October 2015 declaring the Safe Harbour Decision invalid, Facebook Ireland stated that it was transferring most of the data stored in Ireland to its US headquarters on the basis of Standard Contractual Clauses (hereinafter "SCCs"). On 1 December 2015, Schrems lodged a reformulated complaint with the DPA, arguing that US surveillance programmes infringed his fundamental rights to privacy, to data protection and to effective judicial protection, and that the SCCs therefore could not justify Facebook Ireland's transfer of his personal data to the United States. The DPA referred the case to the Irish High Court, which in April 2018 made a reference to the CJEU for a ruling. In the meantime, in July 2016, the EU and the US had adopted the Privacy Shield Decision to replace the Safe Harbour Decision, so the CJEU also had to rule on the validity of the Privacy Shield Decision.[2]



II. Issues in Dispute


The main issues in dispute in this case were: 1) whether the Standard Contractual Clauses[3] were valid when Facebook Ireland carried out these data transfers; and 2) whether the protection provided under the EU-US Privacy Shield Decision was "adequate"[4].



III. The Court's Ruling and Its Main Legal Basis


I. SCCs


1) Ruling on the SCCs


For the purpose of assessing the adequacy of the level of protection for transfers made pursuant to the SCCs, the CJEU confirmed that organizations must first undertake an “assessment” to ensure that, as required by Article 46(1) of the GDPR, data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies. This assessment must involve both a consideration of the provisions of the SCCs, and the laws of the country in which the data importer is located, on a “case-by-case” basis. Factors that are relevant to making this assessment include (but are not limited to) those same factors which the EU Commission considers when evaluating whether an adequacy decision should be made, as set out in Article 45(2) of the GDPR. Some of the factors set out in Article 45(2) of the GDPR include: the rule of law; respect for human rights; access by public authorities to personal data; the existence of independent supervisory authorities; effective data subject rights; and redress avenues afforded to data subjects.


To assess whether transfers made under the SCCs enjoy an adequate level of protection, the CJEU made clear that organisations must first carry out an "assessment" to ensure that, as required by Article 46(1) of the GDPR, data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies[5]. This assessment must take into account, on a "case-by-case" basis, both the provisions of the SCCs and the law of the country in which the data importer is located. The factors relevant to the assessment include (but are not limited to) the same factors, listed in Article 45(2) of the GDPR, that the European Commission considers when evaluating whether to adopt an adequacy decision. Some of the factors set out in Article 45(2) of the GDPR include: the rule of law, respect for human rights, access by public authorities to personal data, the existence of independent supervisory authorities, effective data subject rights, and the avenues of redress available to data subjects[6].


Many of these factors can be met through the data importer agreeing to the provisions in the SCCs. For example, the data importer can agree to process data subject rights requests to EU standards and gives enforceable third party rights to the data subjects. The problematic area is around factors that cannot be addressed through contracting with the data importer – principally (and this is where all the complaints have focussed) on mandatory laws applicable to the data importer (such as surveillance laws) that trump the contractual terms that the data importer has agreed with the data exporter in the SCCs.


Most of the above factors can be satisfied by the data importer complying with the provisions of the standard contractual clauses. For example, the data importer may agree to handle data subject rights requests to EU standards and to grant data subjects enforceable third-party rights. The problem lies with the factors that cannot be resolved by contracting with the data importer, principally the mandatory laws applicable to the data importer (such as surveillance laws) that override the standard contractual clauses agreed between the data importer and the data exporter.


As noted, the focus has been on surveillance laws applicable to the data importer. This judgment suggests that the assessment should at least evaluate and appraise the data importer's legal system to the extent that it permits access by public authorities to personal data. It should include an assessment of: (i) the circumstances in which access is permitted; (ii) the oversight of the access; and (iii) redress available to data subjects (including EU data subjects). This may not be an easy task as the data importer's laws in this area may be opaque and require specialist advice to interpret. Further, the standard that must be met is also not particularly clear. It is fair to say there will be considerable scope for differences in opinion between data exporters who want to export and will tend to read the data importer laws restrictively, and privacy activists who want rights to be protected and who will read them expansively.


As noted above, the focus is on the surveillance laws applicable to the data importer. The judgment indicates that the assessment should at least evaluate the data importer's legal system insofar as it permits public authorities to access personal data. The assessment mainly covers: (1) the circumstances in which access is permitted; (2) oversight of that access; and (3) the redress available to data subjects (including EU data subjects). This may not be easy, since the data importer's laws in this area may be opaque and specialist advice may be needed to interpret them. Moreover, the standard that must be met is also not particularly clear. Data exporters tend to read the data importer's laws narrowly, while privacy activists read them broadly, so there is considerable room for disagreement between the two.


The CJEU held that SCCs remain a valid mechanism to transfer personal data outside the EEA since they provide sufficient protection for EEA personal data. However, the court held that it is for the data exporter (i.e., the EEA-based party) to ensure that, in practice, an adequate level of data protection is provided in the country where the data importer is based: “it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses.” Where a country falls short, the CJEU also encouraged parties to enter into “additional safeguards” to those offered by the SCCs, but it did not elaborate on the form such safeguards could take.


The Court held that the SCCs remain a valid mechanism for transferring personal data outside the European Economic Area (hereinafter "EEA"), on the ground that the SCCs provide adequate protection for EEA personal data. However, the Court also held that the data exporter (i.e. the EEA-based party) must, in practice, ensure that an adequate level of data protection is provided in the country where the data importer is based. It is therefore for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country ensures adequate protection, under EU law, of the personal data transferred pursuant to standard data protection clauses. Where that is not the case, the Court also encouraged the parties to enter into "additional safeguards" beyond those provided by the SCCs, but it did not elaborate on the form such safeguards may take.


II. Privacy Shield


2) Ruling on the Privacy Shield Decision


The CJEU held that the Privacy Shield is not a valid mechanism for transferring personal data from the EEA to the U.S. The CJEU’s decision was based on (i) the limitations on the protection of personal data under U.S. law, and (ii) the disproportionate access and use of EEA personal data by U.S. authorities with no effective redress mechanism for data subjects. In particular, the access to personal data under U.S. surveillance programs could not be regarded as being limited to what is “strictly necessary,” and the Privacy Shield also does not grant individuals based in the EEA actionable rights before U.S. courts against U.S. authorities. According to the CJEU, the Privacy Shield therefore cannot ensure a level of protection essentially equivalent to that arising from the GDPR as supplemented by national data protection laws across EEA countries.


The Court held that the Privacy Shield Decision is not a valid mechanism for transferring personal data from the EEA to the United States. The ruling was based on: (1) the limitations that US law places on the protection of personal data; and (2) the disproportionate access to and use of EEA personal data by US authorities, with no effective redress mechanism for data subjects. In particular, access to personal data under US surveillance programmes cannot be regarded as limited to what is "strictly necessary", and the Privacy Shield does not grant individuals located in the EEA rights actionable before US courts against US authorities. Taking into account that the GDPR is supplemented by the national data protection laws of the EEA countries, the Court therefore held that the Privacy Shield Decision cannot ensure a level of protection equivalent to that provided by the GDPR.[7]



IV. Commentary


I. Implications for commercial data transfers


(1) Implications for commercial data transfers


As a result of the Court's decision, EU companies can no longer legally transfer data to the US based on the Privacy Shield framework. Companies that continue to transfer data on the basis of an invalid mechanism risk a penalty of €20 million or 4% of their global turnover, pursuant to Article 83(5)(c) GDPR. However, commentators disagree on the broader implications of the Court ruling for operators. Some commentators believe that the vast majority of companies can continue using the conventional SCCs, while others argue that companies should, if at all, only use SCCs for transfers to the US if (i) they are not subject to the respective surveillance law, or if (ii) they provide for 'additional safeguards'. The DPA of North Rhine-Westphalia pointed out that any companies using US communication services or transatlantic cables might be subject to US surveillance mechanisms. To salvage SCC-based data transfers, such companies would need to compensate for gaps in protection with, so far undetermined, 'additional safeguards'. The Court stressed that protective contract clauses are not binding on third parties or authorities and therefore likely to be ineffective, while cryptanalytic and quantum computing efforts of intelligence agencies raise concerns about the effectiveness of protective technical measures such as encryption.


Following publication of the ruling, EU companies can no longer lawfully transfer data to the United States on the basis of the Privacy Shield Decision. A company that continues to transfer data on the basis of the invalidated Privacy Shield faces, under Article 83(5)(c) of the GDPR, a fine of up to EUR 20 million or 4% of its global turnover. Commentators, however, disagree about the ruling. Some believe the vast majority of companies can continue to use the conventional SCCs, while others argue that companies should use SCCs for transfers to the United States only, if at all, where they are not subject to the relevant surveillance laws or where the clauses provide for "additional safeguards". The DPA of North Rhine-Westphalia pointed out that any company using US communication services or transatlantic cables may be subject to US surveillance. To keep SCC-based transfers viable, such companies would need to close the gaps in protection with "additional safeguards" that have yet to be determined. The CJEU stressed that protective contract clauses are not binding on third parties or their authorities and are therefore likely to be ineffective, while the cryptanalytic and quantum computing efforts of intelligence agencies raise concerns about the effectiveness of protective technical measures such as encryption.


According to the EDPB and the Conference of the German Data Protection Authorities (DSK), companies may transfer data based on binding corporate rules, but will have to, equally, ensure the essential equivalence. Although the EDPB affirms the possibility of transferring data on the basis of derogations provided in Article 49(1)(a) GDPR, its guidelines raise doubts on their suitability to legitimise recurrent transfers. Furthermore, the EDPB announced that it will not suspend enforcement for a regulatory grace period. The Berlin, Hamburg and Dutch DPAs advise halting transfers to the US. The Berlin DPA even advises to retrieve data from the US. Many DPAs stress the need for further analysis and case-by-case assessments.


According to the European Data Protection Board (EDPB) and the Conference of the German Data Protection Authorities (DSK), companies may transfer data on the basis of binding corporate rules, but must equally ensure that those rules provide an essentially equivalent level of protection. Although the EDPB affirmed that data may be transferred under the derogations in Article 49(1)(a) of the GDPR, it expressed doubts as to whether those derogations can legitimise recurrent transfers. Furthermore, the EDPB announced that it would not suspend enforcement for a regulatory grace period. The Berlin, Hamburg and Dutch DPAs advise halting transfers to the United States. The Berlin DPA even advises retrieving data already transferred from the United States. Many DPAs stress the need for further analysis and case-by-case assessment.


II. Implications for international relations


(2) Implications for international relations


US Secretary of Commerce Wilbur Ross and US Secretary of State Mike Pompeo expressed their deep disappointment with the ruling and suggested possible adverse effects on the US$7.1 million transatlantic economic relationship. Both stressed the importance of data flows for economic growth as well as for the post-Covid-19 recovery and pledged to work closely with the EU. European Commission Vice-President Věra Jourová and Commissioner Didier Reynders committed to joint efforts, and suggested modernising standard contract clauses. While Digital Europe and others would welcome a third longer-lasting adequacy agreement, Business Europe advocates an additional intermediate solution to avoid a negative impact on the economy. Max Schrems and the European Data Protection Supervisor encourage the United States to reform surveillance laws and meet the requirements of the Court. However, it is reported that senior US officials do not consider such an overhaul 'advisable' or 'possible' in the short term. The rationale of this ruling will particularly impact those third countries which conduct extensive surveillance for national security. This might become relevant for the United Kingdom, as it will be treated as a third country post-Brexit. Some commentators suggest that this ruling promotes a world fractured into data spheres of influence. Conversely, the judgment might bolster the European Commission's objective to 'promote convergence of data protection standards at international level, as a way to facilitate data flows and thus trade'.


Former US Secretary of Commerce Wilbur Ross and former Secretary of State Mike Pompeo both expressed disappointment with the ruling and said it would adversely affect the US$7.1 million transatlantic economic relationship. Both stressed the importance of data flows for post-pandemic recovery and economic growth and pledged to work closely with the EU. European Commission Vice-President Věra Jourová and Commissioner Didier Reynders committed to joint efforts to modernise the standard contractual clauses. While Digital Europe and others encourage a third, more durable adequacy arrangement, Business Europe advocates an alternative intermediate solution to avoid a negative impact on the economy. Schrems and the European Data Protection Supervisor encourage the United States to reform its surveillance laws to meet the Court's requirements. However, senior US officials are reported to consider such reform neither advisable nor possible in the short term. The rationale of the ruling will particularly affect third countries that conduct extensive surveillance for national security purposes. This may implicate the United Kingdom, which will be treated as a third country after Brexit. Some commentators believe the ruling pushes the world towards division into separate data spheres of influence. The judgment may, however, help the European Commission achieve its objective of "promoting convergence of data protection standards at international level, as a way to facilitate data flows and thus trade".[8]



Notes


[1]https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf accessed 22 April 2023.

[2] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf accessed 22 April 2023.

[3] A standard contract authorised by the EU to secure data transfers between EU and non-EU countries.

[4] Article 1 of Directive 95/46/EC and recitals 2 and 10 in its preamble seek to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms.

[5] Article 46 (1) of the GDPR provides that: In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

[6] Article 45(2) of the GDPR provides that: When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

[7] https://www.skadden.com/insights/publications/2020/07/schrems-ii-eu-us-privacy-shield-struck-down accessed 24 April 2023.

[8] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf accessed 24 April 2023.
