Schrems II – Groundhog Day for Data Transfers
On Thursday 16 July, the Court of Justice of the European Union (“CJEU”) delivered its judgment in one of the most highly anticipated court cases in data protection, Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (widely referred to as “Schrems II”).
This decision came almost 8 months after Advocate General Saugmandsgaard Øe published his Opinion which, albeit not binding, provided a strong indication of the CJEU's likely judgment.
The key takeaways from the Judgment are the following:
- The Privacy Shield framework, which is used by thousands of companies to transfer data between the EU and US, does not protect the privacy of EU citizens and is declared invalid. This comes less than 5 years after the CJEU struck down its predecessor, the Safe Harbour framework.
- The Standard Contractual Clauses ("SCCs") adopted by the European Commission for the transfer of personal data to processors established in third countries are valid, but companies will have to carefully analyse whether their SCCs are sufficient to ensure that data in third countries is treated in line with the General Data Protection Regulation ("GDPR") and the EU Charter of Fundamental Rights.
The GDPR (Regulation (EU) 2016/679) provides that transfers of personal data to a third country (i.e. any country outside the European Economic Area ("EEA")) may only take place if "appropriate safeguards" are used to legitimise the transfer. Those safeguards should ensure compliance with data protection requirements appropriate to processing within the EU, including both the availability of enforceable rights and of effective legal remedies, as well as adherence to the general principles relating to personal data processing. Among those safeguards are the SCCs, of which many EU companies avail themselves in order to transfer personal data outside of the EEA for their everyday business operations.
In Schrems II, the CJEU was asked to decide upon the validity of European Commission Decision 2010/87/EU, which incorporates the SCCs that are relied on to facilitate these international transfers of personal data.
A complaint was made to the Irish Data Protection Commissioner ("DPC") by the privacy activist, Max Schrems, about certain transfers of his personal data from the EEA to the US on the basis of the SCCs. More specifically, Mr Schrems complained about Facebook Ireland transferring his data outside the EU to Facebook Inc in the USA. The processing of data by the Facebook entity in the US was authorised based on the SCCs, but Mr Schrems argued that the US data protection framework did not provide the safeguards he was entitled to under EU law. He claimed that the SCCs cannot be enforced effectively in light of revelations regarding access of US state agencies to personal data for national security purposes, in a way that was incompatible with the EU Charter of Fundamental Rights.
The Schrems II case comes after 2015’s Case C-362/14 Maximillian Schrems v Data Protection Commissioner ("Schrems I") which invalidated the Safe Harbour framework, another EU/US arrangement used by companies in order to legitimise transfers of personal data from the EEA to the US, and following which the new framework of the Privacy Shield was adopted.
The Advocate General's opinion
The AG's opinion covers two ways to ensure that data transferred to countries outside of the EEA is subject to sufficient safeguards. The first is an "adequacy decision", a decision of the European Commission which confirms that the third country's law and practices offer protection analogous to the GDPR. In the absence of an adequacy decision, though, organisations should take measures to compensate for the lack of a satisfactory level of data protection in a third country by way of other appropriate safeguards for individuals, such as the SCCs adopted by the European Commission.
The Advocate General suggested that the CJEU uphold the validity of the SCCs, arguing that they are a sufficient measure to protect personal data and thus a valid mechanism of transfer, regardless of the level of protection in the country to which the personal data is transferred. However, the opinion suggested that companies and data protection authorities should assess on their own and on a case-by-case basis whether other countries' national security protections are adequate.
The CJEU decision
The CJEU considered that, when personal data is transferred to a third country, it should be "afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the [EU] Charter [of Fundamental Rights]". This protection encompasses appropriate safeguards, enforceable rights and effective legal remedies for individuals.
Through this prism, the CJEU considered the validity of the Privacy Shield and took the view that, despite the safeguards built into this framework, the risks to individual privacy arising from US government surveillance and law enforcement activities mean that the requirements of GDPR and the EU Charter are not met.
Concerns include a lack of proportionality, as access to data by US authorities is not limited to what is strictly necessary, and the lack of actionable rights for individuals before the courts. In the court's opinion, the Privacy Shield decision acknowledges the primacy of US national security, public interest and law enforcement requirements, even when this would condone interference with the rights of EU citizens whose data is transferred to the US. "Mitigating" measures, such as the introduction of an Ombudsman to handle EU citizens' complaints, did not satisfy the requirement for effective judicial protection, partly because the Ombudsman does not have the power to make decisions that bind the US intelligence services.
However, the court found that the SCCs, which are model clauses for data transfers from the EU to third countries, establish effective mechanisms that ensure compliance with the level of protection required by EU law – with the caveat that, if breached or not honoured, transfers of personal data pursuant to such clauses should be suspended or prohibited. In particular, the SCCs oblige both the data exporter and the recipient of data in the third country to verify, before commencing any transfer, not only whether that level of protection is respected in the third country, but also whether the recipient is indeed able to comply with the requirements imposed on them by the SCCs. If not, the UK or EU organisation transferring the data must suspend the data transfer and/or terminate the contractual relationship with the recipient. The court also stated that national data protection authorities are under a duty to order the suspension or termination of data transfers based on the SCCs if, in their view, the SCCs cannot be complied with in the third country to which the data is being transferred.
Any practical tips?
Commenting on the court's decision, RPC data protection partner Jon Bartley said:
"This is an important decision for the thousands of UK and EU companies that rely on Privacy Shield to ensure that data transfers to affiliates and suppliers in the US are lawful. It will have a similar impact to the 2015 decision which struck down the Safe Harbour arrangement and led to many US vendors revising their customer contracts to incorporate SCCs. It now remains to be seen whether the EU and US will be able to find an alternative solution that will succeed where their two previous efforts have failed, although this might require the US government to introduce domestic legislation to address the key concerns regarding its surveillance activities.
Also, although the court has upheld the validity of the SCCs, it has made clear that national data protection authorities are under a duty to suspend or prohibit transfers based on the SCCs if they cannot be complied with in the country to which the data is being transferred. So, we also have the risk that an EU data protection regulator declares the SCCs insufficient for data transfers to the US or other countries. This would cause significant problems for businesses given that the SCCs are the primary mechanism used for data transfers outside the EEA. It's also not yet clear how companies, let alone specialist data regulators, are supposed to judge the legal systems of third countries before authorising data transfers.
In the context of Brexit, this decision increases the pressure on the UK government to obtain an adequacy decision for data transfers to the UK. Concerns about the UK's data-sharing arrangements with the US have already been raised as part of the adequacy review process, which could fuel challenges to the use of SCCs if adequacy is not granted.
As a first step, companies should be looking out for guidance from national regulators and the European Data Protection Board and identifying whether any personal data transfers to the US are made on the basis of Privacy Shield. They should also identify which third countries are recipients of personal data on the basis of the SCCs so that assessments of those countries can be made on the basis of guidance that we hope will soon be produced."
With the demise of the Privacy Shield, and the requirement that the SCCs be judged on a case-by-case basis, the uncertainty surrounding international data transfers is set to continue.