The possibility that the European Court of Justice will invalidate the Standard Contractual Clauses and the Privacy Shield means companies should be ready for the worst.
This is an article initially published on the DLA Piper Privacy Matters blog here, which I found very interesting and useful, and therefore I am re-publishing it on the blog.
The hearing in the Schrems 2.0 case before the European Court of Justice
On July 9, 2019, Europe’s highest court – the Court of Justice of the European Union (CJEU) – is set to hear a case concerning the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and Privacy Shield – mechanisms widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA.
There is a significant risk that the CJEU will invalidate the Standard Contractual Clauses and the Privacy Shield. If this happens, many organizations will be left without any practical solution to legitimize international transfers of personal data outside the EEA, and will be exposed to the threat of GDPR revenue-based fines, regulatory sanctions including injunctions, and third-party claims for compensation.
Why are the Standard Contractual Clauses and the Privacy Shield important?
The EU General Data Protection Regulation (GDPR), like its predecessor, the Data Protection Directive (Directive), prohibits the transfer of personal data to countries outside the EEA which are not considered to provide an adequate level of protection for personal data under applicable national legal regimes.
Very few countries have been assessed by the European Commission as providing adequate protection, meaning that for many transfers, the exporter of the data must identify and use a relevant compliance mechanism to ensure that the transfer does not breach the GDPR.
By far the most ubiquitous of such mechanisms are the Standard Contractual Clauses. These are sets of template contract clauses, approved by the European Commission, which are entered into between the exporter and importer and which require certain commitments from the parties, aimed at protecting the rights of those whose data are transferred. There are currently three sets of approved SCCs, two for transfers to controllers (those organizations determining the purposes and means of processing personal data) and one for transfers to processors (those organizations processing personal data on behalf of a controller). All three are within the scope of the questions facing the Court.
Privacy Shield is a separate scheme which legitimizes transfers of data to the US. It was introduced in 2016 following the downfall of a predecessor scheme known as ‘Safe Harbor’. Privacy Shield allows businesses to lawfully transfer personal data from within the EEA to US businesses which self-certify compliance with certain privacy principles. The scheme is overseen by the US Department of Commerce and has around 4800 active certified organizations. The validity of Privacy Shield is subject to challenge before the CJEU alongside the SCCs in the so-called Schrems 2.0 case, but the Article 29 Working Party had already raised concerns about it in the past (Read on the topic “EU-US Privacy Shield close to an end after WP29 review?“).
How has the Schrems 2.0 challenge come about?
We are not friends, but – as you can see from this picture – we were both speakers at a privacy conference and I took the opportunity to thank him for the late hours of work after the invalidation of the Safe Harbor program!
Mr. Schrems is an Austrian privacy activist who has concerns about the degree of cooperation between US companies and intelligence agencies, in particular in relation to Facebook’s sharing of EU citizens’ personal data with the National Security Agency. In 2013 he filed a complaint with the Irish regulator against Facebook Ireland Ltd, claiming that Facebook’s transfer of EU citizens’ personal data to Facebook Inc in the US violated their rights.
That complaint led to a referral to the CJEU on the question of whether the Safe Harbor framework (the predecessor to Privacy Shield) violated EU citizens’ rights under article 7 (the right to respect for private life, family, home and communications), article 8 (the right to protection of personal data) and article 47 (the right to an effective remedy before a tribunal) of the Charter of Fundamental Rights of the EU (Charter).
In a landmark finding in October 2015, the CJEU agreed with Mr. Schrems, finding that the Safe Harbor framework did not provide a level of protection for personal data equivalent to that afforded within the EU under the Directive and the Charter, and that it did not, therefore, meet the adequacy standards of the Directive in respect of international transfers. The Court was particularly swayed by evidence submitted that US legislation permitted authorities to access the content of electronic communications on a generalized basis, and lacked any legal remedies for individuals to access their personal data or have it corrected or deleted. The Court overturned the EU Commission’s 2000 adequacy decision, and Safe Harbor was no more. This is now widely known as the ‘Schrems 1’ decision.
In the wake of the Court’s decision in Schrems 1, Facebook, like thousands of other businesses, switched to SCCs as a way to legitimize their international transfers of EU personal data. The EU Commission also agreed to replace Safe Harbor with a new EU-US transfer regime, known as Privacy Shield.
Mr. Schrems, continuing his journey, filed a new complaint with the Irish regulator challenging Facebook’s use of SCCs as an alternative transfer mechanism. The Irish regulator referred the issue to the Irish High Court for consideration. The High Court subsequently referred the matter to the CJEU, with the questions posed to the CJEU extended to also include consideration of the wider issue of EU-US data transfers more generally. Importantly, the European Court is now being asked to consider the validity of Privacy Shield alongside the validity of the SCCs.
What is the key battleground in Schrems 2.0?
The Irish Court has referred a total of 11 questions to the CJEU. These can be seen in full here and have the potential to result in the invalidation of both Privacy Shield and the Standard Contractual Clauses.
The key issue underpinning the questions referred to the Court is the same as that which led to the invalidation of Safe Harbor in the 2015 ruling, namely the alleged incompatibility of EU law’s protection of privacy as a fundamental right on the one hand, and US law’s retention of and state access to data on the other.
All of the parties and the United States have submitted expert testimony. Mr. Schrems’ submission focuses on US laws and directives which, he submits, permit bulk collection of non-US citizens’ information without probable cause or individualized suspicion and provide no effective judicial redress for private individuals. Experts for Facebook and the United States have sought to demonstrate the adequacy of the redress available to EU citizens, concentrating on statutory and administrative limitations within the US government, including the role of the US Foreign Intelligence Surveillance Court, the US Privacy and Civil Liberties Oversight Board, and the US Privacy Ombudsman which was created as part of the Privacy Shield Framework.
The fundamental issue before the CJEU is the alleged power of the US state to carry out mass surveillance of EU citizens’ data without meaningful legal redress for those citizens. As there has been no significant change since the 2015 decision (at least in the case of the SCCs), the widely held expectation amongst privacy professionals is that the CJEU will reach a finding that leads to the invalidation of the Standard Contractual Clauses.
The fate of Privacy Shield is less certain since this was introduced to replace Safe Harbor and therefore had to address the concerns which led to the Safe Harbor decision being overturned. In particular, the Privacy Shield framework incorporates provision for EU citizens to refer complaints to a designated ombudsman which proponents argue makes Privacy Shield more protective than its predecessor.
What happens next?
During this hearing, starting on 9 July 2019, the parties, as well as the European Institutions and the EU Member States, will have the opportunity to present their views.
The Advocate General will then issue their opinion on the case. This usually follows three to six months after the conclusion of the hearing. The CJEU’s judgment typically follows a further three to six months after the Advocate General’s opinion and although the AG opinion carries significant weight, the Court is not bound to follow it and can (and sometimes does) adopt a different position. We can, therefore, expect a judgment of the Court during the first half of 2020.
The CJEU may invalidate the Standard Contractual Clauses and/or Privacy Shield in their entirety, or only certain provisions of them. By default, the judgment of the CJEU takes immediate effect and applies retroactively. In other words, if the Court invalidates the Standard Contractual Clauses and/or the Privacy Shield, they will be treated as if they had never existed, rendering illegal not just future transfers relying on these mechanisms but also all legacy transfers completed prior to the date of the judgment. In exceptional circumstances and for the sake of legal certainty, the CJEU may decide to limit the effects of a judgment to the future, although this discretion is rarely exercised by the Court and notably was not used in the Schrems 1.0 decision.
Following the annulment of an act by the CJEU, the European Institution whose act has been declared void is required to take the necessary measures to comply with the judgment of the CJEU. This means that the European Institutions will need to adopt alternative mechanisms for data transfers outside of the EEA if the Court invalidates the SCCs and/or for data transfers to the US if the Court invalidates the Privacy Shield.
If the Court invalidates the Standard Contractual Clauses and/or Privacy Shield, what does that mean for your business?
If the SCCs and Privacy Shield are struck down by the CJEU, businesses which have been relying on these tools will have to consider alternative mechanisms for their data transfers. Available options are really limited to Binding Corporate Rules (BCRs) or reliance on one of the derogations from the transfer restriction which are set out in Article 49 of the GDPR.
- Binding Corporate Rules are internal rules which can be adopted by multi-national companies and which legitimize the transfer of personal data to group entities in countries that do not provide an adequate level of protection for personal data. They have to be approved by data protection regulators in the EU countries in which the exporters are based, although the “mutual recognition” procedure streamlines this process for the 21 participating EU Member States. Uptake of BCRs has been relatively limited to date and concentrated amongst the larger multi-nationals. They are generally seen as expensive and time-consuming to adopt, making them suitable only for those groups with big budgets and mature privacy frameworks. Also, BCRs typically only legitimize transfers of data within the same group of companies, so businesses with BCRs will still need to find other solutions for transferring personal data outside of their group, e.g. to service providers, unless the service providers have implemented their own “processor” BCRs. In practice, BCRs will not offer an immediate solution to companies looking for a quick alternative to SCCs or Privacy Shield.
- GDPR also includes a narrow list of derogations which can be relied upon where there is no adequacy decision or appropriate safeguards in place. These include: the explicit informed consent of the data subject; where the transfer is necessary for the performance of a contract between the data subject and the controller; where the transfer is necessary for the performance of a contract between the controller and a third party which is concluded in the interests of the data subject; where the transfer is necessary for important reasons of public interest; where the transfer is necessary for the establishment, exercise or defense of legal claims; where the transfer is necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent. Guidance issued by the European Data Protection Board (EDPB) interprets these derogations narrowly stating that the derogations “must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive”.
In summary, there is no alternative readily available and widely applicable solution to legitimise the large-scale, systematic transfer of personal data outside the EEA if SCCs and/or Privacy Shield are struck down by the CJEU.
What steps should companies which rely on SCCs and/or the Privacy Shield be taking?
If the CJEU invalidates the Standard Contractual Clauses or the Privacy Shield, the impact on businesses is likely to be so material that the EDPB will be under intense pressure to declare a “grace period” during which no enforcement action is taken by EU Member State data protection supervisory authorities. This would allow exporters time to assess the situation and put in place alternative solutions. This is what happened after the 2015 Schrems 1 decision and the resulting collapse of Safe Harbor. A grace period is not, however, guaranteed. Nor would it prevent individuals from bringing private claims for compensation or group litigation claims, and, as noted above, there are no obvious alternative mechanisms a business could use to ‘fix’ the position in such a period.
In-house counsel need to be aware of the risks here so that senior management and the wider business can be ready if the CJEU issues a negative decision. It is important to assess the potential impact and available mitigations: for example, decisions may need to be made to stop certain processing activity or cross-border data flows and/or repatriate personal data to within the EEA, or to continue processing outside of the EEA while recognizing that this may carry material legal risk exposure.
The GDPR sets maximum penalties for failure to comply with international transfer requirements at the greater of € 20 million or 4% of annual global turnover in the preceding financial year (Read on the topic “Are privacy fines really massive under the GDPR?“).
There is also the possibility of compensation claims by affected data subjects, including the potential for group litigation, and of injunctions from regulators, i.e. orders to stop non-compliant transfers of data. This is not just a theoretical possibility. For example, following the demise of Safe Harbor, several fines were imposed by the German data protection supervisory authorities for breach of international transfer restrictions and a number of injunctions were threatened. Practical next steps for businesses may include:
- Analysing data flows which involve transfers of data to countries outside the EEA and determining what transfer mechanism is being used, how crucial these are to the business, and likely impacts of not being able to continue such transfers. Considering possible workarounds which could avoid the need for the transfers;
- For those transfers which must continue, considering possible alternatives (e.g. BCRs or derogations as outlined above);
- For key transfers to third party service providers, writing to those third parties and asking what contingency plans they are putting in place to enable them to continue to receive data. Larger vendors should be considering this issue and have sensible recommendations ready for clients, particularly given that they have seen recent precedents in the form of the Safe Harbor invalidation and with Brexit on the horizon;
- Briefing management and other key stakeholders on the risks arising from a potential invalidation of the SCCs and/or Privacy Shield;
- Considering lobbying European Institutions and the US Government concerning the need for an alternative legal mechanism to ensure the ongoing flow of personal data.
Ultimately, some may find themselves in a situation where there is no viable alternative but they need to continue making the transfers, and therefore choose to accept the associated risk. These businesses should be aware that this may not be solely their decision; the importer of the data may not be similarly willing to accept the risk and may put a stop to the transfers.