The European Court of Justice held in the Schrems II case that the Privacy Shield is invalidated, but the possibility to rely on standard contractual clauses for data transfers needs to be assessed on a case by case basis.
This article was initially published on DLA Piper Privacy Matters Blog and relates to the decision of the Court of Justice of the European Union (CJEU) on the long-awaited case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, commonly referred to as “Schrems II”).
In one of the most anticipated judgments of the year, the CJEU invalidated the EU-U.S. Privacy Shield framework as a mechanism for transferring personal data to the U.S.. The CJEU also held that Standard Contractual Clauses (SCCs), the more commonly-used mechanism for transfers of personal data outside the EU, remains valid subject to the requirement that businesses verify whether the overall context of the transfer (including the destination country) offers appropriate safeguards to individuals’ personal data. The judgment requires EU data protection regulators to suspend or prohibit transfers where such appropriate safeguards cannot be provided.
The background information on Schrems II case
The GDPR regulates the transfer of EU personal data, requiring a valid transfer mechanism. Such mechanisms include adequacy decisions of the European Commission (such as Privacy Shield) and appropriate safeguards (such as Standard Contractual Clauses and Binding Corporate Rules, which address intragroup transfers).
This is not the first time the CJEU has invalidated a transfer mechanism: in 2015, the CJEU invalidated the EU-U.S. Safe Harbor framework (the predecessor to Privacy Shield) in a case commonly referred to as Schrems I, a complaint by the same individual as in the current case. At the heart of Schrems’ complaint was the fact that U.S. surveillance laws did not offer adequate protection for EU personal data, in particular in relation to Facebook’s sharing of EU citizens’ personal data with the U.S. National Security Agency.
The key points of the Schrems II judgment that invalidated the Privacy Shield
The European Court of Justice held that:
Privacy Shield invalidated as a valid mechanism for transferring personal data to the U.S.
The CJEU held that due to the potential access to, and use by U.S. public authorities of, personal data transferred to the U.S., a level of protection essentially equivalent to that guaranteed under EU law cannot be guaranteed. The judgment continues that the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” In addition, in relation to the principle of proportionality provided under EU law, the CJEU held that the U.S. “surveillance programmes based on those provisions are not limited to what is strictly necessary”. The CJEU held that the Privacy Shield Ombudsperson mechanism does not provide an adequate level of protection, as data subjects do not have any cause of action before a body that offers guarantees substantially equivalent to those required by EU law.
The SCCs continue to be a valid mechanism for transferring personal data to countries outside the EEA but subject to limitations
The CJEU held that SCCs may not always constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to a third country. In particular, “where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates”. The judgment reiterates the importance of businesses verifying, prior to any transfer, whether an appropriate level of protection is respected in the relevant third country. Where there are no appropriate safeguards, the transfer of personal data to that third country should be suspended by the exporter or, failing that, the relevant Member State data protection supervisory authority. Although not explicitly referenced in the judgment, it is likely that this obligation would also apply to other appropriate safeguards, including Binding Corporate Rules.
What does all this mean for your business?
The judgment has serious implications on the transfer of personal data outside the EU and is a wake-up call for EU businesses:
- Businesses should analyze data flows that involve transfers of personal data outside the EEA and determine which transfer mechanism (Privacy Shield, SCCs, etc.) is currently being used;
- For those transfers relying upon Privacy Shield, an alternative transfer mechanism must be found as a priority;
- For businesses currently using, or considering using (as an alternative to Privacy Shield), SCCs, businesses must assess the level of appropriate safeguards provided by that transfer to determine whether SCCs are an available mechanism. The real-life risks of such must be taken into account, within the context of the sector / industry and other relevant factors including the destination country and the identity of the recipient, which may be challenging particularly given the uncertainty in the CJEU’s judgment in relation to relying on SCCs for transfers of personal data to the U.S.;
- EU data protection authorities will have the unenviable task of ultimately determining the sufficiency of appropriate safeguards.; and
- The implications of the judgment are likely to trigger a further round of political discussions between the EU and U.S.
Despite the questions that were raised by the CJEU, SCCs remain, for now, the most realistic option for the transfer of personal data outside of the EEA. We expect it will take time for the full practical implications of the decision to flow down and take effect.
Given the impact this decision will have on businesses, we expect Member State data protection supervisory authorities may delay commencing enforcement actions to enable businesses time to assess the situation and put in place alternative solutions, as happened following the 2015 Schrems I judgment and the invalidation of the Safe Harbor framework. However, a grace period is not guaranteed. Nor would it prevent individuals from bringing private claims for compensation or group litigation claims.
DLA Piper is developing a methodology to assist our clients in navigating the impact of the judgment and carrying out the required test when relying on SCCs.
Image Credit European Parliament