On July 16, 2020, the Court of Justice of the European Union (the “CJEU” or the “Court”) issued its landmark judgment in the Schrems II case (Case C-311/18). In its judgment, the CJEU unexpectedly invalidated the EU-U.S. Privacy Shield framework. However, the Court stated that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid.
Below we explain what the case was about, why is it important, and the impact it will have on businesses.
Facts
Mr Maximillian Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network since 2008. After revelations made by Mr Edward Snowden about access by U.S. surveillance authorities to personal data, Mr Schrems was dissatisfied with the transfer of all or part of his personal data by Facebook from the EU to the U.S., where Facebook’s servers have been stored and data processing took place. Mr Schrems lodged a complaint with the Irish Data Protection Authority, requesting, in essence, a ban on such transfer. He argued that United States law and practice did not provide adequate protection against government access to data transferred to that country.
Importance of the Schrems II case
This decision of the CJEU, is important because it examined the validity of two important mechanisms, mandated by the General Data Protection Regulation 2016 (GDPR) for transferring personal data outside the EEA and their ability to maintain the safety of that data in the destination country, namely the EU-U.S. Privacy Shield and the SCCs.
According to the Court, the restrictions on the protection of personal data arising from the U.S. national legislation on access to and use by the U.S. authorities of such data transferred from the Union to that third country, which were assessed by the Commission in Decision 2016/1250, are not regulated in such a way as to meet requirements which are essentially equivalent to those laid down in European Union law in accordance with the principle of proportionality, since monitoring programs based on that legislation are not limited to what is strictly necessary.
On the basis of the findings in that judgment, the Court noted that, in the case of certain monitoring programs, the legislation did not in any way indicate that it contained restrictions or guarantees on the powers of those non-U.S. persons to whom those programs might apply. The Court added that, although those laws set out the requirements to be met by the U.S. authorities in carrying out the relevant surveillance programs, they did not confer on data subjects’ enforceable rights on which they could rely before the courts vis-à-vis the U.S. authorities.
Consequently, the CJEU stated that:
- The EU-U.S. Privacy Shield, which was put in place to replace the U.S. “Safe Harbor” regime, and which supposedly addressed the privacy concerns with the “Safe Harbor” so that EEA based businesses could continue to transfer personal data to their U.S. counterparts which had signed up and complied with the new regime, is invalid. The European Commission had stated the opposite in its decision 2016/1250 on the EU-U.S. privacy shield – that the U.S. adequately ensures data protection. By today’s decision, the CJEU declared the European Commission’s decision 2016/1250 invalid; and
- Standard Contractual Clauses, which are a set of European Commission approved clauses which data exporters and importers sign up to, obliging them to keep personal data exported outside the EEA, safe. There are two sets of clauses – clauses for use between data controllers, and clauses for use in respect of transfers from data controllers to data processors. The CJEU decision examined the latter set of clauses, but the reasoning could also be applied to controller to controller clauses.
Impact on businesses
What this means is a high degree of legal uncertainty and a big headache for businesses which did rely on the EU-U.S. Privacy Shield to govern their data transfers. The good thing is that the SCCs can still, for now, provide a fall back for them, as they did in the immediate aftermath following the initial decision about the US “Safe Harbor” regime – and, out of a range of transfer mechanisms which GDPR provides, such as BCRs (binding corporate rules), and specific derogations such as consent, they are the still often the most practical tool available for large scale, ongoing data transfers.
For those businesses which haven’t used them, and relied instead on the Privacy Shield, additional papering and due diligence will be required. In any case, here are a few points to consider:
- Businesses shouldn’t assume that once they have signed the SCCs, the job is done. The parties need to do their due diligence to ensure that any data being transferred will in fact be kept safe by the data importer, and the clauses themselves do impose obligations on the data importer to put in place technical and organizational measures to keep the data safe and to verify and inform the data exporter if there are any local laws which might compromise the safety of the data, so that the transfer can then be suspended.
- The judgment also highlighted the role which supervisory authorities have to play too in stepping in to suspend or prohibit data transfers where they take a view that standard contractual clauses cannot be complied with in a particular country, and that the protection of the data cannot be ensured by other means. For example, Berlin DPA already asked controllers to stop data transfers to the U.S.
- There needs to be a genuine assessment by the parties in any given situation of all the risks associated with the transfer of personal data to a third country, taking into consideration the nature of the data that is being transferred, the volume, and how it will be used by the data importer in the third country.
- Last, but not least, there is a now a job to be done on what precisely will replace the EU-U.S. Privacy Shield, and EU Justice Chief, Didier Reynders has already said that the EU will look at ways to boost data transfers to the U.S. European Data Protection Board (the “EDPB”) also already stated that if the result of the assessment of security of data transfer to the third country is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
There is a clear and definite need for solutions to create a legally sound regulatory environment for data transmission outside EU. In any case, businesses shall review their practices of data transfers to third countries, especially to U.S. if they did rely on the EU-U.S. Privacy Shield invalidated by the said Schrems II decision. There is a high probability that similar concerns will be raised in the nearest future in regard to jurisdictions such as China, India, and Russia.