The Court of Justice of the European Union (CJEU) has now delivered its highly anticipated judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems, also known as ‘Schrems II’.
The CJEU has declared that:
- The Privacy Shield, an adequacy decision enabling transfers of personal data to registered US organisations, is invalid and cannot be relied upon as a means of transferring personal data from within the EU to the USA.
- The European Commission approved Standard Contractual Clauses (SCCs) are still valid. These clauses are a form of wording that contracting parties in the EU and in third countries can agree to in order to make personal data transfers to non-EEA countries.
- Data protection authorities should suspend or prohibit transfers of personal data to third countries where, in such countries, the SCCs cannot be complied with and EU standards of protection of the data cannot be ensured by other means (presuming data exporters have not already suspended transfers). This element of the judgment brings with it unwelcome uncertainty for businesses which, as a result, may well question how long they can rely on the SCCs to make transfers of personal data to certain non-EEA countries, especially the USA.
The CJEU judgment brings considerable uncertainty to businesses in terms of their continuing ability to transfer personal data to the USA and to certain other non-EEA countries and, whilst the CJEU decision is not necessarily unexpected, it does now leave international data transfers in a difficult place and prime for further clarification. We take a look at some of the potential implications of this below.
Background to Schrems II
Schrems II follows the 2015 case of Schrems I in which the CJEU found the ‘Safe Harbour’ agreement on transatlantic data flows (the predecessor of the now invalid Privacy Shield) to be invalid. Both Schrems I and II stem from a complaint made by Maximillian Schrems, an Austrian privacy activist, about transfers of his personal data by Facebook Ireland to servers belonging to Facebook Inc. located in the USA. Mr Schrems claimed that US law and practices do not offer sufficient protection from access by public authorities, placing (in Schrems II) the Privacy Shield and SCCs under the spotlight.
Invalidity of the Privacy Shield
The CJEU has declared the Privacy Shield invalid on the basis that it considers:
- US domestic law affords limited protection of EU personal data due to the rights of access and use of personal data by US public authorities. In the CJEU’s view, this is not proportionate nor are US surveillance programmes limited to what is strictly necessary.
- Individuals do not have actionable rights before the courts against the US authorities.
- The Ombudsman mechanism in the US does not provide individuals with a cause of action before a body that offers guarantees that are substantially equivalent to those required by EU law (such as being able to bind US intelligence services with its decisions or giving guarantees of its independence)
- Under the Privacy Shield US national security, public interest and law enforcement requirements take primacy over the principles in that adequacy decision.
Obligations on businesses under SCCs to assess level of protection
In validating the SCCs, the CJEU places importance on the fact that the SCCs require the organisation transferring personal data outside of the EEA to verify, prior to any transfer, whether the level of protection required by the EU (i.e. that afforded by the GDPR and EU Charter of Fundamental Rights) is respected in the relevant non-EEA transferee country. Additionally, the non-EEA transferee organisation should inform the EU organisation of any inability to comply with the SCCs. If it does, the transferring EU organisation must then suspend transfer of the data and/or terminate the contract.
Whilst this may be laudable at a conceptual level and is not necessarily new, this appears to confirm a particularly high regulatory burden on the transferring organisation. The CJEU’s judgment implies that transferring organisations are expected to make a (presumably detailed) assessment of national security laws and surveillance practices in every non-EEA country to which they transfer personal data under the SCCs, as well as the impact of such laws and practices on an individual’s right to privacy. It is unclear the lengths to which an organisation must go in its verification – obtaining local advice may be helpful, but that in itself may not be sufficient.
Next steps for businesses
There are only a limited number of ways that personal data can be transferred from within the EU to third countries in compliance with the GDPR. Adequacy decisions are a key mechanism relied on by many organisations, and the Privacy Shield formed a useful mechanism for organisations transferring personal data to the USA. Now that the Schrems II judgment has rendered this mechanism unavailable, data exporters and data importers that previously relied on the Privacy Sheild will wish to look at what other options they have:
- The SCCs are the main other mechanism used by organisations to transfer personal data to the US under the GDPR and may be a suitable alternative for many businesses. The CJEU judgment does, however, appear to confirm a greater regulatory burden in the use of SCCs and this may have a practical impact on their use (see above).
- Other derogations (such as consent or where the transfer of personal data is necessary for performance of a contract) may apply in some circumstances but will only be applicable in specific situations and are often considered to be of limited use.
- Binding corporate rules may be an option for some organisations, but putting them in place is an onerous and lengthy process and may only be attractive for certain types of organisation and transfers.
However, it remains unclear how long any of the above mechanisms can be relied on to make transfers to the USA or other non-EEA countries. Due to the language of Article 44 of the GDPR (General Principle for Transfers), the CJEU considers that an EU equivalent level of protection must “be guaranteed irrespective of the provision of that chapter [i.e. the mechanism] on the basis of which a transfer of personal data to a third country is carried out”.
The fact that the CJEU considers that the USA does not offer a sufficient level of protection in data privacy terms casts doubt in and of itself on how transfers to the USA are capable of being made in compliance with the GDPR under any mechanism. It is not difficult to see how the Schrems II decision may, in time, extend to invalidate some or all of the remaining transfer mechanisms noted above.