Earlier today, the Court of Justice of the European Union (CJEU) handed down its much anticipated decision in ‘Schrems II,’ the ongoing litigation initiated by lawyer and privacy activist Maximillian Schrems. Here, Partner Robert Peake and Associate Nick Leslie explore the case.

Following on from the December 2019 Opinion of Advocate General Saugmandsgaard Øe (the AG) (our commentary on the AG’s Opinion is here), the CJEU held that Standard Contractual Clauses (SCCs) do not violate the EU Charter of Fundamental Rights (EU Charter), but Privacy Shield is dead.

Privacy Shield dead – New legal basis for transfer required

In a departure from the AG’s view that the validity of the Privacy Shield framework did not need to be reviewed, the court proceeded with its assessment and concluded that the European Commission’s Privacy Shield decision was invalid. Consequently, companies relying on that framework for personal data transfers between the EU and the US must now rely on another legal mechanism, or suspend such transfers.

Standard Contractual Clauses are valid for transfer of personal data

The upholding of SCCs is welcome news for data controllers and processors operating internationally. It is also helpful to those transferring data into or out of the United Kingdom, given the imminent departure from the EU at the end of the 2020 transition period, as many such organisations rely on SCCs for their cross-border transfers. What is worrying for businesses is that the CJEU also confirmed that assessing whether data transfers are legal requires a consideration not only of the terms of the SCCs between the parties, but also of the domestic law in the recipient jurisdiction. In short, the existing SCCs are valid, but that is only part of the picture; it is ultimately the responsibility of data controllers to be satisfied that adequate protections are in place for their international personal data transfers.

Background

The transfer of personal data outside of the EEA is prohibited by EU data protection law, unless a finding of adequacy for the destination country is made by the European Commission (EC), or if the data controller can rely on another legal basis for transfer. The US had not benefitted from an adequacy decision by the EC. Accordingly, in 2000, the US government and the EC agreed a self-certification scheme based upon the ‘Safe Harbour’ principles in order to help organisations transfer personal data from the EU to the US, later updated to the Privacy Shield.

Mr. Schrems’s first case (Schrems I) successfully challenged transfers of personal data from Facebook Ireland to the US servers of Facebook Inc. (headquartered in Menlo Park, California); the CJEU ultimately held that Safe Harbour was invalid. After the decision, many organisations that wished to continue transferring personal data outside of the EEA came to rely on EC-approved SCCs, or on the EU-US Privacy Shield which replaced Safe Harbour in 2016. Mr. Schrems subsequently challenged Facebook’s reliance on SCCs to transfer his personal data to the US (though not the validity of the SCCs themselves), a challenge that was eventually referred to the CJEU by the Irish High Court.
In his initial complaint to the Irish Data Protection Commissioner (DPC), Mr. Schrems argued that the SCCs should not allow Facebook to transfer personal data to the United States, as they do not afford adequate means for EU citizens to invoke EU Charter rights in the US. In referring the case to the Irish High Court, the Irish DPC went a step further, opining that the entire SCC system should be invalidated.

Court’s decision

In keeping with the AG’s Opinion, the CJEU found that SCCs are valid under EU law. Specifically, the CJEU disagreed with the Irish DPC in finding that the invalidation of a global data transfer system, due to particular issues with a third country (such as the US), would be inappropriate and disproportionate.
The CJEU held that the fact that SCCs are not legally binding upon data protection authorities in a third country does not mean that SCCs are invalid for providing insufficient safeguards to data subjects. The court noted that SCCs mandate that data transfers be suspended where a recipient is unable to honour the protections afforded by SCCs due to local laws in recipient countries. Where such SCCs do not provide adequate protection for EU data subjects, either the data exporter or Member State data protection authority should suspend those SCCs.

The CJEU’s decision, in keeping with the AG’s Opinion, effectively states that where it is impossible for personal data to be protected when transferred to a third country pursuant to SCCs, the transferring data controller must suspend such transfers. Where the controller fails to do so, it falls to the relevant local data protection authority to suspend the data transfers. In the context of Schrems II, this would mean that (on Mr. Schrems’s argument) Facebook Ireland must stop transferring personal data to Facebook, Inc. in the US on the basis of SCCs; failing which, the Irish DPC must suspend or prohibit such continued data transfers.

Comment

The key takeaway from the CJEU’s decision is that, whilst valid, SCCs do not grant data transferring organisations unrestricted freedom to transfer data to third countries. You must consider whether the SCCs’ protections and safeguards can be complied with under that country’s laws, and whether the protection of personal data required by EU law can be achieved by other means. Where protection equivalent to the protections guaranteed by the GDPR and the Charter cannot be established, EU data controllers should suspend such data transfers. This will require a case-by-case analysis, which unfortunately does not give the certainty that businesses would wish for the law to provide.

As noted above, the Irish DPC will now be under increased pressure to investigate, and possibly suspend or prohibit transfers of personal data to the US on the basis of SCCs, where data controllers themselves do not take appropriate action. The Irish DPC has stated, following the court’s decision, that they intend to work with other European authorities to develop a common position on the matter.

The most important aspect of the decision is the fact that the CJEU departed from the AG’s Opinion as to the validity of the EU-US Privacy Shield. The CJEU considered, and then invalidated, the European Commission’s 2016 Privacy Shield decision on the basis that data processing under US domestic and national security law is not limited to what is strictly necessary for those purposes, and that protections for personal data essentially equivalent to those under the GDPR and the Charter are not met.

A key difference between Safe Harbour and Privacy Shield was the establishment, under the latter, of a US Privacy Ombudsman, whose mandate includes adjudicating complaints and ensuring that data subjects who are the subject of EU-US Privacy Shield transfers have a means of legal redress. In his Opinion, the AG concluded that the Ombudsman position did not satisfy the requirement for judicial independence and impartiality, as the Ombudsman is appointed by a member of the US executive branch.

The CJEU, in invalidating the Privacy Shield, also noted that whilst US law provided actionable rights in relation to personal data processing, there are difficulties for EU citizens in exercising such rights before US courts; this meant that they fell short of being rights essentially equivalent to those afforded under EU law. Organisations relying on the Privacy Shield will now need to identify another legal basis for data transfers to the US, such as SCCs (subject to the limitations noted by the CJEU) or binding corporate rules (though these take a considerable period of time to achieve approval). Many organisations are likely to consider whether a derogation under the GDPR can support data transfers to the US, such as where it is necessary for the performance of a contract with the data subject.

Conclusion

The decision comes at an important time for the UK in particular, which will officially leave the EU when the Brexit transition period ends on December 31st 2020. The UK has not yet secured an adequacy decision from the EC, and today’s decision will not assist in achieving such a decision in view of the UK’s agreement with the US on law enforcement data sharing in the meantime (which we covered here).

In the absence of an agreement between the UK and the EU on personal data transfers before the end of the transition period, it is sensible to rely on SCCs in order to transfer personal data between the EU and UK. Today’s decision means that those SCCs can continue to be relied upon, and the safeguards needed by the EU are in place in the UK, so the concerns raised above concerning the US do not apply to the UK.