A clash between US national surveillance law and EU data protection standards, which lies at the heart of Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has resulted in the invalidation of the EU–US Privacy Shield. Below we summarise the consequences of this judgment and what it means for businesses.
What happened in this case?
The Schrems II case is a follow-up to the Schrems I case in which the Court of Justice of the European Union (“CJEU”) invalidated the Safe Harbour framework as a mechanism to lawfully transfer personal data from the EU to the US. Following this decision, companies started looking to the Standard Contractual Clauses (“SCCs”) as an alternative to lawfully transfer personal data from the EU to the US.
In this latest judgment, the CJEU has rendered the Privacy Shield invalid and confirmed the validity of the SCCs. The CJEU has thereby followed the Advocate-General’s non-binding opinion according to which there are no grounds to invalidate the SCCs. See a previous Law Now article for our key findings on this opinion.
What is the background to this case?
The EU Commission adopted the Privacy Shield in July 2016, which was intended to be a more robust replacement of the Safe Harbour framework with added oversight and enforcement. In 2019, the US government appointed the Privacy Shield Ombudsperson, tasked with handling data access requests from EEA data subjects whose personal data has been transferred under the Privacy Shield to the US and accessed by US security agencies.
Max Schrems, an Austrian national who also filed the complaint in Schrems I, argued that the provisions in the SCCs should be used by data protection authorities in Europe to block data transfers from Europe to the US. The grounds invoked by Mr Schrems were similar to those in Schrems I, namely that US national surveillance laws are in direct conflict with the rights and safeguards granted under European data protection laws and therefore transatlantic data transfers require more safeguards. The complaint in Schrems II found its way to the CJEU via a referral by the Irish High Court for a preliminary ruling.
Are the SCCs still valid?
Yes, the SCCs can still be used to lawfully transfer personal data outside the EEA. However, organisations wishing to conclude the SCCs with a data importer outside the EEA will now have to assess whether and to what extent the laws of that country allow its public authorities to interfere with the exported personal data. If the laws of that country do not ensure adequate protection, the data exporter is required to take appropriate safeguards to mitigate this lack of data protection. However, it is still to be seen what the EU data protection authorities will consider as “appropriate safeguards”.
If it is not possible for personal data to be adequately protected in the data importer’s country, even though the SCCs are in place, then the data exporter must suspend those data transfers. If the exporter does not do so, then the relevant supervisory authority may order the transfer to be suspended or stopped.
Is the Privacy Shield still valid?
No, the CJEU has rendered the Privacy Shield invalid. Data transfers from the EEA to the United States on the basis of this mechanism are therefore unlawful.
What about binding corporate rules?
Although the Schrems II case concerns the SCCs and the Privacy Shield, the CJEU’s decision has ramifications for those organisations that rely on binding corporate rules (“BCRs”) for transferring data internationally. Indeed, the same reasoning applies to organisations relying on BCRs: they too will have to assess whether and to what extent the laws of that country allow its public authorities to interfere with the exported personal data.
If it is not possible for personal data to be adequately protected in the data importer’s country, even though BCRs are in place, then the data exporter must suspend those data transfers. If the exporter does not do so, then the relevant supervisory authority may order the transfer to be suspended or stopped.
What does this mean for businesses?
- In the coming months, authorities in Europe will hopefully provide clear guidance on how organisations can transfer data internationally following the CJEU’s Schrems II decision.
- Look for guidance with supervisory authorities, the EDPB and/or the EU Commission
- Assess your international data flows
- Identify your data transfers from the EEA to countries outside the EEA that are not on the EU Commission’s list of adequate countries.
- Verify the nature of each transfer: What type of data? Is special category data being transferred? Is the data importer subject to surveillance laws? How 'big' is the transfer (how often; how many data)? What is the purpose of the data transfer? Can you achieve that purpose without transferring the data?
- When considering transferring personal data to countries outside the EEA, assess whether and to what extent the laws of those countries allow their public authorities to interfere with the exported personal data. One way to assess this is by using the “European Essential Guarantees” (see the Working Party 29’s Working Document 01/2016):
- Surveillance should be based on clear, precise and accessible rules
- Surveillance should be necessary and proportionate to the objectives pursued
- An independent oversight mechanism should exist
- Effective remedies need to be available to individuals: individuals must have effective remedies to satisfy their rights before an independent body
- As part of the assessment, consider implementing technical measures to safeguard the data being transferred. One such measure could be the use of robust encryption technology.
- Conduct the transfer assessment for both the existing and future transfers.
- Be aware that these transfer assessments will be time-consuming and complex and will need refreshing regularly as the laws of third countries inevitably change over time.
- Document each transfer assessment as part of your GDPR-accountability obligation.
- Note that conducting transfer assessments for transfers to US-based suppliers is probably pointless because the CJEU’s apparent conclusion is that US surveillance measures do not meet the European Essential Guarantees anyway.
If the outcome of the transfer assessment is positive, roll out SSCs (or BCRs)
If, following the transfer assessment (see point 2 above), you are comfortable about the level of data protection in the data importer’s country, then you can use the SCCs or BCRs for data transfers to that data importer.
Transfers to the US are problematic
Transfers to the importers that are subject to US surveillance laws are problematic because the CJEU (i) has now invalidated the Privacy Shield and (ii) has apparently concluded that US surveillance laws do not meet the European Essential Guarantees, which means neither the SCCs nor BCRs will address the issue.
One way of mitigating the risk is by moving to “EEA-only solutions” offered by some of the bigger tech firms, which will keep EEA customers’ data on European territory and therefore require no data transfer to the US.
Tom De Cordier, Partner, Brussels, email@example.com
Thomas Dubuisson, Associate, Brussels, firstname.lastname@example.org
Janick Van Daele, Junior Associate, Brussels, email@example.com