CJEU on data protection: Privacy Shield is dead; standard contractual clauses valid (with conditions)

What happened?

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), commonly referred to as “Schrems II”.

In its judgment, the CJEU declared that the EU-US Privacy Shield (Privacy Shield), a mechanism used to legitimise of data from the EU to the US, is invalid. The CJEU separately held that the Standard Contractual Clauses (SCCs), an alternative mechanism used to legitimise transfers of data from the EU to third countries and which is the most popular mechanism used for global transfers of data from the EU, remain valid – subject to certain assessments by the transferor business as to securing appropriate safeguards for the individuals’ data.

Although the invalidation of Privacy Shield is relevant to EU-US transfers only, the SCCs are the most popular tool for transfers to third countries which do not benefit from an adequacy decision, thus making Schrems II a decision with global relevance.

A further key element of the Schrems II judgment is that it confirms that EU data protection regulators are required to prohibit or suspend transfers where these appropriate safeguards cannot be provided, giving data protection authorities to take enforcement measures where they deem the arrangements to be inadequate.

Legal background

Under the GDPR, transfers of personal data to third countries which do not benefit from an adequacy decision are only permissible if certain additional transfer mechanisms are adopted and complied with. These transfer mechanisms include adequacy decisions of the European Commission (such as the Privacy Shield for transfers to the US) and appropriate safeguards (such as the SCCs which can be used for transfers globally).

It is worth noting that this is not the first time that the CJEU has invalidated a data protection transfer mechanism. In 2015, the CJEU handed down a decision invalidating the predecessor of the Privacv Shield, known as the “EU-US Safe Harbor”. Similarly with Schrems II, the core of Max Schrems’ complaint in that case was that US surveillance laws meant it was not possible to offer adequate protection for EU personal data in the US.

So what did the CJEU say in Schrems II?

  • Invalidation of Privacy Shield: The CJEU held that due to the potential access to, and use by US public authorities of, personal data transferred to the US, a level of protection essentially equivalent to that guaranteed under EU law cannot be guaranteed. In particular, the CJEU stated in its press release that the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”. Furthermore, the CJEU held that US surveillance programmes cannot be regarded as limited to what is strictly necessary, thus falling short of the requirements of the principle of proportionality under the GDPR. Finally, the CJEU held that the Privacy Shield Ombudsperson mechanism does not provide an adequate level of protection, since data subjects do not have any cause of action before a body which offers guarantees substantially equivalent to those required by EU law.
  • SCCs are valid, subject to conditions: The CJEU held that SCCs may not in practice constitute a sufficient means of ensuring the effective protection of personal data transferred to a third country, especially if the laws of that third country allow its public authorities to interfere with the rights of the data subjects to which that data relates. The judgment stresses the importance of businesses ensuring that they verify, prior to any transfer, whether an appropriate level of protection is respected in the relevant third country. If it is not possible to secure the appropriate safeguards, then the transfer of personal data to that third country should be suspended by the exporter. In turn, if the exporter fails to do so, the relevant Member State data protection supervisory authority should impose such suspension.

What next for international data transfers?

Beyond the immediate urgency for businesses to respond to the invalidation of the Privacy Shield, there are two major take-aways from the Schrems II decision:

  • The SCCs have survived, however businesses need to ensure they undertake and document their due diligence and reasoning that the transfer will maintain “appropriate safeguards”: It should be noted that the requirement on the relevant controller or processor to ensure “appropriate safeguards” for the relevant personal data was a pre-existing one within GDPR. However, the Schrems II judgment highlights the operational need for businesses to undertake and document their assessment in this respect.
  • Data protection authorities are asked to intervene in order to prohibit or suspend non-compliant transfers: With the confirmations of the CJEU, data protection authorities are now tasked with the admittedly difficult mandate to assess whether transfers satisfy the relevant “appropriate safeguards”. Given the enormity of the decision to invalidate Privacy Shield as well as the expected scramble to review existing transfers regulated under SCCs, it may be the case that data protection authorities will be slow to pick up this mandate. There is however no formal grace period and to this end businesses should revisit arrangements sooner rather than later.
  • SCCs are valid, subject to conditions: The CJEU held that SCCs may not in practice constitute a sufficient means of ensuring the effective protection of personal data transferred to a third country, especially if the laws of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates. The judgment stresses the importance of businesses ensuring that they verify, prior to any transfer, whether an appropriate level of protection is respected in the relevant third country. If it is not possible to secure the appropriate safeguards, then the transfer of personal data to that third country should be suspended by the exporter. In turn, if the exporter fails to do so, the relevant Member State data protection supervisory authority should impose such suspension.

Checklist for businesses

  • Check if your business relies on Privacy Shield for transfers to the US – if yes, an alternative transfer mechanism needs to be identified and adopted.
  • Check if your business is relying on SCCs for international transfers – if yes, revisit and re-evaluate your data flows to assess whether they meet the threshold for “adequate safeguards” at their destination and to ensure you are keeping the appropriate records to reflect the assessment process.
  • Keep records of your assessments and reasoning – as data protection authorities wrestle with the task of assessing whether a transfer based on SCCs indeed secures “appropriate safeguards”, it is in the interest of businesses to record their assessment and reasoning in concluding the transfer is compliant. This also feeds into the accountability principle under the GDPR, pursuant to which businesses should keep records to enable them to demonstrate compliance with the principles of processing, which includes lawful processing of data.

You can find the Schrems II judgment here.

You can find the CJEU press release here.