Standard Contractual Clauses remain valid but EU-US Privacy Shield struck down
On Thursday 16 July, the Court of Justice of the European Union (CJEU) made a landmark decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (the “Schrems II” case): while it upheld the use of Standard Contractual Clauses (SCCs), it invalidated the EU-US Privacy Shield.
Background
In 2000 the European Commission established a mechanism for the transfer of personal data from the EU to the US known as “Safe Harbour”. Thirteen years after the data transfer mechanism had been established Max Schrems, an Austrian lawyer and privacy advocate, made a complaint to the Irish Data Protection Commissioner regarding data transfers by Facebook Ireland to the US under Safe Harbour. At the time, organisations which complied with the Safe Harbour Privacy Principles were permitted to transfer data from the EU to the US. However, as a result of Schrems’ complaint, in 2015 the CJEU invalidated Safe Harbour as it was found that this mechanism did not adequately protect the personal data of EU Citizens (Schrems I, case C-362/14). As a result of Safe Harbour’s swift ending, the US Department of Commerce and the European Commission worked quickly to create a new mechanism which would again allow the transatlantic transfer of personal data from the EU to the US. The EU-US Privacy Shield became operational in 2016 and has become a well-known and well-used mechanism for transatlantic data transfer ever since.
Moving onto the current case (Schrems II, case C-311/18), where the CJEU looked at the validity of both SCCs - another data transfer mechanism which has been approved by the European Commission to ensure that the personal data of EU Citizens is protected when transferred outside of the EU - and the EU-US Privacy Shield. The outcome: the CJEU upheld the use of Standard Contractual Clauses, but invalidated the EU-US Privacy Shield.
Why was the EU-US Privacy Shield invalidated?
Under the General Data Protection Regulations (GDPR), the self-proclaimed ‘toughest privacy and security law in the world’, personal data can only be transferred outside the European Economic Area (EEA) if the country to which the data is being transferred can offer adequate protection. The EU-US Privacy Shield was invalidated over whether adequate protection could be offered to the personal data on EU Citizens. The Court stated on the matter that “the access and use by US public authorities of such data transferred…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law”. There was concern regarding the surveillance of personal data by public authorities in the US in terms of such surveillance not being limited to what is strictly necessary. Other concerns were raised that the Privacy Shield does not provide data subjects with any cause of action before a body which guarantees substantially equivalent to those required by EU law.
Why do the Standard Contractual Clauses remain valid?
Much to the relief of all the organisations that currently use them as a way to share personal data outside of the EEA (including the US), the CJEU yesterday upheld the validity of the SCCs. However, although their validity has been upheld, the Court examined GDPR’s requirement of ensuring appropriate safeguards are in place for international data transfers and concluded that while the SCC met part of this requirement, that it was also necessary for the data controller to assess the practical ability of the recipient to comply with the SCC against the backdrop of their legal system.
In practice, this means that prior to signing up to agreements that involve the international sharing of personal data, not just to the US, but any other country outside of the EEA, simply incorporating the SCC into the Agreement will not be sufficient. Data Controllers ought to be assessing whether the recipient can realistically comply with the SCC and thus provide adequate protection in the relevant jurisdiction taking into account the recipient’s legal system. If it is felt that adequate protection could not be met under the SCCs, then organisations must seek to provide additional safeguards or suspend transfers.
It is currently unclear how Data Controllers ought to realistically assess whether the recipient’s legal system supports the recipient’s compliance with the SCC other than seeking a legal opinion from a suitably qualified practitioner in the relevant jurisdiction, which will add not only additional cost to the project but also possible time delays. It could also result in situations where significant time is spent assessing adequacy to find it is inadequate and other routes to transfer must be explored. It may be that one way to help manage this would be to create ‘a black list’ of countries whose legal systems have been reviewed by e.g. the European Commission and considered not providing adequate protection thus allowing Data Controllers to identify recipient countries easily where reliance on SCC would not be a route to support international data transfers. It may well be that the US is already on the ‘black list’ on the basis that the Privacy Shield was invalidated as it was considered the US did not provide adequate protection in practice.
The Court continues to state that if the Data Controller does not suspend or cease transferring data where this requirement has not been met, the Supervisory Authority (the Information Commissioner’s Office in the UK), should step in and suspend or prohibit such transfers. This raises the question about how the ICO will have knowledge of all of these transfers and/or the resources to timely confirm whether checks undertaken by Data Controllers are adequate in order to step in. It would seem that this would be difficult to manage on a practical level.
Implications
Schrems II case is a landmark case and will have significant implications for not just EU – US transfers but transfers to other countries outside of the EEA. No doubt, many organisations will be concerned about the validity of their data transfers in light of this judgement, with particular concern over any data transfers to the US. While early indications are that there may well be a replacement to the Privacy Shield; there is little information on what that will look like and when it will be in place. What we do know is that any data transfers on the basis of the Privacy Shield are not in compliance with the GDPR and organisations relying on the Privacy Shield should start looking at other options for supporting the transfer in line with GDPR.
Organisations relying on the SCCs should also consider, on a case by case basis, whether the laws and legal system of the recipient country supports compliance with the SCCs on a practical level.
Generally, the case raises questions about how organisations should support international data transfers in a practical and cost-effective manner. While the decision on the Privacy Shield is fairly clear cut, there is significant ambiguity about how organisations can practically and adequately assess whether the SCCs would be an appropriate mechanism to support international data transfers.
Over the coming months, there will hopefully be answers to these questions. Both the European Data Protection Board and the UK’s Information Commissioner’s Office (ICO) has confirmed that more guidance will be provided. In the meantime, we recommend:
- Capture all data exports to the US and identify those which relied on the EU-US Privacy Shield and the SCCs;
- For those relying on the EU-US Privacy Shield currently, consider an alternative transfer mechanism and whether any of these can be used to support EU-US data exports;
- For those relying on the SCCs currently, you need to understand whether US local laws law or surveillance practices will impact on the data importers ability to comply with the SCCs. Organisations are encouraged to undertake documented risk assessments to support this;
- Review your contractual arrangement with US parties and understand whether any amendments need to be made; and
- review all other data exports outside of the EEA and identify those that rely on the SCCs. Again, you need to understand whether local laws or surveillance practices will impact on the data importers ability to comply with the SCCs by undertaking documented risk assessments.
Insight from Loretta Maxfield Data Protection specialist and Hayley Blackman, Corporate Senior Solicitor at Thorntons. For more information contact Loretta or Hayley on 03330 430350.