CJEU delivers a landmark ruling on international data transfers: Privacy Shield declared invalid
The Court of Justice of the European Union has delivered its ruling in the Schrems II case. The CJEU unexpectedly invalidated the Privacy Shield Decision in the ruling, but confirmed the validity of the Commission decision 2010/87 on standard contractual clauses.
On 16 July 2020, the CJEU delivered its ruling in the Schrems II case (C-311/18) concerning the validity of two mechanisms on which cross-border transfers of personal data outside the EU rely heavily: the Commission’s adequacy decision 2016/1250 for the EU-US Privacy Shield Framework (Privacy Shield Decision) and the Commission decision 2010/87 on standard contractual clauses (SCC Decision).
The CJEU unexpectedly invalidated the Privacy Shield Decision but confirmed the validity of the SCC Decision. Moreover, the CJEU found, inter alia, that where the SCCs are used for international data transfers, a competent supervisory authority is required to suspend or prohibit the transfer of data if it finds that the SCCs are not or cannot be complied with in the third country in question, and if the protection of the data transferred, as required by EU law, cannot be ensured by other means. Consequently, when conducting international data transfers, organizations may no longer rely on the Privacy Shield, but standard data protection clauses (SCCs) can still be used. However, as will be further demonstrated below, some ambiguity remains as to what extent the SCCs can be relied on, especially in EU-US data transfers.
The General Data Protection Regulation (GDPR) and its predecessor, Directive 95/46/EC, provide that the transfer of personal data to a country outside the European Economic Area may, in principle, take place only if the third country in question ensures an adequate level of data protection. In 2000 the European Commission adopted a decision finding that, under the Safe Harbour agreement, the United States ensures an adequate level of protection for personal data transferred from the EU to the US.
The Safe Harbour decision was then overturned by the CJEU in its ruling in the Schrems I case (C‑362/14), delivered on 6 October 2015. The Schrems I case began when Mr. Schrems, a privacy activist and Facebook user, lodged a complaint with the Irish Data Protection Authority regarding Facebook Ireland transferring his personal data to Facebook Inc. in the United States. Mr. Schrems argued that the United States does not provide adequate protection for personal data transferred from the EU because of the surveillance activities undertaken by US intelligence authorities. After the Irish Data Protection Authority rejected the complaint, arguing that Facebook’s data transfers were made in compliance with the Safe Harbour decision, Mr. Schrems appealed the matter to the High Court of Ireland. The High Court then referred the question of the validity of the Safe Harbour decision to the CJEU, which found the decision invalid.
In the absence of an adequacy decision, an international transfer of personal data may take place if the data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard contractual clauses adopted by the Commission. After the Safe Harbour decision was declared invalid, organizations, including Facebook, could still rely on the SCCs for international data transfers. However, Mr. Schrems continued to claim that the United States does not offer sufficient protection for data transferred to that country; he reformulated his complaint against Facebook to focus on the validity of the SCCs and requested that the Irish Data Protection Authority suspend or prohibit Facebook’s data transfers. On the basis of Mr. Schrems’ reformulated complaint, the Irish Data Protection Authority brought the question of the validity of the SCC Decision before the High Court of Ireland.
In 2016, after the initiation of these proceedings, the Commission adopted the Privacy Shield Decision, finding that the Privacy Shield Framework ensures an adequate level of protection for transatlantic personal data transfers. The purpose of the Privacy Shield was to reflect the requirements set out by the CJEU in the Schrems I case and to place stronger obligations on US companies to protect the personal data of Europeans, as well as to include terms under which access to transferred personal data by US public authorities would be subject to clear conditions, limitations and oversight, preventing generalized access.
In April 2018 the High Court referred 11 questions to the CJEU concerning the interpretation of the SCC Decision as well as the Privacy Shield Decision. On 19 December 2019 Advocate General Saugmandsgaard Øe delivered his opinion on the case and upheld the SCC Decision. Regarding the Privacy Shield, the Advocate General found that the main proceedings were limited to the validity of the SCC Decision and that there was therefore no need to assess the validity of the Privacy Shield Decision.
On 16 July 2020, the Court delivered its judgment. Contrary to the Advocate General, the Court decided to assess the validity of the Privacy Shield. The Court found that the limitations on the protection of personal data arising from the domestic law of the United States on access to and use of that data by US surveillance authorities are in conflict with the requirements of the GDPR, read in the light of the EU fundamental rights guaranteeing respect for private and family life, the protection of personal data, and the right to a fair trial and an effective remedy. The guarantees adopted by the US under the Privacy Shield do not provide safeguards substantially equivalent to those required by EU law. Consequently, the Court declared the Privacy Shield Decision invalid with immediate effect.
Regarding the SCC Decision, the Court came to the same conclusion as the Advocate General and declared that the SCC Decision remains valid. However, the Court highlighted that when personal data is transferred to a third country pursuant to the SCCs, data subjects must be afforded a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter of Fundamental Rights of the European Union. This assessment must take into consideration, inter alia, the contractual clauses agreed between the parties transferring the data between the EU and the third country, as well as the relevant aspects of the legal system of that third country regarding any access by its public authorities to the data transferred. Moreover, the Court stated that the supervisory authorities are required to suspend or prohibit a transfer where they consider that the SCCs cannot be complied with in that country and the protection of the transferred data cannot be ensured by other means.
The CJEU ruling makes clear that organizations may no longer rely on the Privacy Shield for EU-US data transfers. However, ambiguity remains as to whether all EU-US data transfers are now illegal and to what extent the SCCs can be relied on for other international data transfers.
The uncertainty with the SCCs stems from the fact that, unlike the Privacy Shield, the SCC Decision is not an adequacy decision declaring that a specific country ensures an adequate level of data protection. The Court held that, in the absence of an adequacy decision and when relying on the SCC mechanism, it is for the controller or processor established in the EU to verify on a case-by-case basis, in collaboration with the recipient in the third country, whether or not the law of that third country ensures adequate protection with appropriate safeguards, and to provide additional safeguards where necessary. Thus, when the SCCs are used, an organization cannot rely on them alone: it must assess whether the level of protection required by EU law is respected in the third country and adopt supplementary safeguards where necessary. As declared in the judgment, the supervisory authorities have powers with respect to data transfers made under the SCCs; if an organization fails to or is unable to take the additional measures required, the supervisory authority may prohibit or suspend the data transfers made under the SCCs.
It remains to be seen in practice which safeguards or measures would be sufficient and whether organizations are in fact able to provide them, for example in the case of EU-US data transfers. It is fair to assume that service providers using cloud services will be even more challenged in light of the ruling, considering possible obligations under the CLOUD Act. However, at this point it is clear that all organizations should assess whether personal data is transferred to third countries, especially to the US, and under which mechanisms. In addition, it remains to be seen whether the supervisory authorities will begin to investigate data transfers to the US under the SCCs and what the outcome of such investigations will be.
European Data Protection Board’s FAQ on Schrems II
On 23 July 2020 the European Data Protection Board (EDPB) published an FAQ based on the questions the supervisory authorities had received after the CJEU delivered its judgment in the Schrems II case. The EDPB’s FAQ addresses questions related to the content and consequences of the ruling, including an assessment of the legality of the different data transfer mechanisms and the lack of a grace period for complying with the ruling.
The EDPB finds that the threshold the Court sets for transfers under the SCCs also applies to Binding Corporate Rules (BCRs) and to all other appropriate safeguards for international data transfers under Article 46 of the GDPR. The parties transferring data must assess on a case-by-case basis whether or not the level of protection required by EU law is respected in the third country and whether or not supplementary measures, in addition to the transfer mechanism, are needed. However, the EDPB is still analyzing what kind of measures, e.g. legal, organizational or technical, could be provided to supplement the transfer mechanisms. The EDPB will continue to amend and supplement the FAQ as its analysis of the ruling progresses.