The CJEU Declares the EU-US Privacy Shield Invalid and SCCs Valid…but with Conditions
What are the Implications and Next Steps for Your Organisation?
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement on the adequacy of both the Privacy Shield and standard contract clauses (SCCs). The EU-US Privacy Shield is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to the US and focuses on the methods of data transfer, including third-party transfers. Similarly, SCCs can be used to legitimise the transfer of personal data between the EU and the US (and other third countries) where a contract is established on EU approved terms between the sender and recipient, typically between small and medium-sized businesses.
Taking pundits by surprise, the CJEU declared the Privacy Shield invalid but validated SCCs, albeit with a number of conditions attached. Here, we provide you with the background leading up to the judgements, a high-level summary of the judgements themselves and highlight the potential implications and next steps for UK organisations.
What was the Background to these Judgements?
The case that triggered the CJEU judgements is often referred to as ‘Schrems II’. In summary, Maximillian Schrems, an Austrian privacy activist, brought a complaint against the Irish Data Protection Commission (DPC), Ireland’s data protection authority, arguing that the US does not provide sufficient security and redress mechanisms to protect transferred privacy data. In Schrems’ case, the privacy data related to his personal Facebook data, which he claimed Facebook Ireland transfers and processes wholly or partially on servers of Facebook Inc., based in the US. These transfers between Facebook Ireland and Facebook Inc. took place using SCCs. Schrems has claimed that the SCCs do not provide an ‘adequate’ level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law, i.e. the intrusive nature of US surveillance activities. Following the complaint, the Irish DPC brought proceedings against Facebook in the Irish High Court, which referred a number of questions to the CJEU for a preliminary ruling. The preliminary questions primarily focussed on the validity of the SCCs, but also related to the EU-U.S. Privacy Shield framework.
What was the Judgement on SCCs?
The CJEU’s judgment on SCCs was that they provide sufficient protection for EU personal data to be transferred to third countries (including the US). The Court, however, noted that any EU organisation relying on them is obliged, prior to any transfer, to adopt a proactive role to ensure there is an ‘adequate’ level of protection for personal data in the respective third country. The CJEU also added that organisations may implement additional (unspecified*) safeguards, over and above those contained in the SCCs, to ensure the adequacy of protection. In addition, the responsibilities don’t just end with the data exporter. Under the CJEU judgement, there are also obligations on the third country organisations importing data that they must inform EU data exporters of any inability to comply with the SCCs. When a data importer is unable to comply with the SCCs, and there are no additional safeguards in place to guarantee the necessary level of protection, there is a requirement on the EU data exporter to suspend the transfer of data and/or terminate the contract.
The Court also took the opportunity to clarify that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that a DPA is “required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”. This includes assessing and, if necessary, suspending and prohibiting transfers of personal data to a third country where they believe that the SCCs are not being, or cannot be, complied with and where they assess them as being unsafe according to EU data protection requirements.
* The European Data Protection Board (EDPB) issued a statement on 20 July that it will be looking further into what these additional safeguards or measures could consist of.
What was the Judgement on the Privacy Shield?
In declaring the Privacy Shield invalid, the CJEU concluded that the Privacy Shield did not provide adequate protection of personal data in the US that is ‘essentially equivalent’ to that under the GPPR and EU law. The key reason behind this decision is the intrusive nature of the surveillance programmes undertaken by the US government and intelligence agencies allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333 (which sanctions bulk collection of personal data not limited to information that is ‘strictly necessary’ and is, therefore, viewed as disproportionate under the GDPR).
The CJEU also highlighted the lack of redress EU citizens have in the US under the Privacy Shield. This lack of redress had been flagged up previously by many privacy lawyers and the European Commission had set up the office of The Privacy Shield Ombudsman in response to these. However, its decisions were not binding on US intelligence services and its impartiality was widely questioned.
What are the Implications and Next Steps for UK Organisations?
Review data flow – If your organisation, or your third party suppliers, currently transfer (or enable routine access to) personal data processed in the EU to the US under the Privacy Shield, then a data flow review should be carried out. This will help identify the scope of the data being transferred to the US, particularly that which falls under Section 702. In the interim, it is worth noting that the UK’s Information Commissioner’s Office (ICO), has indicated that “If you are currently using Privacy Shield, please continue to do so until new guidance becomes available”, at the same time as saying “Please do not start to use Privacy Shield during this period.”
Review existing SCCs -The CJEU judgement has implications for all EU personal data transfers to jurisdictions not currently covered by an adequacy decision. If your organisation relies on SCCs (or intends to start relying on SCCs) in order to transfer data to third countries (including the US), it is essential that you review these and ensure they are enforceable in that third country. You also need to work out how to resolve any conflicts that may arise where the destination of data has laws that are incompatible with the GDPR. It may also pay to keep a ‘watching brief’ on any further protection measures which the EDPB may impose around the use of SCCs.
Prepare for the impact of Brexit – In URM’s opinion, the CJEU judgement is likely to impact on the adequacy decision for data transfers between the EU and the UK after 31 December 2020. This is because the UK currently has surveillance laws that go beyond those frowned upon in the CJEU’s judgement decision on the Privacy Shield and this could pose a considerable challenge with any adequacy decision.
Also, the UK may fall back on something more substantial than just the adequacy decision. As such, there may be a number of adjustments required on the part of UK-based organisations.
Consider other options for transferring personal data to the US? – The CJEU has identified certain derogations under the GDPR that provide options to allow personal data transfers to the US. For instance, any situation where the data subject has allowed their data to flow abroad remains legal under GDPR, as this can be based on the informed and freely given consent of the data subject. However, even in such a case, extra safeguards and controls need to be in place.
Also, if a data transfer is ‘necessary’ to fulfil a contract, it can still occur under the GDPR. Expert advice needs to be sought in this respect, because transfers under this option are likely to be interpreted narrowly.
How URM Can Help
In this blog, we have provided a high-level outline of the key reasons behind the CJEU’s decision to invalidate the Privacy Shield and the conditions it is attaching to the use of SCCs. We have also highlighted the immediate impact of the judgements and the potential impact it may have on your organisation with any adequacy decision for EU-UK data transfers after 31 December 2020.