Schrems II – A roadblock for data transfers?

This article considers the recent decision by the Court of Justice of the European Union on data transfers and raises some practical considerations for organisations.

Introduction

In the modern business environment and as attributed to Clive Humby, ‘data is the new oil’. Like oil, data is only valuable if it is refined for further and better use. Organisations refine the data they collect by data processing and are heavily reliant on data transfers for this purpose. On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its long awaited judgement in the matter of the Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1). This case, better known as “Schrems II”, as it is the second case that the Austrian privacy activist Max Schrems has brought against Facebook, is seen as a very important judgement in relation to data processing and transfers between the EU and the United States (US) and other non-EU countries which are not included on the EU’s list of countries with adequate safeguards.

Bottom line up front

The judgement in Shrems II:-

1. has found that data transfers between the EU and US fail to guarantee that EU citizen’s data is protected to the degree required by the EU;
2. invalidates Decision 2016/1250 on the adequacy of the protection provided by Privacy Shield;
3. holds that whilst the Standard Contractual Clauses (“SCC”) are not automatically invalid, users must verify certain ‘appropriate safeguards’ or ‘supplementary measures’ in the receiving jurisdiction before transfer;
4. highlights that in the absence of such ‘appropriate safeguards’ or ‘supplementary measures’ data transfers are unlawful; and
5. holds that the new obligations exceed the capability of SCCs to address.

Background to the case

Facebook processes user data in the US, originally by participation in the EU-US “safe harbor” programme, which the European Commission had determined provided “adequate protection” for EU user data. In 2013, Mr Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner (the “DPC”). He objected to surveillance activities undertaken by US intelligence agencies and argued that the law and practice in the US relating to this meant that there was not adequate protection for personal data transferred from the EU to the US. This complaint was referred to the CJEU, and in 2015 it declared the EU-US safe harbor invalid and asked the DPC to reconsider Mr Schrems’ complaint (Schrems (C-362/14, EU:C:2015:650)).

Following this striking down of ‘safe harbor’, Facebook, in addition to most companies affected by the CJEU decision, entered into Standard Contractual Clauses (“SCCs”) to provide protection for the data it transferred to the US. The Commission decision (Commission Decision 2010/87/EU of 5 February 2010) on SCCs provides that supervisory authorities, such as the DPC, can suspend or prohibit data transfers if, for example, they conclude that the law of the country to which the personal data is transferred means that the data importer cannot comply with the obligations set out in the SCCs. Mr Schrems asked the DPC to use this power to suspend or prohibit transfers of his data to Facebook in the US.

The DPC considered Mr Schrems’ complaint and provided a draft decision, which took the position that US law and practice, allowing US intelligence agencies access to EU data, was incompatible with the EU Charter of Fundamental Rights. Rather than doing as Mr Schrems requested and ordering the suspension of data transfers to the US, the DPC brought proceedings before the Irish High Court, asking it to make a reference to the CJEU, to consider if the SCCs themselves were invalid.

In 2016, the Commission adopted the Privacy Shield Decision. The decision included consideration of law and practice in the US relating to access by US intelligence agencies to EU data. It referenced explanations and assurances made by the US and concluded that the EU –US Privacy Shield, offered adequate protection for EU personal data. The Privacy Shield Decision complicated matters further, as how could the DPC suspend data transfers to the US, on the grounds that the laws precluded appropriate protection for EU personal data whilst the European Commission had concluded that EU-US Privacy Shield offered adequate protection for EU personal data? The Irish High Court considered this and this also formed part of the reference to the CJEU.

Privacy Shield is invalid

The Court set out that the Privacy Shield does not provide recourse to an authority that “offers guarantees substantially equivalent to those required by EU law” and in plain language the protection in the US did not satisfy the requirements of EU data privacy law. Art. 45(2)(a) of the GDPR provides that when the Commission makes an adequacy decision it must consider the “rule of law … including concerning national security … and the access of public authorities to personal data… as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”. The CJEU found that Privacy Shield does not grant EU citizens those actionable rights before the courts against US authorities. The court pointed out that the US government has access to all personal data and that such access was not proportionate or strictly necessary. The CJEU also concluded that the role of the Privacy Shield Ombudsperson is not enough to remedy the vulnerabilities of privacy Shield.

As a result, and with effect from 16 July, the Privacy Shield is invalid.

Standard Contractual Clauses

Organisations have assumed that SCCs can always be used to provide adequate protection for personal data. However, the CJEU makes it clear that this is not the case. If an organisation wishes to transfer personal data to a third country, where an adequacy decision is not in place, then the GDPR places the responsibility for ensuring appropriate safeguards on that organisation. Whilst SCCs are one way to achieve this, they may not be effective on their own. If a receiving jurisdiction allows third parties (such as intelligence agencies) access to the data, then additional measures will be required, such as considering relevant aspects of the receiving jurisdiction’s legal system. The CJEU also emphasizes that supervisory authorities (such as the DPC) have significant obligations as regards data transfers made pursuant to the SCCs. The GDPR grants such supervisory authorities extensive investigative powers and if an authority concludes that there is no an adequate level of protection, it is required to act to remedy this. It is now clear that organisations who utilise SCCs must take a proactive role in evaluating and verifying, prior to any data transfer, whether there is an adequate level of protection for personal data in the receiving jurisdiction. In the absence of such protections, transfers are unlawful.

Practical Impacts

Given the judgement by the CJEU that Privacy Shield is invalid and SCCs are only valid if the receiving jurisdiction provide EU level data protection guarantees, there is at present no compliant way to send data to the US (and other third countries that do not have an adequacy decision ) as those receiving jurisdictions with laws allowing their intelligence and security agencies access without EU level protections (such as the US and UK) are unable to comply with EU law. In short, to comply, these receiving jurisdictions will have to change their security and surveillance laws or another alternative to Safe Harbour/Privacy Shield will be needed.

For those transferring data, they should:-

1. Read and re-read the judgement
2. Gain an understanding of the guidance from the DPC, the European Data Protection Board and the European Commission that will follow.
3. Consider carefully how they are transferring data and on what basis (by way of Privacy Shield, SCCs or Binding Corporate Rules)
4. Consider if any of the 12 countries that have an adequacy decision are suitable for their data processing requirements
5. Companies should put in place robust procedures for data transfers. Risk factors include:-

• Identifying the receiving jurisdictions?
• Clarifying if the data is encrypted?
• Are public authorities in those receiving jurisdictions entitled to access the data?
• If it is accessed, on what basis is this authorised?

Is it set out in law?
Does such a law limit or restrict the ability to access data?
Is the access necessary and proportionate?
Does the law provide effective judicial remedies for data subjects in the EU?

Conclusion

The impact of this Schrems II decision will take some time to filter down. Companies engaging in the transfer of personal data from the EU to the US (or other countries) need to look at the basis on which they engage in that transfer. Those that previously relied upon Privacy Shield will have to find a suitable alternative and if they are intent on utilising the SCCs, they will need to verify the existence of appropriate safeguards in line with the judgement in this very important case. Similar issues will arise with transfers to the UK once it formally leaves the EU unless it achieves a finding of adequacy. Ensuring data transfers are GDPR compliant will be extremely challenging to those exporting data to the US and the UK.

How can Reddy Charlton help?

Reddy Charlton Solicitors advise clients on data protection, transfer and processing matters, having considerable experience and a number of experts in the area. If you have any queries or seek further information on Data Protection or any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie