The CJEU has now issued its much anticipated judgement in Ireland & Schrems (Case C-311/18) (Schrems II). Our previous article on the Attorney General’s opinion last December sets out the background to the CJEU’s verdict.
As a brief recap, there were two key issues for the CJEU to opine on:
- The adequacy of transferring data under the EU’s Standard Contractual Clauses
- The adequacy of transferring data from the EU to the US by relying on the US Privacy Shield to provide appropriate safeguards.
Standard Contractual Clauses
The Standard Contractual Clauses ('SCCs', also known as the 'Model Clauses') remain valid in principle, although this validity will depend on whether it is possible, in practice, for the data importer to ensure compliance with the level of protection required by EU law. This means that transfers of personal data made under the SCCs should be suspended or prohibited by the EU data exporter in the event that the individual’s data protection rights are not protected to an 'essentially equivalent' standard outside the EU as they would be under GDPR.
This means we are likely to see more focus on importers of the data of EU citizens (in particular those based in the US - but this ruling applies to all third countries without an adequacy decision) to prove to the EU-based data exporter that the processing will not conflict with the GDPR. In the case of data exports to the US this may be difficult to prove, since current US surveillance laws do not grant the rights of foreign citizens the same protection as is afforded to Americans.
EU-US Privacy Shield
The CJEU has declared the Privacy Shield invalid. The ruling is not a great surprise, following views in some quarters that the Privacy Shield was effectively the Safe Harbour agreement under another name.
The court concluded that the Privacy Shield did not provide a level of protection of personal data in the US 'essentially equivalent' to that under the GDPR and EU law, due to the intrusive nature of surveillance programmes undertaken by the US government and intelligence agencies, which are not limited to information that is 'strictly necessary' and are therefore viewed as disproportionate under GDPR.
Further, the court noted the limited ability of non-US citizens to challenge the US government processing their data in this manner. The Privacy Shield Ombudsman (which was set up by the European Commission in response to criticism that EU individuals lacked access to an effective remedy under US law regarding processing of their data) still did not provide data subjects with adequate access to justice, as its decisions were not binding on US intelligence services and its impartiality was deemed to be questionable.
Austrian privacy advocate Max Schrems, who brought the case against Facebook and the Irish supervisory authority, noted that this puts the US on the same footing as any other third country, and hopes that this decision will encourage US corporations to advocate for stronger privacy rights for foreign citizens.
Other legal gateways to transfer data outside of the EEA
The CJEU points to certain mechanisms under GDPR that remain options to permit data exports to the US. For example, if a data export is 'necessary' to fulfil a contract it can still occur under the GDPR (although this is likely to be interpreted narrowly). Additionally, any situation where the data subject wants their data to flow abroad remains legal under GDPR, as this can be based on the informed and freely-given consent of the user. However, it is also a requirement of GDPR that this consent must be able to be withdrawn by the data subject at any time.
These mechanisms are narrower than the gateways for data exporters that existed under the Privacy Shield and which continue to operate under the SCCs. If necessity or informed consent cannot be relied on, organisations and data protection supervisory authorities will now need to develop ways for US data importers to show they have taken additional steps to ensure appropriate rights for EU data subjects.
The clarified role of data protection supervisory authorities
The CJEU has also put pressure on Member State supervisory authorities to enforce the clarified obligations under the SCCs – it noted that authorities actually already have the powers to do so under the existing SCCs and should be using these powers. Unless there is a valid adequacy decision from the European Commission (and we note that only 12 jurisdictions worldwide have received such a decision so far), where the EU data exporter has not itself ended non-compliant transfers, the relevant national supervisory authority (being the ICO in the UK) is responsible for suspending or prohibiting a transfer of personal data to a third country where it takes the view that the SCCs are not or cannot be complied with in that country.
It will be interesting to see how the ICO and other supervisory authorities choose to pursue enforcing the terms of SCCs following this ruling. There is now an increased possibility of enforcement actions against organisations to prevent transfers that are taking place under SCCs as well as the now invalid Privacy Shield.
For now the attitude of the ICO seems to be supportive of businesses, after it issued a brief press statement saying that the ICO 'stands ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.' We await more detail from the ICO in due course on how it intends to enforce its now clarified obligations.
Next steps
For organisations relying on the EU-US Privacy Shield to transfer data of EU citizens to the US, this judgement will come as a setback. These organisations will need to review their flows of data and enter into arrangements incorporating the SCCs with their US data importer.
For organisations who already rely on SCCs (or intend to now start relying on the SCCs) in order to transfer data to third countries (including the US), now is a good time to review these and ensure that they are practicably enforceable in that third country. The SCCs already require that the non-EU data importer inform the EU data exporter of any inability to comply with the SCCs (for instance, because of incompatible local laws and access by the third countries’ public authorities). Compliance with this clause should be documented, and receipt of any such notification would mean that the exporter would need to suspend or not proceed with the data transfer.
This also raises a possible roadblock (following the end of the Brexit transition period) for an adequacy decision in favour of the UK, and the validity of data transfers from the EU to the UK generally. The judgement may open the door to a similar challenge of the UK’s Investigatory Powers Act and the UK’s data sharing agreements with the US. We await further developments on this point, hopefully before the end of the transition period on 31 December 2020.
If this judgement has affected your data sharing arrangements, our Data Protection team is ready to help. For more information please contact David Varney.
This article was written by David Varney and Andrew Wilson.