Many organisations around the world can breathe a sigh of relief, as the European Union's highest court upheld the validity of the Standard Contractual Clauses (SCCs) as a mechanism for transferring personal data outside the EEA under the GDPR. However, by its judgment delivered yesterday in the so-called ‘Schrems II’ case (Preliminary Ruling), the Court of Justice of the European Union (CJEU) has invalidated an earlier decision (Decision 2016/1250) on the adequacy of protection provided by the EU-US Privacy Shield (Privacy Shield), with immediate effect.

This is not a welcome development for thousands of companies that have either certified to the EU-US Privacy Shield (in the US), or that rely upon US-based counterparties that are so certified in order to lawfully transfer personal data from the EEA to the US. The Preliminary Ruling also has implications for transfers of personal data to the US generally and to other jurisdictions with strong state surveillance practices (which may well include Australia).

Brief background on Schrems II

By way of background, C-311/18: Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, better known as the "Schrems II case", involved a reformulated complaint brought by Austrian privacy advocate, Max Schrems, filed with the Irish Data Protection Commissioner (Irish DPC) in 2015.

In this complaint, Schrems challenged Facebook Ireland Limited's (Facebook Ireland) reliance on the SCCs as a legal basis for transferring personal data to Facebook, Inc. in the US on two grounds:

  1. the clauses used by Facebook for its intra-group data transfer arrangements were not consistent with the SCCs; and

  2. in any event, the SCCs could not ensure an adequate level of protection for Facebook Ireland's transfer of personal data relating to him to the United States.

As the determination of Schrems' complaint depended on the validity of the SCCs, the Irish DPC brought proceedings against Facebook Ireland in the Irish High Court and requested that the court refer 11 questions to the CJEU for a preliminary ruling. As part of this referral, the Irish High Court questioned the validity of both the SCCs and the Privacy Shield.

On 19 December 2019, Advocate General Henrik Saugmandsgaard Øe delivered an opinion, which recommended that the CJEU uphold the validity of the SCCs and return the matter to the Irish DPC on the basis that the analysis of the questions did not require an assessment of the validity of the SCCs. Most relevantly, the AG opined that while the CJEU should not take this opportunity to rule on the validity of a related transfer mechanism, the EU-US Privacy Shield, a full court review of the Privacy Shield would be useful even if it would lead to concerns about the validity of that mechanism.

The Preliminary Ruling (July 2020)

By its Preliminary Ruling, the CJEU concluded that the SCCs remain valid as an adequate safeguard for transferring personal data outside of the EEA, while declaring the Privacy Shield to be unlawful under the adequacy regime in the GDPR.

We have distilled below the key aspects of the judgment:

  • ) may have, together with the relevant aspects of the legal system of that jurisdiction.

    • In particular, if regulatory authorities in the Importer Jurisdiction have statutory rights or powers to access personal data of EU data subjects, “other clauses or additional safeguards” to supplement the SCCs will be required. It is hoped that supervisory authorities or the European Data Protection Board will issue clear guidance on what will be expected of data exporters going forward in this regard.

    • If the data importer is subject to local legal requirements which mean that it can no longer comply with its obligations under the SCCs, the importer has an obligation to notify the data exporter of this. If a data exporter receives such a notice, the SCCs provide a right under Clause 5(b) for the exporter to suspend the data transfer and/or terminate the SCCs. The CJEU affirms the Advocate General’s Opinion that this is not simply a right but an obligation on data exporters to do so.

For clarity, we note that while a Preliminary Ruling sets out the CJEU’s interpretations on EU law and the validity of EU legal instruments, it does not decide the dispute or complaint itself. The matter will now return to the Irish High Court to be determined.

So, where to from here?

Much wider implications

SCCs have been the bedrock of international personal data transfers long before the GDPR came into force. While the Preliminary Ruling provides a measure of certainty to organisations that transfer personal data outside the EEA, arguably, the EC's modernisation of the SCCs will be the more significant update on data transfers to which the GDPR applies.

Furthermore, the CJEU’s powerful statement on the impact of state surveillance on the validity of personal data transfers could cast doubt upon the lawfulness of transfers under the SCCs to other countries like China and India (and perhaps even Australia, given the passing of the Assistance and Access Act in 2018 and the tabled draft of the International Production Orders Bill), as well as the UK’s mission to attain GDPR adequacy status before the end of the transition period. It is clear that EU businesses will need to consider the effect of the UK state surveillance program under the Investigatory Powers Act 2016 (which, post-Brexit, is no longer subject to EU review). Watch this space.