Many organisations around the world can breathe a sigh of relief, as the European Union's highest court upheld the validity of the Standard Contractual Clauses (SCCs) as a mechanism for transferring personal data outside the EEA under the GDPR. However, by its judgment delivered yesterday in the so-called ‘Schrems II’ case (Preliminary Ruling), the Court of Justice of the European Union (CJEU) has invalidated an earlier decision (Decision 2016/1250) on the adequacy of protection provided by the EU-US Privacy Shield (Privacy Shield), with immediate effect.
This is not a welcome development for thousands of companies that have either certified to the EU-US Privacy Shield (in the US), or that rely upon US-based counterparties that are so certified in order to lawfully transfer personal data from the EEA to the US. The Preliminary Ruling also has implications for transfers of personal data to the US generally and to other jurisdictions with strong state surveillance practices (which may well include Australia).
Brief background on Schrems II
By way of background, C-311/18: Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, better known as the "Schrems II case", involved a reformulated complaint brought by Austrian privacy advocate, Max Schrems, filed with the Irish Data Protection Commissioner (Irish DPC) in 2015.
In this complaint, Schrems challenged Facebook Ireland Limited's (Facebook Ireland) reliance on the SCCs as a legal basis for transferring personal data to Facebook, Inc. in the US on two grounds:
- the clauses used by Facebook for its intra-group data transfer arrangements were not consistent with the SCCs; and
- in any event, the SCCs could not ensure an adequate level of protection for Facebook Ireland's transfer of personal data relating to him to the United States.
As the determination of Schrems' complaint depended on the validity of the SCCs, the Irish DPC brought proceedings against Facebook Ireland in the Irish High Court and requested that the court refer 11 questions to the CJEU for a preliminary ruling. As part of this referral, the Irish High Court questioned the validity of both the SCCs and the Privacy Shield.
On 19 December 2019, Advocate General Henrik Saugmandsgaard Øe delivered an opinion, which recommended that the CJEU uphold the validity of the SCCs and return the matter to the Irish DPC on the basis that the analysis of the questions did not require an assessment of the validity of the SCCs. Most relevantly, the AG opined that while the CJEU should not take this opportunity to rule on the validity of a related transfer mechanism, the EU-US Privacy Shield, a full court review of the Privacy Shield would nonetheless be useful, even if it led to concerns about the validity of that mechanism.
The Preliminary Ruling (July 2020)
By its Preliminary Ruling, the CJEU concluded that the SCCs remain valid as an adequate safeguard for transferring personal data outside of the EEA, while declaring the Privacy Shield to be unlawful under the adequacy regime in the GDPR.
We have distilled below the key aspects of the judgment:
- The obligations on commercial parties to the SCCs. Organisations around the world have long assumed that implementing the SCCs will (alone) satisfy the GDPR obligation to implement an appropriate safeguard for data transfers outside of the EEA. The CJEU makes clear that this is not the case. The decision looks in detail at the obligations on “data exporters” and “data importers”:
  - The CJEU affirmed that data subjects whose personal data is transferred to a country outside the EEA pursuant to the SCCs must be afforded “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in light of the Charter [of Fundamental Rights]”. When assessing this level of protection, companies must take into account both the specific SCCs agreed in a contract between the “data exporter” in the EEA and the “data importer” established outside the EEA and any access to the transferred data that regulatory authorities in the data importer’s jurisdiction (Importer Jurisdiction) may have, together with the relevant aspects of the legal system of that jurisdiction.
  - In particular, if regulatory authorities in the Importer Jurisdiction have statutory rights or powers to access personal data of EU data subjects, “other clauses or additional safeguards” to supplement the SCCs will be required. It is hoped that supervisory authorities or the European Data Protection Board will issue clear guidance on what will be expected of data exporters going forward in this regard.
  - If the data importer is subject to local legal requirements which mean that it can no longer comply with its obligations under the SCCs, the importer has an obligation to notify the data exporter that it is unable to comply with its obligations under the SCCs. If a data exporter receives such a notice, the SCCs provide a right under Clause 5(b) for the exporter to suspend the data transfer and/or terminate the SCCs. The CJEU affirms the Advocate General’s Opinion that this is not simply a right but an obligation on data exporters to do so.
- The role of supervisory authorities in “policing” compliance with the SCCs. As supervisory authorities across the EU struggle to manage their current workloads, the CJEU has confirmed that in the absence of an adequacy decision, competent supervisory authorities are required to suspend or prohibit transfers of personal data to Importer Jurisdictions where, having assessed the relevant circumstances, the authority determines that the SCCs are not or cannot be complied with. This responsibility is only triggered where the data exporter in the EEA has not itself suspended or ceased the relevant transfer of personal data after receiving a notice from the data importer regarding an inability to comply with the SCCs.
- U.S. state surveillance not compatible with EU law. Following a detailed examination of the practices set out in section 702 of the Foreign Intelligence Surveillance Act, in Executive Order 12333 and in Presidential Policy Directive 28, the CJEU concluded that these legal instruments do not contain sufficient limitations to ensure proportionate use of personal data by US intelligence services and do not grant data subjects actionable rights before the US courts. Moreover, the CJEU found that the Ombudsman mechanism under the Privacy Shield did not provide a sufficient remedy to EU citizens as required by Article 47 of the EU Charter of Fundamental Rights. For these reasons, the CJEU declared the Privacy Shield to be invalid, with immediate effect. This judgment will inevitably set the bar higher for any future adequacy decisions made by the EU Commission – with the UK hoping to be the next cab off the rank.
For clarity, we note that while a Preliminary Ruling sets out the CJEU’s interpretations on EU law and the validity of EU legal instruments, it does not decide the dispute or complaint itself. The matter will now return to the Irish High Court to be determined.
So, where to from here?
- Regulatory burden for companies that rely on Privacy Shield. The validation of the SCCs by the CJEU is not unexpected, given the practical implications had the CJEU decided otherwise (according to IAPP research, about 88% of companies rely on SCCs to transfer data out of the EEA, while 60% use the Privacy Shield). However, there will now be a substantial regulatory burden for thousands of organisations that currently rely on the Privacy Shield to find alternative means to lawfully transfer personal data from the EEA to the US. According to one of the US interveners in the case, the Business Software Alliance, Inc., the CJEU’s invalidation of the Privacy Shield is “an unwelcome development at a time when businesses on both sides of the Atlantic are focusing on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so”.
- New SCCs that align with GDPR requirements. The CJEU's ruling comes as the EC is working on a "comprehensive modernisation of standard contractual clauses" to ensure they align with new requirements introduced by the GDPR (e.g. legal obligations on data processors). Currently, the two forms of SCCs approved by the EC do not reflect GDPR requirements and do not provide for data transfers from a processor to a subprocessor outside the EEA. This has led companies and privacy lawyers to adopt novel approaches to implementation of the SCCs (without the express or implied blessing of an EU supervisory authority) to ensure there is at least some form of appropriate safeguard in place to cover the relevant data transfer. The ruling is also important for companies that have included SCCs in their Brexit contingency plans, in the event that the UK does not obtain adequacy status by the expiry of the transition period on 31 December 2020.
Much wider implications
SCCs have been the bedrock of international personal data transfers long before the GDPR came into force. While the Preliminary Ruling provides a measure of certainty to organisations that transfer personal data outside the EEA, arguably, the EC's modernisation of the SCCs will be the more significant update on data transfers to which the GDPR applies.
Furthermore, the CJEU’s powerful statement on the impact of state surveillance on the validity of personal data transfers could cast doubt upon the lawfulness of transfers under the SCCs to other countries like China and India (and perhaps even Australia, given the passing of the Assistance and Access Act in 2018 and the tabled draft of the International Production Orders Bill), as well as on the UK’s mission to attain GDPR adequacy status before the end of the transition period. It is clear that EU businesses will need to consider the effect of the UK state surveillance programme under the Investigatory Powers Act 2016 (which, post-Brexit, is no longer subject to EU review). Watch this space.
Authors: Grace Loukides and Melissa Fai