The General Data Protection Regulation (EU) 2016/679 (GDPR) prohibits transfers of personal data from the EU (including, for the time being, the UK) to third countries unless appropriate safeguards are in place to protect that personal data. Such appropriate safeguards include standard contractual clauses (SCCs) adopted by the European Commission (EC), which can be put in place between EU data exporters and third country data importers to provide the contractual safeguards the GDPR requires (SCCs do not themselves amount to a finding of adequacy). For transfers to the USA, EU data exporters have also, until now, been able to rely on the EU-US Privacy Shield arrangement, a scheme allowing transfers to organisations that self-certify adherence to certain data protection principles.
The case is the result of a complaint from Austrian privacy activist, Max Schrems, who famously brought down the EU-US Safe Harbor arrangement (the predecessor to Privacy Shield) in 2015. This was the result of a complaint by Mr Schrems to the Irish Data Protection Commissioner (DPC) against Facebook Ireland regarding Facebook’s reliance on Safe Harbor to transfer personal data to Facebook in the USA.
The complaint leading to the Schrems II case was a reformulation of his original complaint, this time focusing on Facebook’s reliance on SCCs to legitimise data transfers to Facebook in the US. The DPC brought proceedings before the Irish High Court, which referred questions to the CJEU concerning the validity of SCCs and Privacy Shield.
In a shock judgment, the CJEU has declared that Privacy Shield is invalid. The CJEU considered that US laws continue to grant rights to US public authorities to access and use EU personal data that do not include sufficient limitations and safeguards to ensure appropriate protection of data subjects. The Privacy Shield Ombudsperson mechanism (introduced in response to the invalidation of Safe Harbor) was also not considered to provide data subjects with an appropriate cause of action offering equivalent protections to the GDPR.
Taken together, the CJEU considers that these points mean that Privacy Shield does not ensure a level of protection that is essentially equivalent to that required by the GDPR and, as such, can no longer be valid in accordance with the GDPR requirements.
SCCs remain valid, but with some significant caveats. EU data exporters can only rely on SCCs where they satisfy themselves, on a case-by-case basis, that the laws of the country to which personal data is being transferred offer an appropriate level of protection of that data, supplementing the SCCs with additional measures where necessary to achieve that level of protection. Data importers themselves are obliged to inform the data exporter if they become aware of circumstances that mean they can no longer comply with the SCCs. If exporters become aware (either through notification by the importer or via other means) of any such circumstances, they must suspend the transfers or terminate the contract with the importer.
The CJEU also reinforced that supervisory authorities in the EU must suspend or prohibit transfers of personal data if they consider that SCCs can no longer be complied with in that country due to deficiencies in that country’s laws.
As the decision has been released during the transition period, it applies to UK organisations in the same way as to EU organisations. The UK faces wider questions about what this will mean for its future trade negotiations with both the EU and the US. If the EC does not grant the UK adequacy, transfers from the EU to the UK will be likely to rely heavily on SCCs.
The UK’s approach to data transfers to the US will, no doubt, influence the EC’s views on UK adequacy. If the UK moves away from the judgment post-transition, for example by implementing its own “Privacy Shield” style arrangement or declaring the US adequate, this may affect how the EU approaches its adequacy decision in respect of the UK.
The judgment will have far-reaching effects for both EU/UK data exporters and their third country importers. SCCs will require far more thought and analysis of third countries’ data protection regimes before they can be comfortably relied on. A replacement to Privacy Shield may be proposed, but realistically an alternative is likely to require commitments from the US to change its legal regime, which are unlikely to be forthcoming. It will be difficult for organisations to rely on SCCs as an alternative to Privacy Shield in light of the CJEU’s clear view that the US does not provide appropriate protection for personal data.
EU and UK organisations will need to review all of their international data transfers and establish what adequacy mechanisms are currently being relied on. Many organisations may well look to move away from transfers to the US altogether. However, it is not just US transfers that are affected; all international data transfers covered by SCCs will also need to be reviewed to ensure that the laws of the relevant recipient countries provide appropriate levels of protection to continue to rely on SCCs. Many countries may struggle to satisfy this high bar – for example those countries which have previously applied (whether formally or informally) and been turned down for an EC adequacy decision.
Frustrations will also, no doubt, be felt by those who were hoping that the judgment would lead to an update of SCCs, which have been widely acknowledged for some time as being out-of-date and unfit for purpose. The 5,000 plus US businesses who invested significant resource in certifying with Privacy Shield will also be reeling, and wondering what their options are going forward.
Guidance from the Information Commissioner’s Office in the UK and, more widely, the European Data Protection Board, will be indispensable as organisations start to try and navigate these tricky waters.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
16 July 2020
Partner, Head of Data privacy & cybersecurity London
Managing Associate Bristol