On July 16, 2020, the Court of Justice of the European Union (“CJEU” or “Court”) issued a significant judgment in Case C-311/18 (“Schrems II decision”) on the adequacy of protection provided by the EU-US Data Protection Shield. The court concluded that the Standard Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of personal data to processors outside of the EU continue to be valid. However, the Court also invalidated the E.U.-U.S. Privacy Shield framework. In our post below, we: (I) provide some background on the events leading up to today’s decision; (II) summarize today’s decision and (III) provide some reflection on what it means for U.S. organizations that transfer personal data from Europe.
The Schrems II decision is the latest in a series of decisions regarding privacy advocate Maximilian Schrems (“Max Schrems”), who filed a complaint in 2015 with the Irish Data Protection Commissioner challenging Facebook Ireland’s reliance on standard contractual clauses (“SCCs”) as a legal basis for transferring personal data to Facebook Inc. in the United States. Facebook turned to the SCCs after the CJEU had invalidated the US-EU Safe Harbor framework in 2015 upon Max Schrems’ earlier complaint.
The General Data Protection Regulation (‘the GDPR’) provides that the transfer of personal data to a third country may, in principle, take place only if the third country in question ensures an “adequate level of data protection”. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard contractual clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.
Max Schrems, an Austrian national residing in Austria, has used Facebook since 2008. The personal data of Mr. Schrems (and other European nationals) is transferred by Facebook Ireland to Facebook servers located in the United States, where it is processed. Mr. Schrems lodged a complaint with the Irish data protection authority (“DPA”) seeking to prohibit those transfers. He claimed that U.S. laws and practices do not sufficiently protect against access to the transferred data by U.S. public authorities. Specifically, he was concerned that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner inconsistent with privacy rights guaranteed in the EU, and that there is no remedy available to EU citizens to ensure protection of their personal data after it is transferred to the U.S. Mr. Schrems’ complaint was rejected at the time on the basis, among others, that the Commission had already found that the U.S. Safe Harbor Framework did ensure an adequate level of protection in Decision 2000/5205 (“the Safe Harbour Decision”).
Following his complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling. These questions primarily addressed the validity of the SCCs, but also raised concerns about the E.U.-U.S. Privacy Shield framework. On October 6, 2015, the CJEU declared that the Safe Harbour Decision to be invalid (“the Schrems I judgment”), thus invalidating the EU-US Safe Harbor Framework and annulling the rejection of Max Schrems’ complaint.
In light of the Schrems I judgment, the Irish DPA then asked Mr. Schrems to amend his complaint. In his amended complaint, Mr. Schrems claimed that the U.S. still does not sufficiently protect data transferred to that country, and sought to suspend or prohibit future transfers of his personal data from the EU to the United States. Meanwhile, Facebook Ireland had begun carrying out data transfers pursuant to the alternative method of standard contractual clauses (“SCCs”) set out in the Annex to Decision 2010/87 (“SCC Decision”), which provides standard contractual clauses which could be used for data transfers to countries that had not been deemed adequate.
Since the outcome of Mr. Schrems’ amended complaint hinged upon the validity of the SCC Decision, the Irish DPA brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the E.U.-U.S. Privacy Shield (‘the Privacy Shield Decision’).
In today’s decision, the Irish High Court asked the CJEU whether: (1) the GDPR applies to transfers of personal data pursuant to the SCCs from Decision 2010/87, and what level of protection is required by the GDPR in connection with such a transfer and (2) what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raised the question of the validity of both (3) the 2010 SCC Decision and (4) the 2016 Privacy Shield Decision.
In today’s decision, the Court stated that:
(1) GDPR Applies to Data Transfers. EU Law, and the GDPR in particular, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defense and state security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR. The requirements of the GDPR concerning appropriate safeguards, enforceable rights, and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to SCCs must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. The assessment of that level of protection must take into consideration both: (a) the contractual clauses agreed between the data exporter established in the EU and the data importer recipient established in the third country concerned and, (b) the relevant aspects of the third country’s legal system regarding access by public authorities of that third country.
(2) Obligations of Supervisory Authorities. Regarding obligations of supervisory authorities (such as the Irish DPA) in connection with such a transfer, the CJEU held that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where the DPA takes the view, in the light of all the circumstances of the transfer, that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.
(3) Validation of SCC Decision. The Court found that Decision 2010/87 (SCC Decision) sufficiently establishes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and to ensure that transfers of personal data pursuant to such clauses a suspended or prohibited in the event of the breach of such clauses or it being impossible honor them. Specifically, the Court pointed out that, in particular, that that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. The court also emphasized the EU organizations relying on them must take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the data importer’s jurisdiction. The Court stated that many organizations may implement additional safeguards to ensure an “adequate level of protection” for personal data transfers, although it was not specific on what those additional safeguards might be. Further, non-EU organizations importing data from the EU based on SCCs must inform data exporters in the EU of any inability to comply with the SCCs. When non-EU data importers are unable to comply with the SCCs, and there are not additional safeguards in place to ensure an “adequate level of protection”, the EU data exporter must suspend the transfer of data and/or terminate the contract.
(4) Invalidity of Privacy Shield Decision. Finally, the CJEU decided, unexpectedly, to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In invalidating the Privacy Shield, the Court took the view that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law…” Specifically, the CJEU found, the Privacy Shield and its Ombudsperson mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.” For these reasons, the Court declared the Privacy Shield Decision to be invalid.
Therefore, while the SCCs remain valid under today’s decision, organizations that currently rely on SCCs will need to consider whether there is still an “adequate level of protection” for the personal data as required by EU law, taking into account the nature of the personal data, the purposes and context of the processing, and the country of destination. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
Further, organizations that currently rely on the EU- U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. These may include the SCCs that remain valid (along with any additional safeguards as necessary). Alternatives may also include derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), or Binding Corporate Rules (“BCRs”) as set forth in the GDPR.
To read the CJEU decision, click here.
To read the CJEU press release, click here.