On 16 July 2020 the CJEU delivered its judgment in ‘Schrems II’. In this case the CJEU looked at the legitimacy of the EU-US Privacy Shield arrangement (Privacy Shield) and the effectiveness of the European Commission’s Standard Contractual Clauses (SCCs) as a means for transferring personal data originating from the EEA.
This case is one of many brought by Belgian privacy campaigner Max Schrems, who has had long battles with Facebook over the use and transfer of his personal data (particularly in the US). He previously had success against Facebook in respect of the Safe Harbour Agreement, the Privacy Shield’s predecessor.
In this article we explain what happened in the judgment, outline some post-Brexit implications, and suggest some steps for your business to take as a result of the change to data protection law.
The CJEU declared the Privacy Shield invalid with immediate effect as a mechanism for EEA to US personal data transfers.
This decision is not surprising given the CJEU’s thinking behind its invalidation of the Safe Harbour Agreement back in 2015, and other similar data protection issues.
The CJEU noted that matters concerning national security and the access by public authorities to personal data must be provided for by law, and that this law must set out the limitations of the rights to access personal data as well as clear and precise rules governing the measures. The CJEU also emphasised the reference to ‘effective and enforceable data subject rights’ in Article 45(2)(a) GDPR. The CJEU looked at US practices set out in s.702 of the Foreign Intelligence Surveillance Act, Executive Order 1233 and in Presidential Policy Directive 28. The CJEU concluded that the provisions of these do not set out limitations on the powers of the intelligence services and do not give data subjects actionable rights before US courts, and so ‘cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter…’. The CJEU also concluded that the role of the Privacy Shield Ombudsperson is not enough to cure these deficiencies.
Standard Contractual Clauses (SCCs)
The CJEU’s decision in respect of SCCs is slightly more nuanced. Whilst the CJEU held that SCCs are valid as a mechanism for EEA to third country transfers, it places a heavy burden on individuals or businesses (data exporters) seeking to rely on them. If a data exporter decides to use SCCs, it is not enough to just fill in the Annexes and sign the document along with the data importer. The data exporter must now:
- assess the law and practice in the country to which personal data are being transferred; and
- if public authorities in that country may have access to such personal data, also assess the factors relevant to the Commission in making an adequacy decision under Article 45(2) GDPR
in order to determine if the guarantees made in the SCCs can be complied with in practice. The data importer may be able to assist with this, but in effect the CJEU now requires data exporters wanting to rely on SCCs to make ‘mini adequacy decisions’ on a case by case basis. The CJEU also noted that these factors are non-exhaustive, leaving the door open for it to introduce additional factors into an adequacy assessment in the future.
The CJEU also held that a competent supervisory authority (such as the Information Commissioner’s Office (ICO) here in the UK) is required to suspend or prohibit transfers of personal data to third countries pursuant to SCCs if, in the supervisory authority’s view and taking into account all the circumstances of the transfer, the SCCs are not or cannot be complied with in that third country and the protection of transferred personal data required by EU law.
Whether supervisory authorities will suspend or prohibit such transfers in practice remains to be seen, and the judgment’s wording around supervisory authorities’ views and the circumstances of the transfer gives them an element of discretion.
The judgment does not immediately impact transfers of personal data between the EEA and the UK. However, from 01 January 2021 the UK will be a third country with respect to personal data transfers, and EU and UK organisations will need a legally valid mechanism to continue transferring personal data.
The EU Commission could issue an adequacy decision in respect of the UK, removing the need for SCCs. An adequacy decision is issued when the EU Commission decides that a country offers levels of data protection essentially equivalent to those guaranteed by the GDPR. However, UK adequacy for data protection is far from certain because the UK has similar security and surveillance issues to the US (e.g. under the Investigatory Powers Act 2016), and in any case at the time of writing it is very unlikely the Commission would issue an adequacy decision by 01 January 2021.
So, it is much more likely EU-based data exporters will need to rely on SCCs to transfer personal data to the UK, which means under Schrems II they will have the burden of needing to consider UK law and practice and, if applicable, the adequacy decision factors given in Article 45(2) GDPR as stated above.
What should my business do?
If your business transfers personal data to the US or other third countries, we suggest the following at this stage:
- Monitor for and read guidance issued from the European Data Protection Board (EDPB), the ICO and the UK Government:
  - The EDPB is currently analysing Schrems II to determine the kind of supplementary measures that data exporters could provide in addition to SCCs and will provide further guidance. In the meantime it has published a useful FAQ document in which it recommends that data exporters must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere;
  - Today, the ICO released an updated statement in which it says data exporters should ‘take stock of the international transfers [they] make and react promptly as guidance and advice becomes available’ and that the ‘ICO understands the many challenges UK businesses are facing at the present time and [it] will continue to provide practical and pragmatic advice and support.’
- If you haven’t done so already, document your international personal data transfers and the bases for these, for example an adequacy decision or SCCs. This will enable you to identify areas of risk once further guidance has been released. You should not only document international transfers between controllers and processors, but also between processors and sub-processors. Note, international data transfers include those between organisations of the same group, not just separate organisations;
- Subject to guidance from the ICO, begin developing an approach for due diligence when an international personal data transfer is necessary.
It is of course uncertain exactly what impact this judgment will have on international personal data transfers in the long term. However, some academics think that this is the beginning of the end for SCCs. Others think the US and the EU may negotiate a ‘Privacy Shield 2.0’, which would then likely end up being challenged, perhaps even by Mr Schrems himself.
The current SCCs are long overdue an update (they don’t actually refer to the GDPR, but to the old Data Protection Directive) and the EU Commission has stated it will accelerate its review and update of them as a result of this judgment.
Given the difficult economic conditions owing to the ongoing coronavirus pandemic, businesses in the UK and throughout the EEA will want as much clarity as soon as possible so they can begin to fully assess how to change their policies and procedures with respect to international personal data transfers. The UK Government has stated it ‘remains committed to supporting UK organisations on international data transfers’.
In the longer term, more businesses may simply avoid international personal data transfers unless absolutely necessary by hosting personal data within the EEA. Indeed, given the volume of international personal data transfers and the number of businesses impacted by this judgment, it certainly seems like this presents a commercial opportunity.
We are of course monitoring the situation closely for new developments.
Our Corporate and Commercial law teams in Bristol and London specialise in advising SMEs and large businesses on data protection issues. If you have any questions about this article and/or you are looking for legal guidance in relation to it, please contact us by calling 0117 9069400 or email email@example.com
Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18