The broken shield: a compliance nightmare?
On Thursday 16 July, the Court of Justice of the European Union (CJEU) made a landmark decision in Data Protection Commissioner v Facebook Ireland and Schrems (Case C-311/18) (the “Schrems II” case): while it upheld the use of standard contractual clauses (SCCs), it invalidated the EU-US Privacy Shield.
Background
In 2000 the European Commission established a mechanism for the transfer of personal data from the EU to the US, known as “Safe Harbour”. Thirteen years after the data transfer mechanism had been established, Max Schrems, an Austrian lawyer and privacy advocate, made a complaint to the Irish Data Protection Commissioner regarding data transfers by Facebook Ireland to the US under Safe Harbour. At the time, organisations which complied with the Safe Harbour privacy principles were permitted to transfer data from the EU to the US. However, as a result of Schrems’ complaint, in 2015 the CJEU invalidated Safe Harbour as it was found that this mechanism did not adequately protect the personal data of EU citizens ("Schrems I", Case C-362/14).
As a result of Safe Harbour’s swift ending, the US Department of Commerce and the European Commission worked quickly to create a new mechanism which would again allow the transatlantic transfer of personal data from the EU to the US. The EU-US Privacy Shield became operational in 2016 and has become a well-known and well-used mechanism for transatlantic data transfer ever since.
Moving onto the current case (Schrems II), here the CJEU looked at the validity of both SCCs – another data transfer mechanism which has been approved by the European Commission to ensure that the personal data of EU citizens is protected when transferred outside the EU – and the EU-US Privacy Shield. The outcome: the CJEU upheld the use of SCCs, but invalidated the Privacy Shield.
Why was the EU-US Privacy Shield invalidated?
Under the General Data Protection Regulation (GDPR), the self-proclaimed “toughest privacy and security law in the world”, personal data can only be transferred outside the European Economic Area (EEA) if the country receiving the data can offer adequate protection. The EU-US Privacy Shield was invalidated on exactly this point: whether it could offer adequate protection to the personal data of EU citizens.
The court stated that “the access and use by US public authorities of such data transferred… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law”. There was concern regarding the surveillance of personal data by public authorities in the US in terms of such surveillance not being limited to what is strictly necessary. Other concerns were raised that the Privacy Shield does not provide data subjects with any cause of action before a body which guarantees protections substantially equivalent to those required by EU law.
Why do the SCCs remain valid?
Much to the relief of all the organisations that currently use them as a way to share personal data outside the EEA (including the US), the CJEU upheld the validity of the SCCs. However, although their validity has been upheld, the court examined GDPR's requirement of ensuring appropriate safeguards are in place for international data transfers, and concluded that while the SCCs met part of this requirement, it was also necessary for the data controller to assess the practical ability of the recipient to comply with the SCCs against the backdrop of their legal system.
In practice, this means that prior to parties signing up to agreements that involve the international sharing of personal data, not just to the US but to any other country outside the EEA, simply incorporating the SCCs into the agreement will not be sufficient. Data controllers ought to be assessing whether the recipient can realistically comply with the SCCs and thus provide adequate protection in the relevant jurisdiction, taking into account the recipient’s legal system. If it is felt that adequate protection could not be met under the SCCs, organisations must seek to provide additional safeguards or suspend transfers.
It is currently unclear how data controllers ought realistically to assess whether the recipient’s legal system supports the recipient’s compliance with the SCCs, other than seeking a legal opinion from a suitably qualified practitioner in the relevant jurisdiction, which will add not only additional cost to the project but also possible time delays. It could also result in situations where significant time is spent assessing adequacy, to find it is inadequate and other routes to transfer must be explored.
It may be that one way to help manage this would be to create a “blacklist” of countries whose legal systems have been reviewed by, for example, the European Commission and considered as not providing adequate protection, thus allowing data controllers to easily identify recipient countries where reliance on the SCCs would not be a route to support international data transfers. It may well be that the US is already on such a blacklist, on the basis that the Privacy Shield was invalidated because the US was considered not to provide adequate protection in practice.
The court further states that if the data controller does not suspend or cease transferring data where this requirement has not been met, the supervisory authority (the Information Commissioner’s Office, or ICO, in the UK) should step in and suspend or prohibit such transfers. This raises the question of how the ICO will have knowledge of all of these transfers, and/or the resources to confirm in a timely manner whether checks undertaken by data controllers are adequate, in order to step in. It would seem that this will be difficult to manage on a practical level.
Implications
Schrems II is a landmark case and will have significant implications not just for EU-US transfers but transfers to other countries outside the EEA. No doubt many organisations will be concerned about the validity of their data transfers in light of this judgment, with particular concern over any data transfers to the US. While early indications are that there may well be a replacement for the Privacy Shield, there is little information on what that will look like and when it will be in place. What we do know is that any data transfers on the basis of the Privacy Shield are not in compliance with the GDPR, and organisations relying on the Privacy Shield should start looking at other options for supporting the transfer in line with GDPR.
Organisations relying on the SCCs should also consider, on a case by case basis, whether the laws and legal system of the recipient country support compliance with the SCCs on a practical level.
Generally, the case raises questions about how organisations should support international data transfers in a practical and cost-effective manner. While the decision on the Privacy Shield is fairly clear cut, there is significant ambiguity about how organisations can practically and adequately assess whether the SCCs would be an appropriate mechanism to support international data transfers.
Over the coming months, there will hopefully be answers to these questions. Both the European Data Protection Board and the UK Information Commissioner’s Office (ICO) have confirmed that more guidance will be provided. In the meantime, we recommend:
- Capture all data exports to the US, and identify those which relied on the EU-US Privacy Shield and the SCCs.
- For those relying on the EU-US Privacy Shield currently, consider alternative transfer mechanisms and whether any of these can be used to support EU-US data exports.
- For those relying on the SCCs currently, you need to understand whether US local laws or surveillance practices will impact the data importer's ability to comply with the SCCs. Organisations are encouraged to undertake documented risk assessments to support this.
- Review your contractual arrangements with US parties and understand whether any amendments need to be made.
- Review all other data exports outside the EEA and identify those that rely on the SCCs. Again, you need to understand whether local laws or surveillance practices will impact the data importer's ability to comply with the SCCs, by undertaking documented risk assessments.