Court of Justice invalidates EU-US Privacy Shield in Schrems II

On 17 July 2020, the Court of Justice of the European Union ('CJEU') delivered its long awaited judgment in the Schrems II case. The Court declared the Privacy Shield as a mechanism for the transfer of personal data from the EU to the US invalid.

However, according to the Court, the transfer of personal data on the basis of standard contractual clauses (SCCs) remains possible and can therefore serve as an alternative to the Privacy Shield. Nevertheless, the SCCs are also called into question by the Schrems II judgment, as the Court imposed conditions on their use. Below the background of this ground breaking judgment is explained, as well as the consequences for your organization. 

Update: Following the CJEU ruling of 16 July 2020 in the Schrems II case, the EDPB has provided some useful guidance on supplementary measures to take in order to make your international transfers permitted under the GDPR. In addition, the European Commission has published new SCCs pursuant to the GDPR which formally require data exporters to perform a data transfer impact assessment (TIA). Read all about it in our dedicated blogpost: checklist for transferring personal data after Schrems II. 

Background

In 2019 we already wrote a blog post on the occasion of the hearing in the Grand Chamber of the CJEU in the Schrems II case. 

We explained how Maximilian Schrems engaged in a legal battle against Facebook in 2013 which led to the Court of Justice declaring the Safe Harbour mechanism for the transfer of personal data from the EU to the US invalid in 2015, because of US law not ensuring the adequate level of protection of personal data required under EU data protection law. The Safe Harbour mechanism referred to the adequacy decision of the European Commission as one of the possibilities to transfer personal data outside the European Economic Area (EEA).

The reason for Schrems' legal battle were Facebook's privacy violations that came to light following the revelations of Edward Snowden. These revealed that Facebook Ireland transferred personal data of EU residents to Facebook Inc. for processing on US servers and subsequently gave US intelligence services access to these personal data for surveillance purposes. Schrems filed a complaint with the Irish Data Protection Commission (DPC) and eventually obtained the invalidity of the 'Safe Harbour Framework' before the Court of Justice (Schrems I). 

Given that the Schrems I judgment removed the main mechanism for the transfer of personal data from the EU to the US, a new, similar mechanism for transatlantic data transfers was designed by the European Commission in 2016, namely the 'EU-US Privacy Shield'. 

However, the investigation by the Irish Data Protection Commission showed that the transfer of a large part of the personal data of EU residents by Facebook Ireland to Facebook Inc. was not based on the (former) Safe Harbour Framework, but on the SCCs, so that Schrems reformulated its complaint and the Court of Justice focused on both the SCCs and the new EU-US Privacy Shield in the Schrems II case. 

Decision in Schrems II

The EU-US Privacy Shield = invalid 

In Schrems II, the Court of Justice invalidated the EU-US Privacy Shield (or, more accurately, the EU-US Privacy Shield Adequacy Decision of the European Commission). In this Adequacy Decision, the European Commission confirmed that the US ensured an adequate level of protection for the transfer of personal data from the EU to self-certifying organisations in the US under the EU-US Privacy Shield. 

This was now contradicted by the Court of Justice in its judgment of 17 July 2020. The Court of Justice ruled that the Privacy Shield is incompatible with the GDPR and is therefore invalid. Reasons for this were that:

(1) The US legal framework for surveillance activities does not sufficiently specify in which circumstances and under which conditions surveillance activities leading to the processing of personal data may be carried out, so that such interference is not limited to what is strictly necessary and thus contrary to the principle of proportionality of the GDPR. 

(2) The US legal framework does not provide data subjects with sufficient administrative or judicial remedies to object to the processing of their personal data. Similarly, the Ombudsperson introduced for this purpose does not provide sufficient safeguards, as his/her decisions cannot bind the US intelligence services. 

The SCCs = valid, subject to conditions

As regards the SCCs, the Court of Justice held that they are still valid as a mechanism for the transfer of personal data from the EU to non-EEA countries, but only to the extent that the controller or processor provides adequate safeguards to ensure a level of protection essentially equivalent to that provided by EU law. 

Therefore, since the SCCs, as a contractual mechanism, do not contain safeguards which can be invoked against the public authorities of the non-EEA countries to which personal data are transferred, it is necessary for the controller itself to verify whether the law of the non-EEA country to which data will be exported ensures adequate protection under EU law for transfers on the basis of SCCs.

If it were found that this 'data importing country' does not provide an adequate level of protection, the controller itself will have to provide for additional safeguards in the SCCs (e.g. in terms of data subjects' rights or remedies) in order to ensure the respect of the EU level of protection.

What these additional measures may entail is not clear at the moment, but will most likely be clarified by the European Data Protection Board (EDPB) which, in its 'Statement' on the judgment, indicated that it will further investigate on this issue. 

If additional safeguards are not possible, the controller (or if necessary the competent data protection authority) is obliged to suspend or terminate the transfer of personal data to the third country. In any event, data importers are obliged to notify the data controller if they are unable to comply with the provisions of the SCCs so that the transfer can be suspended or terminated. 

Possible consequences for your organisation 

The fall of the Privacy Shield means that all organisations relying on the Privacy Shield for transatlantic transfers of personal data will either:

• have to stop this data export or 
• provide for another mechanism of transfer in accordance with Chapter V of the GDPR. 

This adjustment must be made as soon as possible, since the Court of Justice has declared the Privacy Shield invalid with immediate effect, without any transition period. This means that those who continue to rely on the Privacy Shield (for example via their use of Google Analytics) will be exposed to immense fines and possible damages for data breaches that would occur at the recipient's end in the US. 

The most urgent action points for organisations are the following:

• Organisations should first check in their register of processing activities and privacy policies whether they rely on the Privacy Shield or SCCs.
• If the organisation relies on the Privacy Shield, this should be adjusted immediately. 
• If the organisation relies on SCCs (or any other transfer mechanism of article 46 GDPR) to transfer personal data to non-EEA countries, then the organisation will have to scrutinise the law of that third country, in particular as regards access by national security authorities to the personal data of EU residents and the redress possibilities for the data subjects. They will thus have to perform a ‘transfer impact assessment’ (TIA) of some kind. If that TIA reveals a lack of data protection, the controller will have to compensate this by providing additional safeguards. What these additional safeguards should include is not yet clear. Hopefully, official guidelines and advice will soon be issued to help EEA exporters.

In any case, it is recommended that organisations have their international data transfer agreements thoroughly checked by an expert in the field. And this certainly for exports of personal data to the US and UK. You can read more about the export of personal data to the UK on our Brexit page.

Do you have further questions about data protection and data export or would you like to have your international transfer agreements checked? Contact Timelex.