The Court of Justice of the European Union (“CJEU”) has ruled that one of the main mechanisms allowing the transfers of personal data from the EU (and UK) to the United States of America is invalid. This mechanism, called the “EU-US Privacy Shield”, has been in place since 2016. At the same time, the CJEU has decided that another mechanism, called Standard Contractual Clauses (“SCCs”) or Model Clauses, is valid in principle to allow transfers of personal data outside the EU. However, in practice, when applying the CJEU’s overall reasoning, SCCs may not be a lawful basis for transfers of personal data to the United States, or indeed, to other third countries.
Organisations who engage in any transfers of personal data outside the EU and the UK will need to carefully consider this ruling. We are awaiting a response from the European Commission and the UK Information Commissioner to today’s ruling and the practical steps that organisations might take, so transfers of data are unlikely to need to stop immediately.
Here is a fuller explanation of the CJEU’s judgment.
In 2016, the European Commission issued a Decision which set up the EU-US Privacy Shield regime (to provide a lawful basis for the transfer of personal data from Europe to certain businesses in the United States). The Privacy Shield itself was a replacement for the EU-US “Safe Harbor” regime, which in a similar way to the Privacy Shield gave automatic protection for personal data transferred to American businesses who had registered for the scheme via the US Department of Commerce. Both regimes have operated on the principle that self-certifying US companies agree to certain commitments about how they will treat personal data exported from Europe, essentially to ensure a degree of protection for that data which is similar to the protection it would otherwise have under European data protection legislation (including, since May 2018, the GDPR).
The practical effect of the CJEU’s decision today is that “data importer” organisations based in the United States and “data exporter” organisations in the EU (or the UK) can no longer rely on the Privacy Shield to provide a lawful basis for the transfer of personal data outside the EU or the UK. In a similar way to how the European Commission has made “adequacy decisions” in respect of a number of countries (eg Argentina, Guernsey, Isle of Man, Jersey, and Japan – plus several others), the Privacy Shield (and Safe Harbor before it) was based on a European Commission view that US companies which agreed to adhere to the framework would automatically provide adequate protection for personal data transferred to them. The unusual feature of the Privacy Shield was that it only provided protection for self-certifying US businesses, and not for any organisation based in the United States (as would be the case for the “adequacy decisions” in respect of whole countries such as Argentina).
The legal challenge to the validity of the Privacy Shield began several years ago, driven by Austrian privacy campaigner Max Schrems, who was unhappy about the privacy implications of Facebook Ireland (from where Facebook runs its operations for all European users) transferring user data to Facebook Inc. in the United States. Facebook’s justification for these transfers had originally been that they are made under the EU-US “Safe Harbor” regime – but Mr Schrems successfully challenged the adequacy of that framework and in October 2015 the CJEU declared the “Safe Harbor” regime to be invalid in a decision commonly referred to as “the Schrems I judgment”.
Mr Schrems then re-directed his case to focus on the validity of SCCs. The case was widened later to include the Privacy Shield regime that replaced Safe Harbor. Mr Schrems argued that the United States does not offer sufficient protection for personal data given inherent weaknesses in the SCCs and the Privacy Shield framework. Assessing Mr Schrems’ case and delivering “the Schrems II judgment”, the CJEU has held:
- Individuals whose personal data are processed under the GDPR must be afforded a level of protection for their personal data which is “essentially equivalent” to that guaranteed within the EU (and the UK) by the GDPR, including when those personal data are transferred outside of Europe (this is not new and instead reflects earlier CJEU decisions);
- The assessment of that level of protection for personal data must take into account:
  a. Any contractual clauses agreed between the data exporter based in Europe and the data importer based in another country;
  b. Whether public authorities in the data importer’s country have access to that personal data once it has been transferred there (which the CJEU has ruled is a major problem for the United States, given the wide powers the US Government has given to its national security and law enforcement agencies, allowing interception and access to communications under surveillance programmes which extend to non-US citizens, etc); and
  c. Other aspects of the legal system in the data importer’s country, including the adequacy of privacy laws generally, their enforcement by the courts and other regulators, and rights of redress for data subjects who are unhappy with how their personal data has been processed.
In short, the CJEU has found in this latest Schrems II decision that the Privacy Shield is invalid on grounds b. and c. above. The CJEU has decided (contrary to the EU Commission’s assessment when putting in place Privacy Shield) that American surveillance laws are simply too wide to be sufficiently compatible with the EU regime underpinning the protection of personal data. In addition, EU citizens have no effective ability to enforce their rights in America (an Ombudsman scheme set up in the United States to protect those rights is insufficient, again contrary to the EU Commission’s assessment when issuing the Privacy Shield Decision).
While the CJEU has effectively put a stop to all transfers relying on the Privacy Shield, it decided that SCCs are still valid in principle. This mechanism is available for transfers to the United States and to other third countries outside the EU. The invalidation of SCCs could have been much more serious in interrupting data transfers globally.
However, the CJEU includes a very significant caveat which puts the onus on data protection supervisory authorities (including the Information Commissioner’s Office, in the UK) to police the use of SCCs – the CJEU holding that supervisory authorities must “suspend or prohibit a transfer of personal data to a third country where they take the view… that the standard data protection clauses are not or cannot be complied with in that country”. And parties entering into SCCs must make that assessment for themselves before making transfers and keep the position under review. If, for example, the legal position changes in the recipient’s country then the transfers must stop and any data already transferred must be destroyed or returned.
In our view, this creates a major problem for data transfers from Europe to the United States if organisations now seek to rely on SCCs. It will be difficult for the parties to those transfers and European data protection regulators to conclude that the SCCs will be complied with by the transferee when the underlying US laws have already been found to be fundamentally incompatible with the EU legal regime. Similar assessments will also have to be made in relation to other third countries, so wider global data flows could also be affected by the CJEU’s decision.
This is also a potential blow for the UK’s wish to be granted an “adequacy decision” by the European Commission after the end of the Brexit transition period. At that time, the UK will become a “third country” like the United States for GDPR purposes. An adequacy decision from the European Commission would continue to allow transfers of personal data from the EU to the UK. But, like Privacy Shield, this adequacy decision could be challenged (or refused by the EU Commission), with the most likely objection being the UK’s laws on data gathering and surveillance in the law enforcement and national security sphere.
We will of course keep you updated as this develops.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2020