Schrems II: CJEU judgment jeopardises legality of international data transfers

Back in February this year, HLaw commented on what Brexit might mean for the GDPR.  We noted then that UK based organisations could rely on the EU-US Privacy Shield to cover data transfers to and from the US.

On 16 July 2020, the Court of Justice of the European Union (“CJEU”) struck down the Privacy Shield agreement in its judgment of the Schrems II case.

Many companies based in the EU that transfer data to the US have been left scratching their heads as a result.

Schrems I, the end of Safe Harbour

Author and privacy activist Max Schrems successfully brought the claim which resulted in the invalidation of the ‘Safe Harbour’ agreement between the US and the EU in October 2015. The Safe Harbour principles were developed in July 2000 to safeguard the data of EU citizens being transferred to the US.  Self-certified US companies under the Safe Harbour principles had to ensure they provided an adequate level of protection for personal data transferred from the EU.

Privacy Shield

After the Safe Harbour nullification, the ‘Privacy Shield’ framework was introduced to enable lawful data flows between the EU and US.

This new framework had a similar structure as the Safe Harbour agreement but placed additional requirements on businesses to guarantee adequate data protection standards.

The Privacy Shield was clearly influenced by the EU’s General Data Protection Regulation (“GDPR”), introducing accountability, purpose limitation and a right of data portability (and so mirroring some of the key principles which protect personal data in the EU).

Importantly, the Privacy Shield framework included a publicly available website which listed those companies that had self-certified under the framework.  Once self-certified, US companies could receive personal data transferred from the EU without requiring any further steps to legitimise the transfer.

Not more than four years down the line, Privacy Shield has met the same fate as its predecessor and has been declared invalid by the CJEU.

Standard Contractual Clauses

In addition to Privacy Shield, US businesses could also rely on an alternative transfer mechanism such as Standard Contractual Clauses (“SCCs”).

SCCs are a set of contractual clauses agreed by the European Commission as providing an adequate level of protection for personal data transferred. They are used to transfer personal data between an EU based controller and a controller or processor based in a third country outside the EU.

In 2001 (controller to controller clauses), 2004 (alternative controller to controller clauses), and 2010 (controller to processor clauses), the European Commission (“EC”) introduced three sets of SCCs, which need to be entered into without alteration in order to govern the transfer of data from the EU to data controllers or processors located in third countries.

Schrems II judgment

The Privacy Shield framework has been ruled invalid by the CJEU in Schrems II on the basis that:

• Surveillance activities by US government authorities are incompatible with the requirements of EU law; and
• EU data subjects seemingly have no effective remedy if they are caught within a US surveillance program.

The CJEU found that US surveillance laws were in direct conflict with EU fundamental rights. The US does not offer any protection to the data of EU data subjects under these laws.

…but SCCs remain available to use (with restrictions) …

The CJEU has ruled that SCCs will remain valid, provided that they contain sufficient safeguards to ensure the protection afforded will be in line with that guaranteed in the EU. The CJEU has clarified that SCCs on their own do not necessarily provide the required protection of personal data.

The data exporter must assess on a case-by-case basis before any transfer is made whether the SCCs can ensure that the data transferred will be protected in the destination country and whether such protection will be in line with the protection afforded in the EU.

If the exporter believes there is insufficient protection, they must implement supplementary measures to ensure protection is on par with the EU. The CJEU has not specified what these measures should include.

If a data exporter comes to the conclusion that such safeguards for the transferred data cannot be ensured, the transfer must be suspended or ceased immediately.

This places much responsibility on the data exporter to assess whether there are laws in the destination country that will override the protections provided under the SCCs.

The CJEU has further stressed the duty of relevant EU data protection authorities (“DPA”) to take action in cases where the data exporter continues to transfer data despite finding the transfer is not safe.

Ultimately, in the UK and other jurisdictions, the DPA will have the final say in whether a company can rely on SCCs and will have the power to invalidate them accordingly.

International response

The CJEU judgment has been met with mixed responses from different DPAs in the EU.

In a statement made by UK’s ICO on 16 July 2020, they stated they were still considering the judgment and would continue to work with the government and other international agencies to ensure that global data flows could continue without disruption.

However, the German DPAs in Berlin (Berlin Commissioner) and Hamburg (Hamburg Commissioner for Data Protection and Freedom of Information) have issued stringent statements, with the Berlin Commissioner effectively announcing that any transfers to the US should cease immediately and that any data controllers that are subject to the supervision of the Berlin DPA and are sending personal data to the US should look to other service providers based in the EU or a third party country with adequate levels of protection for personal data.

To complicate issues further, the UK’s position is unique, in the sense that it is no longer an EU member state but up until the end of 2020 (at least) will remain bound by EU data protection legislation under the agreed transitional arrangements.

After 31 December 2020, the UK will be treated as a ‘third country’ and become subject to stringent rules unless it receives an adequacy decision in time.

The European Data Protection Board (“EDPB”), however, cast doubt in June 2020 on the prospects of a UK adequacy decision, based on the UK’s previous agreements with the US.  Therefore, after the end of December 2020, the UK may become a third-country for the purposes of EU data protection law. In which case, transfers of personal data will not be allowed from the EU to the UK unless appropriate safeguards are put in place. Watch this space.

Impact on businesses

The EDPB has clarified that there will be no grace period for the Schrems II decision – any data flows from the EU to the US that do not have an alternative appropriate safeguard will no longer be permitted.

There are over 5,000 US organisations that rely on the Privacy Shield, including tech titans such as Amazon and Facebook.

These organisations, together with EU and UK entities which transfer data to the US in reliance on Privacy Shield, will have to cease all transfers that previously relied on the Privacy Shield unless they have an alternative appropriate safeguard for the transfer. Most companies will now turn to SCCs to ensure the continued flow of data from the EU to the US and other third countries.

Businesses should not be blindly relying on SSCs but should be looking to conduct case-by-case assessments of whether the laws of each destination country are sufficient and can offer an equivalent level of protection to personal data transferred as that afforded by the EU before continuing the transfer.

It is important to document any assessments made by your business, to be used as evidence if the relevant DPAs ever decide to audit your business.

An incorrect assessment could have severe consequences – a violation of the GDPR could incur a maximum fine of €20 million or 4% of a company’s annual worldwide turnover, whichever is greater.

Comment

HLaw data protection and privacy expert, Husna Grimes, commented:

“We are left with more questions than answers following the decision in Schrems II.

Clearly Privacy Shield can no longer be used to transfer personal data to the US. Nevertheless, the decision has created confusion in relation to the use of SCCs to legitimise international transfers. This confusion is not limited to transfers of data to the US but also casts a shadow over transfers of personal data around the world. 

The Information Commissioner’s Office in the UK has indicated that further work is underway between the European Commission and the EDPB to provide more comprehensive guidance on the additional measures that entities may need to take.

In the meantime, companies should take stock of their international data transfers and the safeguards used to legitimise such transfers and stay abreast of further guidance issued by the DPAs.”

Final thoughts

The Schrems II decision has been a blow to the many companies who previously transferred personal data to the US in reliance on the Privacy Shield framework.

The judgment has also reiterated the standard of protection for personal data. The use of SCCs to legitimise data transfers is not a tick box exercise but requires businesses to seriously consider whether the use of such clauses offers the required level of protection for data being transferred in light of the laws of the relevant third country.

The CJEU has stated that appropriate safeguards and supplementary measures should be used by businesses if they come to the conclusion that relying solely on SCCs will not provide the required level of protection. There is no clear guidance as to what such measures are yet, and we await further clarification from the European Data Protection Board (“EDPB”).

The CJEU judgment may also lead to calls within the US to adjust their laws in order to match the protections afforded to personal data in the EU if that is deemed necessary to maintain transatlantic data transfers.

On 10 August 2020, the European Commission and the US department of Commerce confirmed that discussions had begun for a new and improved Privacy Shield.  Watch this space to see if third time’s the charm.

This piece was researched and prepared by Victoria Clement and James Maddern whilst on an internship with HLaw during the summer of 2020, with comment from Husna Grimes.

All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website.  None of the above constitutes legal advice.  Much of the above will no doubt fall out of date and conflict with future law and practice one day.  None of the above should be relied upon.  Always seek your own independent professional advice.

Humphreys Law