European Court decision: EU-US Privacy Shield declared invalid; standard contractual clauses remain valid subject to conditions

Today, the EU’s highest court, the Court of Justice of the European Union (CJEU), handed down its judgment on the long-awaited case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, commonly referred to as “Schrems II”). 

In one of the most  anticipated judgments of the year, the CJEU declared the EU-U.S. Privacy Shield framework (Privacy Shield) to be invalid as a mechanism for transferring personal data to the U.S.  The CJEU also held that Standard Contractual Clauses (SCCs, the more commonly-used transfer mechanism) remain valid subject to the requirement that businesses verify whether the overall context of the transfer (including the destination country) offers appropriate safeguards to individuals’ personal data. The judgment requires EU data protection regulators to suspend or prohibit transfers where such appropriate safeguards cannot be provided.

Background

The GDPR regulates the transfer of EU personal data, requiring a valid transfer mechanism under Chapter V GDPR to be in place.  Such mechanisms include adequacy decisions of the European Commission (such as Privacy Shield) and appropriate safeguards (such as Standard Contractual Clauses and Binding Corporate Rules, which address intragroup transfers).

This is not the first time the CJEU has invalidated a transfer mechanism: in 2015, the CJEU invalidated the EU-U.S. Safe Harbor framework (the predecessor to Privacy Shield) in a case commonly referred to as Schrems I, a complaint by the same individual as in the current case (see our previous blog post).  At the heart of Schrems’ complaint was the fact that U.S. surveillance laws did not offer adequate protection for EU personal data, in particular in relation to Facebook’s sharing of EU citizens’ personal data with the U.S. National Security Agency.

 

Key points of the CJEU judgment

In today’s judgment, the CJEU held that:

  1. Privacy Shield is no longer a valid mechanism for transferring personal data to the U.S. The CJEU held that due to the potential access to, and use by U.S. public authorities of, personal data transferred to the U.S., a level of protection essentially equivalent to that guaranteed under EU law cannot be guaranteed.  In its press release, the CJEU states that the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”  In addition, in relation to the principle of proportionality provided under EU law, the CJEU held that the U.S. surveillance programmes cannot be regarded as limited to what is strictly necessary. The CJEU held that the Privacy Shield Ombudsperson mechanism does not provide an adequate level of protection, as data subjects do not have any cause of action before a body which offers guarantees substantially equivalent to those required by EU law.

 

  1. The SCCs continue to be a valid mechanism for transferring personal data to countries outside the EEA but subject to limitations. The CJEU held that SCCs may not always constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to a third country, in particular where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.  The judgment reiterates the importance of businesses verifying, prior to any transfer, whether an appropriate level of protection is respected in the relevant third country.   Where there are no appropriate safeguards, the transfer of personal data to that third country should be suspended by the exporter or, failing that, the relevant Member State data protection supervisory authority.  Although not explicitly referenced in the judgement, it is likely that this obligation would also apply to other appropriate safeguards, including Binding Corporate Rules.

 

What does all this mean?

Today’s judgment has serious implications on the transfer of personal data outside the EU and is a wake-up call for EU businesses.

  • Businesses should analyse data flows which involve transfers of personal data outside the EEA and determine which transfer mechanism (Privacy Shield, SCCs, etc.) is currently being used.
  • For those transfers relying upon Privacy Shield, an alternative transfer mechanism must be found as a priority.
  • For businesses currently using, or considering using (as an alternative to Privacy Shield), SCCs, businesses must assess the level of appropriate safeguards provided by that transfer to determine whether SCCs are an available mechanism. The real-life risks of such must be taken into account, within the context of the sector / industry and other relevant factors including the destination country and the identity of the recipient, which may be challenging particularly given the uncertainty in the CJEU’s judgment in relation to relying on SCCs for transfers of personal data to the U.S.
  • EU data protection authorities will have the unenviable task of ultimately determining the sufficiency of appropriate safeguards.
  • The implications of the judgment are likely to trigger a further round of political discussions between the EU and U.S.

Despite the questions that were raised by the CJEU, SCCs remain, for now, the most realistic option for the transfer of personal data outside of the EEA.  We expect it will take time for the full practical implications of the decision to flow down and take effect.

Given the impact this decision will have on businesses, we expect Member State data protection supervisory authorities may delay commencing enforcement actions to enable businesses time to assess the situation and put in place alternative solutions, as happened following the 2015 Schrems I judgment and the invalidation of the Safe Harbor framework.  However, a grace period is not guaranteed.  Nor would it prevent individuals from bringing private claims for compensation or group litigation claims.

DLA Piper is developing a methodology to assist our clients in navigating the impact of the judgment and carrying out the required test when relying on SCCs.

For further information and advice, please get in touch with DataPrivacy@dlapiper.com or your usual DLA Piper contact.