Schrems II: SCCs Valid (in Principle), Privacy Shield Struck Down – Time for Action
In its recent much-noticed Schrems II decision the Court of Justice of the European Union ruled – in a not entirely unexpected move – that the EU-U.S. Privacy Shield negotiated between the EU Commission and the USA is invalid. As a result, personal data of EU citizens can no longer be lawfully transferred to the USA on the basis of the EU-U.S. Privacy Shield. At the same time, standard contractual clauses (SCCs) are valid in principle. The message is one of action.
Key Takeaways
- The EU-U.S. Privacy Shield does not ensure an adequate level of protection of personal data and is therefore not a lawful basis for data transfers to the U.S.
- The Standard Contractual Clauses adopted by the EU Commission remain a lawful basis for data transfers to a non-EEA country (including, potentially, the U.S.), but data exporters and data importers are required to conduct individualized assessments to ensure their adequacy for specific transfers and may be required to implement supplementary measures.
- Data controllers and processors may be subject to increased enforcement actions by EEA supervisory authorities and to claims by individual data subjects.
Under the General Data Protection Regulation (GDPR), personal data may only be transferred outside of the European Economic Area (EEA) (i) if the third country to which the data is to be transferred has been the subject of an adequacy decision; (ii) if appropriate safeguards are put in place (e.g. standard contractual clauses (SCCs) or binding corporate rules); or (iii) on the basis of certain derogations. Of these options, SCCs are the most widely used.
In its Schrems II [1] decision the Court of Justice of the European Union (CJEU) has ruled that SCCs are valid in principle but that the EEA data exporter and the non-EEA importer are required to verify whether the law of the destination country ensures adequate protection of the personal data transferred and provide additional safeguards where necessary. Where adequate protection cannot be guaranteed, the exporter (and, where the exporter fails to act, the relevant supervisory authority) must ensure that any transfers based on the SCCs are suspended or prohibited.
Furthermore, in a not entirely unexpected move, the CJEU also held the EU-U.S. Privacy Shield invalid.
The EU-U.S. Privacy Shield was a special kind of adequacy decision allowing personal data transfers to U.S. organisations who self-certified to particular standards. As at the date of the CJEU decision, around 5,300 organisations had signed up to the EU-U.S. Privacy Shield.
The Schrems II case originated from the CJEU decision in Maximilian Schrems v. Data Protection Commissioner (Schrems I) [2], in which Maximilian Schrems filed a complaint with the Irish Data Protection Commissioner against the transfer of his personal data from Facebook Ireland to Facebook Inc. in the U.S. The complaint was rejected by the Irish Data Protection Commissioner, and Mr. Schrems therefore brought judicial review proceedings against the rejection of his complaint before the High Court (Ireland), which referred questions to the CJEU for a preliminary ruling.
EU-U.S. Privacy Shield struck down
The CJEU declared personal data transfers that are solely based on the EU-U.S. Privacy Shield invalid because of data surveillance carried out by U.S. intelligence agencies, holding that the primacy granted to U.S. national security, public interest and law enforcement condoned interference with the fundamental rights of EU individuals whose data is transferred to the U.S. Businesses currently relying on Privacy Shield will need to swiftly review their data transfers to the U.S. and consider alternative mechanisms that they can put in place (SCCs, Binding Corporate Rules) or whether they can look to rely on derogations such as consent of data subjects, necessity for performance of contract or establishment, exercise or defence of legal claims to appropriately safeguard the data transfers.
How the CJEU decision affects the use of SCCs
The CJEU explained that, as a basic principle, personal data transferred to a third country must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. An entity’s assessment of the level of protection afforded to personal data in the recipient’s jurisdiction must take into account both the SCCs and the relevant aspects of the legal system of the country of the data importer.
However, given that the SCCs are a purely contractual mechanism between the exporter and the importer and that they do not bind the authorities of third countries, the CJEU opined that depending on the position in the third country in question, entities may be required to introduce supplementary measures in order to ensure compliance with this level of protection.
Of particular note is the CJEU’s statement that it is “above all, for [the data exporter] to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary additional safeguards to those offered by those clauses.”
In short: The signing of SCCs is only the starting point. Supplementary assessments and documentation as well as ongoing monitoring measures will be required.
The requirement for businesses to conduct their own case-by-case assessment is not entirely new. The SCCs have always required an exporter to ensure that personal data will continue to be protected in accordance with the relevant provisions of EU data protection law even after it is transferred to a third country, and an importer to promptly inform the exporter if it cannot comply with the terms of the SCCs. However, in practice, many businesses have viewed the SCCs as a simple paper exercise without necessarily undertaking any further diligence. The CJEU has now brought these obligations to the forefront and is highlighting to both businesses and supervisory authorities that these steps need to be taken.
In summary, the data exporter and the data importer are required to verify whether the level of protection required by EU law is respected in the third country concerned, taking into account the categories of data to be transferred and the legal system in the country of destination. The importer is under an obligation to inform the controller of any inability to comply with the SCCs or in case the SCCs do not – or no longer – provide sufficient safeguards for the data transferred. The exporter would then be obliged to suspend the transfer of data and/or terminate the contract.
Any personal data that has already been transferred to that third country must be returned or destroyed in their entirety.
Where the exporter is not able to take adequate additional measures to guarantee such protection, the exporter is required to suspend or end the transfer of personal data to the third country concerned. If it fails to do so, that responsibility falls on the competent supervisory authority.
Enforcement and sanctions
In its ruling the CJEU encourages supervisory authorities to enforce GDPR in the context of international data transfers, emphasizing that the supervisory authorities’ primary responsibility is to monitor the application of GDPR and that the exercise of such responsibility is of particular importance when personal data is transferred to a third country.
The CJEU also points out that a breach of the parties’ obligations under the SCCs, including the obligation to assess and monitor the data importer’s legal system, may result in affected data subjects having damage claims against both the data exporter and the data importer.
In the near future, we therefore expect to see more monitoring of international data transfers by EEA supervisory authorities and claims being made by private individuals, data activists or consumer associations, which may include requests for the suspension of data transfers and/or claims for damages from data exporters in the EEA and data importers in third countries, including the U.S.
New challenges for data transfers
The underlying message of the CJEU judgment however is not about particular transfer mechanisms but rather about transfers to a particular country: the U.S. The CJEU declared that the U.S. did not in fact provide adequate protection via the Privacy Shield because of government surveillance. If that is indeed the case, it seems that these issues would be equally applicable in the case of SCCs. This leaves businesses in a difficult position – how can they conclude that adequate protection is provided when the CJEU has said that it is not? The Irish Data Protection Commissioner has also made this point, stating in a press release that “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.” [3]
The supervisory authority of the City of Berlin, Germany, in its first reaction on 17 July 2020, even went a step further, asking data controllers based in Berlin to stop transferring personal data to the U.S. and to transfer the same back to Europe, until the U.S. has reformed its legal framework [4]. Whilst we do not agree with this statement in its generality for all kinds of data transfers to the U.S. – and without regard for the data subjects concerned and categories of data to be transferred – it underlines the necessity for additional diligence, documentation and monitoring – and to start this exercise immediately.
The EU Commission continues to work on alternative instruments for international transfers of personal data, including by reviewing the existing SCCs [5]. However, this process will take months, maybe even years.
In the meantime, it is incumbent upon the data exporter and data importer to thoroughly review their data transfers and develop adequate standards. Therefore, data exporters especially should consider the following Action Points:
- Review your current data transfers (particularly to the U.S.) and identify the transfer mechanisms relied on. If relying on the Privacy Shield, urgently consider your alternatives.
- Conduct an assessment of whether the SCCs will work for a particular personal data transfer taking into account the nature of the data to be transferred, the categories of data subject and the legal system of the third country.
- Document that assessment. Ensure that you have a thorough paper trail of your reasoning and the outcome of your assessment.
- Consider amendments/supplementary provisions to the SCCs. It is likely that this will play a much larger role going forwards but will need to be considered on a case-by-case basis as it is unlikely that there will be a uniform solution.
- Monitor transfers on a regular basis. Businesses will need to actively monitor and follow up with importers. We suggest building an annual review mechanism into the SCCs.
Whilst we expect that most supervisory authorities will give businesses some unofficial grace period to get matters in order, the more immediate risk may be actions from data subjects, privacy activists and consumer associations. There have been an increasing number of actions on data protection matters across the EU and Schrems II will further boost these proceedings. Failure to update personal data transfer practices could therefore leave businesses vulnerable to compensation claims. A complaint by a data subject could also lead to a supervisory authority suspending a transfer itself and questioning the exporter’s reasoning behind continuance of the transfer.
At the time of the Advocate General’s opinion, we wrote: “The message is thus one of caution: continue to use SCCs but be alive to whether the importer can actually comply with the SCCs in practice.” [6] Now, after the CJEU’s decision, the message is one of action: if you wish to continue to use SCCs, you must proactively assess current transfers, document that assessment and monitor them on an ongoing basis.
Footnotes
1) Judgment of the Court (Grand Chamber) (July 16, 2020)
2) Judgment of the Court (Grand Chamber) (October 6, 2015)
3) DPC statement on CJEU decision (July 16, 2020)
4) Berlin: Berlin Commissioner issues statement on Schrems II case, asks controllers to stop data transfers to the US (July 17, 2020)
5) European Parliament: Parliamentary questions (May 19, 2020)
6) Dechert OnPoint: Schrems v Facebook: AG says Standard Contractual Clauses are Valid (December 20, 2019)