Standards are Upheld but Shield Sinks Under Harbour Waves
European Court upholds validity of Standard Contractual Clauses but not Privacy Shield as international transfer regime, though with strings attached for businesses and regulators.

 

The Court of Justice of the European Union (CJEU) published its decision today, affirming the validity of the Standard Contractual Clauses (SCCs), which are widely used for international data transfers of personal data to processors in third countries in order to comply with the General Data Protection Regulation (GDPR).  The decision puts a spotlight on obligations for businesses and regulators to conduct a meaningful assessment to validate the adequacy of standards in all countries to which data are exported. In addition, the CJEU invalidated the use of Privacy Shield as a basis for lawful transfers to the United States, which will need urgently to be replaced (again) by a new framework. Serious questions arise in relation to the ability to make lawful transfers to the United States. The Irish Data Protection Commission has strongly welcomed the decision.  The US Department of Commerce expressed deep disappointment, and is studying the decision to assess its impacts, acknowledging the important of EU-US data flows.

Executive Summary

  • Standard Contractual Clauses remain valid.
  • Privacy Shield does not constitute an acceptable basis to legitimize transfers to the United States.
  • Businesses and regulators have clear obligations to act to assess and ensure transfers occur only where adequate standards exist in third countries, i.e. standards essentially equivalent to those enjoyed in the EU.

Background

The data protection team at William Fry welcomed the decision, which ensures SCCs can continue as a crucial basis that underpins the vast majority of international transfers.  The team has played a key role in this case, filing crucial evidence and legal analysis on behalf of BSA – The Software Alliance (Microsoft, Apple, Adobe, Workday and others), which acted early and decisively to ensure the full facts were available to the Court. The case originated before the Irish High Court and has a significant history.

 

Schrems I

These proceedings arose from a complaint made by Maximillian Schrems, an Austrian data protection activist, to the Office of the Irish Data Protection Commissioner, now the Data Protection Commission (DPC) regarding the transfer by Facebook Ireland of his personal data, linked to his Facebook account, to servers belonging to Facebook Inc. located in the United States (US). The complaint focused on the legality of the transfer and the issue of the adequate protection of his personal data.  
After hearing submissions and arguments, the Irish High Court referred eleven questions to the CJEU, which determined that the then existing Safe Harbour Framework was not a valid legal basis to transfer personal data between the EU and US. As a result, business adopted SCCs or relied on the Privacy Shield mechanism, which replaced the Safe Harbour Framework, for EU-US international personal data transfers.

 

Schrems II

The current case concerned the use of SCCs and, by implication, Privacy Shield. The DPC brought proceedings before the Irish High Court, which referred several important questions to the CJEU. 

Advocate General Henrik Saugmandsgaard Øe delivered an opinion on 19 December 2019 (AG Opinion), finding that the CJEU should confirm the validity of the Commission's decision on SCCs (which we discussed here). The AG Opinion noted that the CJEU did not need to rule on the adequacy of the Privacy Shield but did raise some serious questions about its validity, in particular, having regard to the right to respect private and family life and the right to an effective remedy under the Charter of Fundamental Rights (Charter).

Court of Justice of the European Union Decision

The CJEU upheld the validity of SCCs and declared the Privacy Shield to be invalid as a basis for transfers. The CJEU noted that the processing of personal data by authorities in a third country, such as the US, does not preclude the effect of the GDPR. 

 

Level of Protection

Regarding the level of protection required in respect of such transfers, the CJEU held that the GDPR requirements concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted to mean that data subjects, whose personal data are transferred to a third county under SCCs, must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. 

The Court specified that the assessment of that level of protection must take into consideration both the SCCs agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

 

Role of Data Protection Supervisory Authorities

In the absence of a valid adequacy decision, the relevant Supervisory Authority (SA) must suspend or prohibit a transfer of personal data to a third country where the SA believes, considering all the circumstance of the transfer:

  • the SCCs are not or cannot be complied with in that country; and
  • the protection of the personal data transferred, that is required under EU law, cannot be ensured by other means, where the data exporter, being established in the EU, has not suspended or put an end to such a transfer.

 

SCC Validity

The validity of SCCs depend on whether the they include effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the SCCs are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. 

The CJEU declared that SCCs establish the appropriate mechanisms and in particular, SCCs impose an obligation on data exports and the recipient to verify, prior to any transfers, that the level of protection is respected in the third country.  There is also an obligation for data recipients to inform the data exporter of any inability to comply with the SCCs, which will require the data exporter to suspend the transfer and/or terminate the SCCs.

 

Privacy Shield

Read in light of the rights guaranteed under the Charter to respect private and family life, personal data protection and effective judicial protections, the CJEU found that the limitations on the protections of personal data arising from the domestic law of the United States regarding access and use of personal data by public authorities were not sufficiently dealt with by the Privacy Shield, in so far as the surveillance regimes are not limited to what is strictly necessary. The CJEU noted data subjects do not have actionable rights against these authorities including under the Ombudsman mechanism referred to in the Privacy Shield.

Conclusion: What this means for businesses

Businesses will need to assess their current personal data transfer processes and arrangements regarding personal data transfers from the EU to any third country without an adequacy decision, particularly the United States. There are serious questions arising in relation to the ability to make lawful transfers to the United States arising from this decision. Businesses that previously relied solely on Privacy Shield will need to act quickly to identify and adopt a different legal mechanism for EU-US personal data transfers.

Businesses will need to carefully assess the suitability of their current and future use of SCCs in light of the CJEUs comments on assessing the level of protection, as well as the role of the SAs. For some, consideration should be given to other mechanisms such as Binding Corporate Rules. It may be appropriate for certain businesses to utilise more than one mechanism for international transfers of personal data in order to mitigate risks of business continuity issues.

Food for thought: Brexit

The United Kingdom (UK) has not been issued with an adequacy decision by the European Commission, which places international transfers of personal data to the UK from 31 December 2020 in a similar situation to the US and other third countries. Careful analysis will be needed in respect of the standards in place in the UK at that time, including its surveillance regime, or this could give rise to GDPR compliance issues. These same issues will apply to other third countries who have not been granted an adequacy decision, which is a factor EU businesses will need to consider carefully whenever dealing with those countries.

William Fry Compliance Team

Your data protection team at William Fry is expert in all of these matters and available to assist with GDPR compliance queries, as well as other items relation to data protection.  Please contact us for more information or your usual William Fry contact.
 

Contributed by David Cullen

 

Key Contacts

Leo Moore Partner

John O'Connor Partner

Charleen O’Keeffe Senior Associate

Related Practice Areas

Related Industry