BREAKING: Unexpected Outcome of Schrems II Case: CJEU Invalidates EU-U.S. Privacy Shield Framework but Standard Contractual Clauses Remain Valid
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (the “Irish DPA”) in 2015, challenging Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook turned to the SCCs after the CJEU invalidated the U.S.-EU Safe Harbor Framework in 2015 (Schrems I), following an earlier challenge by the same privacy advocate.
Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. A key concern was that, once transferred, EU personal data might be accessed and processed by the U.S. government in a manner incompatible with the privacy rights guaranteed in the EU under the Charter of Fundamental Rights, and that EU individuals have no remedy available to ensure protection of their personal data after transfer to the U.S. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling. The preliminary questions primarily addressed the validity of the SCCs, but also concerned the EU-U.S. Privacy Shield framework.
The CJEU Judgment
With respect to the SCCs, the CJEU judgment mainly followed the non-binding opinion of the Advocate General (“AG”) on the case (published on December 19, 2019). The CJEU stated that the SCCs provide sufficient protection for EU personal data, but underscored that EU organizations relying on them have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU also noted that organizations may implement additional safeguards, over and above those contained in the SCCs, to ensure an “adequate level of protection” for the personal data transferred, although it is unclear at this stage what form those additional safeguards would take. The CJEU further noted that non-EU organizations importing data from the EU on the basis of the SCCs must inform data exporters in the EU of any inability to comply with the SCCs. When non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection,” the EU data exporter is required to suspend the transfer of data and/or to terminate the contract. In addition, the judgment highlights the role of supervisory authorities in assessing and, where necessary, suspending or prohibiting transfers of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
Contrary to the approach suggested by the AG in his opinion, the CJEU decided to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In ruling that the Privacy Shield is invalid, the CJEU took the view that “the limitations on the protection of personal data arising from [U.S. domestic law] on the access and use [of the transferred data] by U.S. public authorities […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Further, the CJEU found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law. On those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
Next Steps for Organizations
While SCCs remain valid, organizations that currently rely on them will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
Organizations that currently rely on the EU-U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Organizations may be able to rely on the derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), and the SCCs or Binding Corporate Rules should also be considered as alternative mechanisms.