EU Court Issues Landmark Ruling on Transfer of Personal Data Outside European Economic Area
On July 16, the highest court in the European Union (EU), the Court of Justice of the European Union (CJEU), issued a landmark judgment in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II). The decision upholds the validity of Standard Contractual Clauses (SCCs) for transfers of personal data outside the European Economic Area, while imposing significant obligations on the parties to such SCCs. However, the CJEU has invalidated the EU-U.S. Privacy Shield, which is relied upon by over 5,000 businesses for the transfer of personal data between the EU and the U.S.
Under the EU General Data Protection Regulation (GDPR), personal data may only be transferred outside the European Economic Area (EEA) provided that certain safeguards are met to ensure that a similar level of protection is afforded to data subjects as that granted under European law.
The safeguards which can be relied upon include an “adequacy decision” granted by the EU which confirms that the standards of data protection in the relevant third country are sufficient to be treated as equivalent to those afforded in the EU; reliance on a specific international agreement under which additional measures must be taken by individual businesses (such as the EU-U.S. Privacy Shield); the use of binding corporate rules for data transfers within a corporate structure under certain conditions; and reliance on SCCs embedded in wider data processing and data transfer agreements between businesses.
Data privacy activist Max Schrems has brought a series of legal challenges, dating back to 2013, relating to the transfer of personal data by Facebook Ireland to Facebook Inc.’s U.S.-based servers for processing. These challenges had already resulted in the CJEU invalidating the old Safe Harbour agreement relating to data transfers between the EU and U.S. in 2015 (Schrems I) and led to its replacement, Privacy Shield, which became operational in 2016.
The Schrems II case has focussed on the final safeguard — the use of SCCs. Mr. Schrems originally brought a complaint with the Irish Data Protection Commission (Irish DPC) — the Irish data protection authority and Facebook Ireland’s EU data protection supervisory authority. He argued that the SCCs in Facebook’s data processing agreements could not justify Facebook’s transfer of personal data, as the laws and practices of the U.S. do not offer sufficient protection against surveillance by U.S. public authorities. Hence, Mr. Schrems argued, the SCCs do not provide an effective remedy in the U.S. for him or others to protect their privacy rights. After Mr. Schrems asked the Irish DPC to suspend the application of the controller-to-processor SCCs, the Irish DPC referred his complaint to the Irish High Court, which requested a preliminary ruling by the CJEU.
CJEU Decision: SCCs
In line with the non-binding opinion of the Advocate General (AG) given in December last year (summarized in our previous alert), the CJEU has upheld the validity of SCCs, whilst making it clear that there is a responsibility on processors and controllers to ensure that the laws of the country into which personal data is being imported do not conflict with their ability to provide adequate protections as required under the SCCs. For each particular transfer of personal data, the data exporter must assess whether there are any conflicts, and the data importer must inform the exporter of any inability to comply with the terms of the SCCs in order to allow the exporter to suspend the data transfer or terminate the SCCs.
The assessment must, in particular, take into account both the SCCs and any access by the public authorities of that third country to the personal data transferred as permitted under that third country’s legal system. It may be the case that additional safeguards over and above those contained in the SCCs must be implemented to provide an “adequate level of protection,” although it is not yet clear what form such safeguards would take. In addition, each supervisory authority in the exporting EU country is required to handle complaints submitted by data subjects. If, in the view of the supervisory authority, the SCCs are not being complied with by the parties or cannot be complied with in the third country and there are no additional safeguards in place to ensure an “adequate level of protection,” the supervisory authority is required to suspend or prohibit transfers of personal data. In essence, if the parties cannot police the agreement, then the supervisory authorities will be required to do so.
This places the onus onto data exporters in particular to make a thorough assessment of local law provisions of importing countries before exporting any personal data from the EU, and on EU supervisory authorities to police and suspend the export of personal data where these requirements are not sufficiently met by those relying on SCCs.
CJEU Decision: Privacy Shield
By contrast, the ruling that Decision 2016/1250 on the adequacy of the EU-US Privacy Shield is invalid was somewhat more surprising given that, in his December opinion, the AG suggested that it would not be necessary for the CJEU to rule on the validity of the Privacy Shield in this case as the dispute here centers on the SCCs. Nevertheless, the CJEU found that the European Commission’s assessment as part of its Privacy Shield decision of the adequacy of U.S. data protection safeguards is relevant to this case. According to the CJEU, the surveillance of personal data by U.S. public authorities goes beyond what is strictly necessary, and therefore conflicts with the EU’s principle of proportionality.
The CJEU focused on the effectiveness of judicial review mechanisms designed to ensure compliance with provisions of EU law. Laws which do not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, do not respect the fundamental right to effective judicial protection under EU law.
The GDPR requires the Commission, when assessing the adequacy of protection in a third country, to account for the “effective administrative and judicial redress for the data subjects whose personal data are being transferred.” The third country “should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States’ data protection authorities.” Data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress. The CJEU held that the Ombudsperson mechanism under the Privacy Shield, which is intended to provide redress to individuals, is not sufficient to provide data subjects with a suitable recourse for protecting their rights. Although the Privacy Shield refers to a commitment from the U.S. government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, it does not give the Ombudsperson the power to adopt decisions that are binding on those intelligence services. Neither does it mention any legal safeguards that would accompany that political commitment on which data subjects could rely.
Implications for International Transfers and Next Steps
This is a very significant decision, although data flows will not stop overnight. Businesses which have adopted a “belt and suspenders” approach and have implemented SCCs in addition to Privacy Shield certification will have some relief. Businesses which rely on Privacy Shield will need to swiftly implement SCCs (since Binding Corporate Rules are not an option which can be implemented in the short term).
However, implementing SCCs will not be a quick paper exercise. They will need to be approached with much greater rigour and consideration, and data importers are likely to face much greater scrutiny from data exporters on the extent to which they are fully complying with their obligations under SCCs.
The same fundamental problems with the Privacy Shield (limited redress against access by the U.S. government to personal data) will also apply, in practice, to SCCs. It will be extremely difficult for data importers to represent that they will implement EU protections for personal data when U.S. domestic laws may override such protections based on national security grounds. It may be the case that organisations will also need to consider implementing additional safeguards in order to make sure there is an “adequate level of protection” for personal data being imported.
Members of the European Commission today confirmed in the wake of the judgment that they are continuing to work on modernising the SCCs in conjunction with the European Data Protection Board (EDPB) and EU member states. All developments will take this judgment into account, and the aim is to have these finalised as quickly as possible. The Commission has also confirmed it is in talks with U.S. counterparts to develop a strengthened transfer mechanism, in the same way that Privacy Shield was a reworked version of the previous Safe Harbour. It is anticipated that there will be a more thorough response to the decision in the coming days which might set out their plans in more detail.
It also remains to be seen what approach EU supervisory authorities will take in policing the agreements (as the CJEU requires them to do) and in response to inevitable complaints from individuals. Businesses will need to implement what they can immediately — but prepare for further developments.