On 16 July 2020, the privacy world shook once more when we finally found out that Europe’s highest court, the European Courts of Justice (ECJ) judgement in respect of the “Schrems II” case, where it was decided that the EU-US Privacy Shield is to be invalidated it seems from immediate effect.
This really is a ground-breaking judgement which is going to cause significant headaches to thousands of organisations that relied on the EU-US Privacy Shield as a legitimate safeguard in order to transfer data from the EU to the U.S. Thankfully at this moment in time standard contractual clauses (SCCs) which is another data transfer safeguard mechanism available to organisations has been upheld by the ECJ as still being a valid mechanism, however as you will read further below, the use of the SCCs have also some added complications as a result of the judgement.
Key points coming out of the judgement
The decision really does put into question how organisations are going to be able to transfer personal data to the U.S. but also now in relation to other third countries given that the validity and future use of the SCCs are now considered to be questionable. Some of the main points coming out of the judgement for consideration include:
- The EU-US Privacy Shield is invalidated as from the 16 July 2020. There appears to be nothing included within any of the judgement text on any grace period being afforded to organisations relying on this as an acceptable safeguard, so they will now be scrabbling around to try and find another legal basis in order to transfer data to the U.S. legally.
- The use of SCCs as noted above have been upheld for the time being by the ECJ, however it is not going to be as easy for organisations to just rely on falling back onto these (much as Facebook did as a result of the Safe Harbor invalidation) without first considering some significant factors coming out of the judgement yesterday.
- Basically the ECJ have stated that where there are any conflicts between the recipient third country laws and the future use of SCCs, these must be considered with the potential to suspend or prohibit the transfers where necessary.
- This means that in practice a data exporter and the recipient of data wanting to rely on SCCs in order to transfer personal data to a third country must on a case-by-case basis undertake a level of due diligence in order to demonstrate that the recipient third country ensures adequate protection under EU law for any personal data transferred. In the event that this cannot be achieved, the data exporter must then consider using additional safeguards or they will be left with no option but to suspend the transfer. Further to this it should also be noted that the supervisory authorities now have the power to suspend transfers where they take the view that the third country will not have an adequate level of protection in place required by EU law.
- It remains to be seen how this affects the transfer of personal data to the U.S. By virtue of the fact that the EU-US Privacy Shield has been invalidated, predominantly due to the lack of protections surrounding government access to the information, means that the ECJ’s view of the U.S. to have sufficient protections in place is somewhat lacking. As a result of this it will be extremely difficult for an organisation to conclude and justify relying on the use of SCCs in the context of personal data transfer to the U.S. so it remains to be seen how this one plays out over time.
- Of course this has a far wider reach than just personal data transfers to the U.S. This effectively affects any organisation that is transferring personal data to a third country and is currently relying on the use of SCCs as the lawful remedy to do this.
Back to top
What do you need to do now?
As we know, the ECJ’s decision is still very fresh. Privacy professionals all over the world are now speculating on how this will play out and to be honest, no one really quite knows at this point. Despite this there are a few things that your organisation can start looking at and considering in the meantime whilst the dust settles and more specific guidance is developed on what will be acceptable and what won’t be.
- It is extremely important that your organisation now sits down and fully understands the entire data transfer environment that you are exposed to. Remember this isn’t just in relation to personal data transfers to the U.S. Given the additional considerations required around the future use of SCCs this will affect all data transfers to any third country where adequacy is not provided where an organisation uses the SCCs as their data transfer safeguard.
- For any exposure to companies that are relying on the EU-US Privacy Shield, your organisation will need to look for an alternative legal basis in order to continue to transfer the personal data. There are several options provided by GDPR which include:
- SCCs (taking all of the above into consideration)
- Binding corporate rules
- Available derogations (outlined in Article 49 of the GDPR) which include consent
- When continuing to rely on the use of SCCs, it is now very important that your organisation starts reviewing each data transfer on a case-by-case basis and documenting the assessment on whether the third country have the required protections in place in respect of meeting the standards that the EU expects.
Back to top
Why have the ECJ invalidated the EU-US Privacy Shield
So why exactly has the ECJ decided to make this decision. In a very long judgement text that was issued, it came down to three main factors:
- Firstly, it was deemed that the current U.S surveillance programs are currently not limited to processing personal data to what is strictly necessary and proportional which in essence results in the conflict of individual rights in line with the requirements of Article 52 of the EU Charter on Fundamental Rights.
- Secondly, the subsequent review confirmed that the conditions built into the EU-US Privacy Shield were not considered to be sufficient enough to counter and mitigate the risks posed from the surveillance techniques used by the U.S. authorities. This translated into not being able to provide data subjects the adequate protection required under EU data protection regulation.
- The final point focuses on the function of the EU-US Privacy Shield ombudsperson, the fact the ombudsperson is not considered to be independent and that EU data subjects are not able to seek a course of action i.e. compensation, claim for damages and do not have the right to an effective remedy in the U.S as required by Article 47 of the EU Charter.
Back to top
To provide a brief background on the decision, you have to go back a few years to a gentleman called Max Schrems, an Austrian data privacy activist whose initial goal in life was to raise awareness around the misuse and lack of protection of personal data by Facebook. As this particular point in time, Facebook were relying on Safe Harbor which was the then equivalent of the EU-US Privacy Shield. As a result of this, Max Schrems ended up submitting a complaint which once again reached the ECJ ending up with the decision in October 2015 to invalidate Safe Harbor (known as Schrems I).
Facebook as a result of this judgement instantly fell back onto another available mechanism which was the SCCs and Max Schrems again issued a complaint, this time on the basis that the SCC’s did not provide adequate security to individuals in respect of the processing of their personal data specifically focusing on the U.S authorities and there surveillance capabilities.
This reached the ECJ in November 2019 (which also included a review of the EU-US Privacy Shield), which resulted initially in a non-binding decision issued by the Advocate General (AG) that for the moment the SCC’s were still deemed to a valid way to transfer personal data to third countries. That brings us onto the announcement of the ECJ on 16 July - it was widely expected that the AG’s recommendation would be upheld by the ECJ which in part, in relation to the SCC’s it was (with some added complications), however there was a surprising twist in the tale which has resulted in the invalidation of the EU-US Privacy Shield.
Back to top
This really is a day of reckoning in the world of data privacy for any organisation that has an exposure to third country data transfer. As a result of the judgement there is now a significant risk to all organisations in this regard that requires addressing.
We don’t know how this is yet to play out but there are a number of things that your organisation can be doing now in order to start reacting to the decision. It is imperative that you do sit up and start acting – there is a real risk now of private litigation in respect of data transfer violations occurring and this of course is in addition to the potential financial sanctions that remain available (GDPR 4% of global turnover or €20 million – the greater of) to any supervisory authority if they feel an organisation is not acting in their best interests.
Record keeping really will be so much more important going forward in order to demonstrate that your organisation is fully accountable for the data transfer conclusions you are making – do you fully understand your exposure to data transfer and have you formally documented the assessments needed in respect of continuing to use SCCs? It really isn’t sufficient any longer to just treat the use of SCCs as a paper exercise, sign them and just file them away.
And what about Brexit and the impact that this may have on personal data transfers from the UK into the EU. At the end of the transitional period on 31 December 2020, it is extremely unlikely that the UK will be granted adequacy by the European Union. This therefore will mean that any personal data transfers from the UK into the EU will also need to be considered urgently by organisations in advance of the end of the transitional period.
Finally, we are hearing a lot of noise around the possibility of a Schrems III being developed. We’re not so sure – any third throw of the dice in this regard would require considerable negotiation and this isn’t something that I can see happening any time soon.
Back to top