July 21, 2020
There has been much anticipation in the privacy world for the “Schrems II” judgment in the Court of the Justice of the European Union (CJEU), published on 16 July. The CJEU were essentially looking at the legitimacy of the EU-US Privacy Shield arrangement and the effectiveness of the European Commission’s Standard Contractual Clauses (SCCs) as means for transferring personal data originating in the EU.
Privacy campaigner Max Schrems has had long running battles with Facebook over the use and transfer of his personal data, bringing numerous cases over the recent years, mostly through the Irish Data Protection Commissioner which are then referred on to the European courts. He was previously successful in bringing action against Facebook relating to the safeguards set out in the “Safe Harbour” scheme, the previous version of Privacy Shield intended to legitimise transfers of personal data between the EU and US.
So, what did the judgment say?
Firstly, Privacy Shield was ruled an invalid mechanism for EU-US transfers as it did not offer “appropriate safeguards, enforceable rights and effective legal remedies” to individuals in relation to their personal data. This wasn’t a great surprise to those who had followed the thinking of the CJEU in the Safe Harbour case and their view on similar data protection issues.
Privacy Shield could be replaced by (another) successor scheme but it is difficult to see how it will not subject to the same challenge unless there is a major change in the approach to privacy in the US. And we could be on a 3-5 year cycle of a new scheme being created, challenged and invalidated, like a slightly less fun version of Groundhog Day. And no Bill Murray.
The outcome and future of the SCCs is less clear. The judgment did not invalidate them but has added some important caveats to their use and applicability. In certain circumstances, including with transfers to the US, the court did not consider the SCCs alone gave sufficient protection to the personal data in question.
Without reciting the full detail of the judgment, two important paragraphs should be noted (emphasis added):
“…that the appropriate safeguards, enforceable rights and effective legal remedies required by [the GDPR] must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union….the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner” [Paragraph 105]
“…recital 109 of the regulation states that ‘the possibility for the controller … to use standard data-protection clauses adopted by the Commission … should [not] prevent [it] … from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards … that supplement standard [data] protection clauses’.” [Paragraph 132]
The latter quote is important but what these “additional safeguards” may involve is not clear and more detail may be provided by the European Data Protection Board (EDPB) and national supervisory authorities in due course.
It is also important to note that this does not affect all US organisations, but all those subject to surveillance legislation such as the Foreign Intelligence Surveillance (FISA) are covered. This includes the main tech players such as Facebook, Microsoft, Apple and Google.
Of course, the judgment itself does not instantly end international data flows between the EU and US. Much of the impact of the decision will be seen in how the EDPB and national supervisory authorities across Europe interpret the judgment, the guidance they provide and how willing they are to use their powers as a result. Paragraph 121 of the judgment states (emphasis added):
“…the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law” [Paragraph 121]
So, the CJEU is clear in how it expects supervisory authorities to respond and that they should be suspending transfers reliant on SCCs to a country that cannot meet relevant standards. Whether this will happen in practice remains to be seen and the words relating to the view of the supervisory authority and the circumstances of the transfer are also important to note as this again allows some wriggle room.
In the UK, the ICO is always very pragmatic in these situations and has already released a statement to say they “will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
Other European regulators may not be so kind and alignment across regulators is important given the consistency mechanisms set out within GDPR.
And finally, the B-word. While the judgment does not have an immediate impact on data flows from the EU to the UK, as of January the UK becomes a “third country” (equivalent to the US) and EU and UK organisations will need a mechanism that allows the transfer to take place lawfully.
The UK may obtain an adequacy decision from the European Commission, which would allow those transfers to take place. However, UK adequacy for data protection is far from certain, largely because the UK has similar security and surveillance issues (see the Advocate General’s Opinion from January in relation to a complaint by Privacy International). In the absence of an adequacy ruling, the SCCs were seen as the safety net for data transfers between the EU and UK but the judgment makes clear is that a contract in isolation is not sufficient to safeguard individuals’ rights and that there must be a more comprehensive review of the country to which personal data is being sent.
In addition, a recent letter from the Chair of the EDPB to members of the European Parliament also set out their specific concerns about the potential for onward transfers of personal data from the UK to the US. So, the UK government will have some important decisions to make about whether it wants to align itself closer to the US or retain certain ties with the EU. The former would likely have severe implications for data flows between Europe and the UK.
As ever, there is still much uncertainty about how this will play out in the longer term and keeping a watching brief would be advisable.
SCCs have long been due to be updated and this may be prioritised as a result, but whether an update can allay concerns remains to be seen. The fundamental issue is whether a single set of contractual terms can be effective unless there is a step change in the surveillance measures in place in the US (and elsewhere). It could lead to more data being hosted within the EU to remove transfers altogether and may result in organisations being much more selective about who they partner with to provide services. There is certainly a commercial opportunity there.
The best advice in the short term is to make sure you understand and document your current US and wider international data flows and the mechanisms you rely upon for those transfers. This will make it much easier to identify any high-risk areas to be prioritised as further information comes to light. We will of course be keeping a close eye on developments.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.