Yesterday, the European Court of Justice (“ECJ”) handed down its much anticipated judgment in C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems (“Schrems II”). The case concerns the validity of Standard Contractual Clauses (“SCCs”) and the EU-U.S. Privacy Shield (“Privacy Shield”) as mechanisms for transferring personal data outside the European Economic Area (“EEA”). In its judgment, the ECJ has upheld the SCCs as a lawful mechanism for transferring personal data outside of the EEA, subject to the controller determining, on a case-by-case basis, that the SCCs can provide an essentially equivalent level of protection. However, the ECJ has held that the Privacy Shield is invalid on the basis that, under the framework, US law does not provide an essentially equivalent level of protection for EU data subjects.
Organisations that rely on the Privacy Shield for transfers of personal data from the EEA to the US will need to put in place alternative data transfer mechanisms. In addition, organisations relying on SCCs will need to ensure that such SCCs do in fact provide appropriate safeguards for the particular transfer in question. If this is not the case, organisations may be required to supplement the SCCs or suspend the transfer. Failing this, Member State supervisory authorities must suspend or prohibit transfers pursuant to SCCs where they consider that the SCCs do not provide appropriate safeguards.
This article provides a deeper dive into the ECJ’s judgment, the likely next steps, and practical takeaways for organisations. The article also discusses the implications of the decision for UK organisations in light of Brexit.
Under the General Data Protection Regulation (“GDPR”), transfers of personal data to countries outside of the EEA (known as “third countries”) are prohibited unless certain conditions set out in Chapter V of the GDPR are satisfied. These conditions include the following:
- The transfer is to a third country that is subject to a European Commission adequacy decision;
- The transfer is subject to appropriate safeguards, such as SCCs or Binding Corporate Rules (“BCRs”); or
- A derogation applies, for example the transfer is based on the data subject’s explicit consent.
The Privacy Shield falls within the first category as an adequacy decision. It is slightly unusual compared to other adequacy decisions (that ordinarily require no additional steps to be taken by organisations), as it requires US organisations to certify to the framework in order to benefit from the decision. Once certified, such US organisations can receive personal data from the EEA.
SCCs fall within the second category of data transfer mechanism, i.e. once put in place, they provide appropriate safeguards. SCCs are a set of template contracts that have been drafted and approved by the European Commission for use by data exporters and importers. Essentially, the SCCs impose obligations on data importers (i.e. the organisation located in the third country receiving personal data) that replicate many of the obligations contained within the GDPR. The purpose is to ensure that personal data, once transferred to the data importer in the third country, will be subject to protections similar to those afforded under EU law.
The case began following a complaint by privacy activist Maximillian Schrems to the Irish Data Protection Commissioner (“DPC”) against Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US in reliance on the European Commission approved SCCs. Schrems argued that, in light of revelations about US government agencies’ surveillance practices, his fundamental rights to privacy could not be protected under the SCCs. In particular, he argued that the SCCs do not protect against US authorities’ mass and indiscriminate processing of personal data, and do not provide an adequate remedy for data subjects whose rights have been breached. Accordingly, Schrems asked the DPC to suspend Facebook Ireland’s transfer of his personal data to the US.
The DPC and the Irish High Court both agreed with Schrems that the US surveillance regime allows for mass and indiscriminate processing of personal data in breach of EU fundamental rights. They also agreed that the SCCs do not provide adequate safeguards to make up for the inadequacies in the US regime, and do not provide EU citizens with any rights of redress against such breaches. However, the DPC did not consider that it could suspend the transfer, on the basis that the US is subject to an adequacy decision approved by the European Commission (the Privacy Shield). The DPC and the Irish High Court referred a number of questions to the ECJ for determination. Given the nature of the questions raised by the DPC, the case also called into question the validity of the Privacy Shield.
In yesterday’s judgment, the ECJ has held the following:
- SCCs are valid. The ECJ held that the fact that the SCCs are not binding on third country governments does not mean they cannot, in all circumstances, provide appropriate safeguards. Instead, the validity of the SCCs depends on whether “such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them” (para. 137). The ECJ held that the SCC decision, and the clauses contained within the SCCs, do provide for this.
- SCCs must ensure an essentially equivalent level of protection which must be assessed within the context of the transfer. The ECJ confirmed that SCCs must ensure “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union…” (emphasis added) (para. 94). Whether the SCCs ensure an essentially equivalent level of protection must be assessed on a case-by-case basis within the context of the transfer. For this assessment, the following considerations must be taken into account:
- the contractual clauses agreed between the controller and processor and the recipient of the transfer;
- any access by public authorities to personal data once transferred to the third country; and
- the relevant aspects of the legal system of the third country, taking into account the non-exhaustive factors set out in Article 45(2) of the GDPR (i.e. the factors the European Commission must take into account when determining an adequacy decision) (para. 104).
Where the SCCs cannot guarantee essentially equivalent protection, the ECJ provides that it may be necessary for the controller to adopt supplementary measures to “ensure compliance with that level of protection” (paras. 132 and 133).
- Controllers must suspend transfers / terminate the contract with the recipient if they cannot comply with the SCCs. Under the SCCs, data importers must notify the controller if they are unable to comply with the SCCs, for example, if there is a change to national laws that would have “a substantial adverse effect on the warranties and obligations provided” in the SCCs (para. 139). In this case, the controller must suspend and / or terminate the contract with the recipient or be in breach of data protection legislation.
- Supervisory authorities must suspend or prohibit transfers pursuant to SCCs if, in their view, the SCCs do not protect EU fundamental rights. The ECJ confirmed that, unless there is a valid adequacy decision, Member State supervisory authorities must suspend or prohibit the transfer of data to a third country pursuant to the SCCs if they consider that the SCCs do not ensure a level of protection that is essentially equivalent to EU law (para. 121).
- The Privacy Shield is invalid. The ECJ found that US surveillance law does “not provide for the necessary limitations and safeguards with regard to the interferences authorised by its national legislation and does not ensure effective judicial protection against such interferences”, and that the Privacy Shield Ombudsperson does not provide EU data subjects with effective judicial protection (para. 168). Accordingly, the ECJ found that the European Commission, in its adequacy decision, had not shown that US law and the Privacy Shield framework provide an essentially equivalent level of protection for EU data subjects.
In terms of next steps, there are a few possible outcomes. Facebook Ireland may consider that, following the ECJ’s judgment, the SCCs do not provide essentially equivalent protection for its transfer of EU customer personal data to the US, in which case it may itself elect to suspend the transfers. Alternatively, it may consider supplementing the SCCs to make up for any inadequacies. However, it is not clear from the ECJ’s judgment what these supplementary measures could look like.
Failing this, the case will return to the DPC, which will need to determine whether, following the ECJ’s judgment, the SCCs provide essentially equivalent protection; if it concludes that they do not, it must suspend or prohibit Facebook Ireland’s transfer of personal data to the US. In light of the ECJ’s findings on the inadequacies of the US regime, and the previous findings of the DPC and the Irish High Court, it does seem likely that, if this were to happen, the DPC would suspend the transfer.
It is also worth noting that the European Commission is in the process of updating the current set of SCCs, which have not been updated to address the coming into force of the GDPR. The European Commission had put this on hold pending the ECJ’s decision in Schrems II. It is likely that the updated SCCs will now be published in due course. It will be interesting to see whether the Commission makes any additions to the SCCs to address the ECJ’s judgment. It will also be interesting to see whether the European Commission and the US Government return to the negotiating table with respect to determining a new EU-U.S. Privacy Shield.
For organisations that transfer personal data outside of the EEA, there are a number of practical considerations following the ECJ’s judgment. These are as follows:
- Organisations should review their data flows to determine what data transfer mechanisms they currently rely on for transferring personal data outside of the EEA.
- For transfers reliant on the Privacy Shield, alternative data transfer mechanisms will need to be put in place. Whether SCCs will be the appropriate replacement will require an assessment based on the considerations outlined by the court.
- For existing transfers pursuant to the SCCs, organisations may need to re-assess their reliance on those safeguards in light of the ECJ’s judgment (particularly for transfers to the US). Organisations will need to take into account the considerations outlined by the ECJ in making this assessment (as set out above).
- For future transfers pursuant to the SCCs, organisations will no longer be entitled to simply append the SCCs to a contract where data leaves the EEA. Steps must be taken to assess the level of protection and whether it is equivalent to that provided by the GDPR.
- Organisations will need to await the updated SCCs from the European Commission, which may require replacing existing SCCs with the new versions.
It is important to note that the ECJ judgment will still impact UK organisations, despite Brexit. This is because the UK government has implemented the GDPR into UK law, including the same provisions surrounding international data transfers. Accordingly, organisations transferring personal data outside of the UK must similarly rely on a data transfer mechanism, such as an adequacy decision or appropriate safeguards.
With respect to an adequacy decision, the UK government had negotiated changes to the Privacy Shield that would ensure its application for UK to US transfers at the end of the transition period. Yesterday’s decision from the ECJ will also be binding on the UK, meaning the Privacy Shield will also fall away for UK to US transfers.
For SCCs, the UK government expressed its intention to recognise the EC-approved SCCs meaning that organisations transferring personal data outside of the UK could continue to rely on these. Given the ECJ has upheld the validity of the SCCs these will continue to apply for transfers outside the UK. However, UK organisations will also need to carry out the assessment described by the ECJ in determining whether the SCCs provide appropriate safeguards in the light of the particular transfer. The UK Information Commissioner’s Office (“ICO”) will also need to step in where controllers fail to correctly make this assessment.
For more information on international data transfers and Brexit, see the ICO’s guidance available here. The ICO has also released a statement that it is considering the judgment and the impact on international data transfers. It is likely that more guidance for UK organisations from the ICO will follow.
For more information about how the ECJ’s judgment may impact your organisation’s international data transfers, please get in touch with one of our information law and privacy experts.