Yesterday, the European Court of Justice (“ECJ”), handed down its much anticipated judgment in C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems (“Schrems II”). The case concerns the validity of Standard Contractual Clauses (“SCCs”) and the EU-U.S. Privacy Shield (“Privacy Shield”) as mechanisms for transferring personal data outside the European Economic Area (“EEA”). In its judgment, the ECJ has upheld the SCCs as a lawful mechanism for transferring personal data outside of the EEA, subject to the controller determining that the SCCs can provide an essentially equivalent level of protection to be assessed on a case-by-case basis. However, the ECJ has held that the Privacy Shield is invalid on the basis that under the framework, US law does not provide for an essentially equivalent protection for EU data subjects.
Organisations that rely on the Privacy Shield for transfers of personal data from the EEA to the US will need to put in place alternative data transfer mechanisms. In addition, organisations relying on SCCs will need to ensure that those SCCs do in fact provide appropriate safeguards for the particular transfer in question. If this is not the case, organisations may be required to supplement the SCCs or suspend the transfer. Failing this, Member State supervisory authorities must suspend or prohibit transfers made pursuant to SCCs where they consider that the SCCs do not provide appropriate safeguards.
This article provides a deeper dive into the ECJ’s judgment, the likely next steps, and practical takeaways for organisations. The article also discusses the implications of the decision for UK organisations in light of Brexit.
Under the General Data Protection Regulation (“GDPR”), transfers of personal data to countries outside of the EEA (known as “third countries”) are prohibited unless certain conditions set out in Chapter V of the GDPR are satisfied. These conditions include the following:
The Privacy Shield falls within the first category as an adequacy decision. It is slightly unusual compared to other adequacy decisions (that ordinarily require no additional steps to be taken by organisations), as it requires US organisations to certify to the framework in order to benefit from the decision. Once certified, such US organisations can receive personal data from the EEA.
SCCs fall within the second category of data transfer mechanism, i.e. once put in place, they provide appropriate safeguards. SCCs are a set of template contracts that have been drafted and approved by the European Commission for use by data exporters and importers. Essentially, the SCCs impose obligations on data importers (i.e. the organisation located in the third country receiving the personal data) that replicate many of the obligations contained within the GDPR. Their purpose is to ensure that personal data, once transferred to the data importer in the third country, will be subject to protections similar to those afforded under EU law.
The case began following a complaint by privacy activist Maximilian Schrems to the Irish Data Protection Commissioner (“DPC”) against Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US in reliance on the European Commission-approved SCCs. Schrems argued that, in light of revelations about US government agencies’ surveillance practices, his fundamental right to privacy could not be protected under the SCCs. In particular, he argued that the SCCs do not protect against US authorities’ mass and indiscriminate processing of personal data, and that they do not provide an adequate remedy for data subjects whose rights have been breached. Accordingly, Schrems asked the DPC to suspend Facebook Ireland’s transfer of his personal data to the US.
The DPC and the Irish High Court both agreed with Schrems that the US surveillance regime allows for mass and indiscriminate processing of personal data in breach of EU fundamental rights. They also agreed that the SCCs do not provide adequate safeguards to make up for the inadequacies in the US regime, and do not provide EU citizens with any right of redress against such a breach. However, the DPC did not consider that it could suspend the transfer, on the basis that the US is subject to an adequacy decision approved by the European Commission (the Privacy Shield). The DPC and the Irish High Court referred a number of questions to the ECJ for determination. Given the nature of the questions raised by the DPC, the case also called into question the validity of the Privacy Shield.
In yesterday’s judgment, the ECJ has held the following:
Where the SCCs cannot guarantee essentially equivalent protection, the ECJ provides that it may be necessary for the controller to adopt supplementary measures to “ensure compliance with that level of protection” (paras. 132 and 133).
In terms of next steps, there are a few possible outcomes. Facebook Ireland may consider that, following the ECJ’s judgment, the SCCs do not provide essentially equivalent protection for its transfer of EU customers’ personal data to the US, and may therefore elect to suspend the transfers itself. Alternatively, it may consider supplementing the SCCs to make up for any inadequacies. However, it is not clear from the ECJ’s judgment what these supplementary measures could look like.
Failing this, the case will return to the DPC, which will need to determine whether, following the ECJ’s judgment, it believes that the SCCs do not provide essentially equivalent protection, in which case it must suspend or prohibit Facebook Ireland’s transfer of personal data to the US. In light of the ECJ’s findings on the inadequacies of the US regime, and the previous findings of the DPC and the Irish High Court, it does seem likely that if this were to happen the DPC would suspend the transfer.
It is also worth noting that the European Commission is in the process of updating the current set of SCCs, which have not been updated to address the coming into force of the GDPR. The European Commission had put this on hold pending the ECJ’s decision in Schrems II. It is likely that the updated SCCs will now be published in due course. It will be interesting to see whether the Commission makes any additions to the SCCs to address the ECJ’s judgment. It will also be interesting to see whether the European Commission and the US Government return to the negotiating table with respect to determining a new EU-U.S. Privacy Shield.
For organisations that transfer personal data outside of the EEA, there are a number of practical considerations following the ECJ’s judgment. These are as follows:
It is important to note that the ECJ judgment will still impact UK organisations, despite Brexit. This is because the UK government has implemented the GDPR into UK law, including the same provisions surrounding international data transfers. Accordingly, organisations transferring personal data outside of the UK must similarly rely on a data transfer mechanism, such as an adequacy decision or appropriate safeguards.
With respect to an adequacy decision, the UK government had negotiated changes to the Privacy Shield that would ensure its application for UK to US transfers at the end of the transition period. Yesterday’s decision from the ECJ will also be binding on the UK, meaning the Privacy Shield will also fall away for UK to US transfers.
For SCCs, the UK government expressed its intention to recognise the EC-approved SCCs meaning that organisations transferring personal data outside of the UK could continue to rely on these. Given the ECJ has upheld the validity of the SCCs these will continue to apply for transfers outside the UK. However, UK organisations will also need to carry out the assessment described by the ECJ in determining whether the SCCs provide appropriate safeguards in the light of the particular transfer. The UK Information Commissioner’s Office (“ICO”) will also need to step in where controllers fail to correctly make this assessment.
For more information on international data transfers and Brexit, see the ICO’s guidance available here. The ICO has also released a statement that it is considering the judgment and the impact on international data transfers. It is likely that more guidance for UK organisations from the ICO will follow.
For more information about how the ECJ’s judgment may impact your organisation’s international data transfers, please get in touch with one of our information law and privacy experts.