EU-U.S. DATA TRANSFERS UNDER ATTACK – THE SCHREMS II CJEU JUDGMENT
On July 16, 2020, the Court of Justice of the European Union (the CJEU) issued its judgment in the long-running Schrems litigation (the Schrems II decision), holding that the EU-U.S. Privacy Shield entered into between the EU and the U.S. is not valid under EU law. The CJEU did, however, hold that, in principle, standard contractual clauses do remain a valid method for EU to U.S. transfer of personal data (subject to certain conditions).
- Although the EU-U.S. Privacy Shield has been invalidated, other mechanisms remain available to permit personal data transfers from the EU to the U.S., including “standard contractual clauses” (SCCs), discussed below.
- Organizations should understand that, even though the SCCs are commonly used, they are not trivial agreements and may result in obligations to EU regulators or individuals. U.S. recipients of personal data from the EU should consider how they will comply with SCCs, in order to prepare for increased scrutiny from EU data exporters.
- Expect to see further developments in this area, whether in updated SCCs, challenges to the use of SCCs in certain circumstances, or in efforts to establish a program to replace the EU-U.S. Privacy Shield. There is wide recognition of the commercial importance of EU to U.S. personal data transfers.
- Organizations should evaluate their reliance on the EU-U.S. Privacy Shield—for internal transfers of personal data (such as HR data) and transfers of client data, as well as transfers conducted through vendors—and determine whether and how to execute SCCs to permit those data transfers.
- In considering entering into SCCs, organizations should pay particular attention to whether they are subject to section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA), which formed part of the basis of the CJEU’s decision, or other laws that may conflict with obligations imposed by the SCCs.
- Organizations currently relying on SCCs for EU to U.S. transfers should assess whether the SCCs are functioning to adequately protect personal data, by auditing recipients, in the case of exporters, or by assessing internal compliance to prepare for audits, in the case of importers.
The EU General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU. GDPR places certain restrictions on the extent to which data controllers and processors can lawfully transfer personal data to non-EU third countries. In particular:
- Adequacy Decisions. Article 45 allows the transfer of personal data to a third country or an international organization “where the [European] Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection” (known as an “adequacy decision”). Although the European Commission has specified certain countries as having an “adequate level of protection,” this does not include the U.S.
- Appropriate Safeguards. Article 46 specifies certain circumstances in which transfers of personal data to countries that do not benefit from an adequacy decision are nonetheless permitted. It provides that “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” Article 46 then sets out various means by which “appropriate safeguards” can be provided. This includes “standard data protection clauses adopted by the [European] Commission in accordance with the examination procedure referred to in Article 93(2)” (commonly referred to as “standard contractual clauses” or “model clauses”), as well as “binding corporate rules,” discussed below.
- Binding Corporate Rules. Article 47 provides criteria for binding corporate rules, which may be adopted by a group of undertakings engaged in joint economic activities as a means of protecting personal data in international transfers. Binding corporate rules must be legally binding throughout the group and approved by supervisory authorities.
- Specific Derogations. Article 49 also sets out certain very limited circumstances in which transfers of personal data to (non-approved) third countries can be made where there are no “appropriate safeguards” referred to above. Three notable circumstances are where:
- the data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a));
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (Article 49(1)(b)); and
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the data controller and another natural or legal person (Article 49(1)(c)).
Factual Background to the Case
Mr. Schrems is an Austrian individual who has had a long-running court battle with Facebook. He has been a Facebook user since 2008. Any EU resident who uses Facebook must enter into a contract with Facebook Ireland, a subsidiary of Facebook Inc., its ultimate U.S. holding company. Some or all of the personal data of Facebook Ireland’s users who are resident in the EU is transferred to Facebook Inc. in the U.S., where it undergoes processing.
In 2013, Mr. Schrems filed a complaint with the Irish data protection authorities (the Irish DPA) to request that Facebook be prohibited from transferring his personal data to the U.S., because U.S. law and practice did not ensure adequate protection of his personal data against surveillance activities by U.S. public authorities. At the time, Facebook relied on the “Safe Harbour” basis for the transfer of personal data from the EU to the U.S. Mr. Schrems’ complaint was eventually referred to the CJEU. In 2015 the CJEU gave its decision on his case and ruled that Safe Harbour was invalid as a lawful means of transfer of personal data from the EU to the U.S. (the Schrems I decision).
Following that decision, Facebook, like many other multinational companies, switched from using Safe Harbour to using SCCs as a lawful means by which to transfer personal data from the EU to the U.S. under EU data protection legislation.
Mr. Schrems then brought a further complaint before the Irish DPA alleging that U.S. law does not provide adequate protection for individuals because it permits certain U.S. intelligence agencies access to his personal data and this was incompatible with his rights under EU law. The matter was referred by the Irish DPA to the Irish High Court and from there it was referred on again to the CJEU.
Following the 2015 CJEU ruling that Safe Harbour was invalid, in 2016 the European Commission and the U.S. Department of Commerce established the EU-U.S. Privacy Shield, which formed an approved means by which personal data could be transferred from the EU to the U.S. lawfully.
The Irish High Court referred various questions to the CJEU for its decision. These issues covered not only the validity of SCCs but also the validity of the EU-U.S. Privacy Shield.
Validity of SCCs
The CJEU confirmed that, in principle, SCCs remain a valid means of lawfully transferring personal data from the EU to the U.S. under GDPR. It emphasized, however, that organizations relying on SCCs cannot simply assume that signing them, without any further steps, will be sufficient. Under Article 46 of GDPR, in the absence of a decision deeming a country to have adequate data privacy protections (as is the case with the U.S.), “it is for the controller or processor established in the European Union to provide, inter alia, appropriate safeguards.” The CJEU went on to say that SCCs cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law (they bind the contracting parties, not the public authorities of the destination country), and so they may require the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection. It added that “it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to [SCCs], by providing, where necessary, additional safeguards to those offered by [SCCs].”
EU-U.S. Privacy Shield Invalid
The EU-U.S. Privacy Shield was effectively an adequacy decision by the European Commission under Article 45 of GDPR for companies in the U.S. that certified compliance with the EU-U.S. Privacy Shield Framework. In making an adequacy decision, the European Commission is required under Article 45(2)(a) to take account of “the rule of law, respect for human rights and fundamental freedoms, relevant legislation…concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation…including rules for the onward transfer of personal data to another third country…which are complied with in that country as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.”
The CJEU examined U.S. legislation which permitted certain U.S. intelligence agencies to access personal data transferred to the U.S. It noted that section 702 of the FISA “does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programmes.” Accordingly, it held that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States, which the [European] Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law.” It also found that U.S. legislation does not afford actionable rights to data subjects in U.S. courts. Although U.S. authorities had established a “Privacy Shield Ombudsman,” the CJEU noted that that Ombudsman did not have the power to adopt decisions that are binding on U.S. intelligence agencies and there were no legal safeguards for relevant individuals. As such, the CJEU considered that the Ombudsman did not provide data subjects with any cause of action which might be equivalent to those rights under EU law. Accordingly, the CJEU held that the EU-U.S. Privacy Shield was incompatible with Article 45 of GDPR and is invalid.
In our view, the implications of the CJEU’s decision are likely to be as follows:
- We expect there to be a swift change from the use of the EU-U.S. Privacy Shield to using SCCs or other approved means of lawful EU to U.S. transfers of personal data by the 5,300 or so organizations that currently rely on the EU-U.S. Privacy Shield. Larger multinational corporations may also adopt binding corporate rules, but this is a longer-term strategy rather than an immediate change.
- The CJEU’s decision does not have any impact on day-to-day transfers of information where such transfer is “necessary” for the conclusion or performance of a relevant contract (e.g., information provided for holiday bookings or various business transactions). Such transfers have always relied on other exemptions under Article 49 of GDPR (such as transfers which are necessary for the performance of a contract) and will be unaffected by the decision.
- U.S. organizations are likely to insist on the use of SCCs for future vendor deals with EU counterparts. Such organizations are also likely to review legacy contracts to move any existing EU vendors who have previously relied on the EU-U.S. Privacy Shield over to SCCs.
- On transactions, parties needing to transfer personal data between the EU and the U.S. for the deal are likely to rely on SCCs going forward. Although EU transferors may seek greater assurances from U.S. counterparts about whether there is adequate protection apart from the SCCs themselves (as the CJEU indicated was necessary), we expect in practice that SCCs will continue to be the standard method of transfer of personal data between the EU and the U.S. on deals.
- There will likely be more scope for challenging the use of SCCs if the legal system of the recipient country does not provide safeguards and rights that are broadly equivalent to those of the EU’s data protection regime. This is likely to lead to the greater use of the tokenization or encryption of personal data being transferred pursuant to SCCs as a means of providing additional safeguards. Such measures only add protection, however, where the U.S. recipient (and therefore any U.S. authority compelling it) cannot reverse them, i.e., where the decryption keys or the token vault remain under the exporter’s control in the EU; encryption that the importer can undo on demand does not change the analysis the CJEU applied.
- The European Commission will likely publish updated SCCs to reflect the implementation of GDPR, as well as the effects of this decision as a matter of urgency. It is also possible that any such updated SCCs will be influenced by the CJEU’s broad view of the rights that must be available to data subjects in transferee countries.
- For the U.K., the decision represents a potential issue for 2021 and beyond. Even though the U.K. left the EU on January 31, 2020, it remains subject to GDPR during 2020 as part of a Brexit transition period. In 2021, the U.K. will be a third country outside of the scope of GDPR. The U.K. has, under its Investigatory Powers Act 2016, wide-ranging surveillance powers that could, in theory, place it under scrutiny from the EU as to whether the U.K. should be treated similarly to the U.S. with respect to personal data transfers.