CJEU invalidates EU-US Privacy Shield framework and upholds EC Standard Contractual Clauses

Nigel Parker

On 16 July 2020, the Court of Justice of the European Union (the CJEU) issued a landmark decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (commonly referred to as Schrems II). The CJEU invalidated the European Commission’s (the EC) adequacy decision on the EU-US Privacy Shield and upheld the general validity of the EC standard contractual clauses for cross-border data transfers (SCCs). However, compliant data transfers under SCCs will become more onerous for data exporters, importers and supervisory authorities, and the reasoning of the CJEU will have significant impact on other mechanisms for international transfer from the EEA to third countries, in particular countries where national laws provide for surveillance powers and insufficient judicial redress for individuals from the EU.

Background of the case

The case revolved around the validity of transfers of personal data EU Facebook users to the US, following the Snowden revelations concerning mass surveillance practices by US agencies and law enforcement authorities. The claim by the Austrian citizen Maximillian Schrems resulted in invalidation of the EU-US Safe Harbor programme by the CJEU back in 2015 (Schrems I case). The EU and the US established since then a new framework for international data transfers, the EU-US Privacy Shield, and the EC had adopted an adequacy decision allowing free flow of personal data to recipients in the US certified under this framework.  In the meantime, Facebook implemented EC controller-processor SCCs to ensure its data transfers from the EU were covered. In the Schrems II case, Maximillian Schrems contested the legality of Facebook’s data transfers to the US under the SCCs, and the validity of the SCCs as a mechanism for cross-border transfers to third countries without adequacy status.

Our colleague David Smith discusses the background to the case in a blog published last week, available here.

EU-US Privacy Shield 

Although the referring court did not ask the CJEU to look into the EU-US Privacy Shield framework, the CJEU’s Advocate General (AG) had discussed it at length in its December 2019 opinion (available here) and questioned its validity, particularly in relation to the right to respect for private life and the right to an effective remedy. The AG considered, amongst other issues, Section 702 of the US Foreign Intelligence Surveillance Act and expressed doubts about the conformity of the EC’s Privacy Shield decision with Art. 45(1) GDPR.

In Schrems II, the CJEU has now examined the EC adequacy decision 2016/1250 for the EU-US Privacy Shield and declared it invalid. The CJEU noted that the framework does not protect personal data of EU residents from US surveillance, and fails to ensure that EU individuals have effective and enforceable remedies through the courts or an effective Ombudsman in relation to certain US mass surveillance laws.

This means that transfers from the EU can no longer be made to the US in reliance on the fact that the recipient is certified under the EU-US Privacy Shield. It is important to note that the CJEU decision does not affect the validity of the Swiss-US Privacy Shield framework, but the Swiss supervisory authority has already issued a press release stating that it will study the judgment and comment on its impact in due course.

Standard Contractual Clauses

The CJEU confirmed that the EC adequacy decision for Controller to Processor SCCs is valid and provide appropriate safeguards for transfers of personal data to third countries.  However:

  • SCCs should be viewed as offering the basic level of protection. Data exporters must assess on a case-by-case basis whether additional safeguards are needed. They should verify the legal conditions in a country and in particular the laws which may apply to the particular parties / data before making a transfer. Where necessary, they must put additional measures of protection in place to address any issues. However, where foreign law imposes obligations on the recipient contrary to the SCCs and which are therefore capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities, the transfer cannot be made.
  • The SCCs already require the recipient to notify the exporter of any change in law affecting compliance with the SCCs. The CJEU states that if the situation cannot be remedied by the parties, the data must be returned or destroyed; transfer in breach may give rise to a compensation claim for damages suffered by individuals.
  • The extent of the obligation to verify and report under the SCCs is not clear. According to the CJEU, exporters should take into account the EC’s findings of adequacy. Necessary and proportionate access under mandatory requirements of foreign legislation which do not go beyond what is necessary in a democratic society to safeguard national security, defence and public security should not pose a problem, but compliance with an obligation which goes beyond what is necessary for those purposes must be treated as a breach of SCCs.
  • National supervisory authorities (DPAs) must suspend transfers based on SCCs where they take the view that, in the light of all the circumstances of a particular transfer, they are not or cannot be complied with in the destination country and the data cannot be protected by any other means. The CJEU noted the obligation under the SCCs on the recipient to make the controller aware of issues in a particular jurisdiction and on the controller to pass this information to the DPA to investigate.

Effect on Current and Future Transfers 

Transfers can no longer be made to the US in reliance on the fact that the recipient is certified under the EU-US Privacy Shield.

Controllers may continue to use SCCs to transfer data outside the EEA but will need to assess whether laws in the destination affect the protection provided by the SCCs in their particular case.  If not, or where they are notified by the recipient that there is an issue affecting compliance with the SCCs, they should take steps to implement additional measures to establish necessary protections under the SCCs and consider whether notification of DPAs is necessary. This is clearly burdensome for controllers and will impact the ease with which SCCs can be implemented.

Whether controllers may continue transferring personal data to the US on basis of the SCCs is unclear.  The CJEU invalidated the EU-US Privacy Shield because of surveillance powers and laws in the US and the lack of effective judicial redress mechanisms for EU residents. In this respect, the private contractual arrangements under the SCCs are unlikely to be considered to offer better protection or redress than the Privacy Shield.  Arrangements to store the data of Europeans in EU-based data centres or encrypt data will not likely change the situation, on their own, as recently adopted US laws (including the CLOUD Act) seek to capture any data of US companies stored worldwide.

In this respect, we expect that the same reasoning will also apply to transfers under binding corporate rules (BCRs). BCRs already require a corporate group to disclose to the BCR lead any national laws that might impede compliance with the BCRs. It is logical for supervisory authorities to expect assessment of transfers under the BCRs to specific jurisdictions and the restriction of transfers where a conflict leads to inability to enforce protections. In contrast to the SCCs and EU-US Privacy Shield, BCRs do offer judicial redress mechanisms to data subjects whose personal data are covered by the BCRs.

The CJEU referred to the alternatives for transfer under Art. 49 GDPR (such as a data subject’s explicit consent or transfer for performance of a contract, etc.) but these alternatives will not be suitable for general business use, given that the European Data Protection Board (EDPB) guidelines consider these alternatives appropriate only where safeguards such as SCCs are not available.

Next steps

The EC has stated in a press conference that it will produce guidance for businesses, issue a cross-border transfers toolbox under the GDPR, speed up adoption of the modernised SCCs, review current adequacy decisions to align with the CJEU decision and look into the future of the EU-US Privacy Shield framework.

The US Secretary of Commerce voiced disappointment with the invalidation of the EU-US Privacy Shield framework and stated that the Department of Commerce will continue administering the framework, including processing submissions for self-certifications and maintaining the Privacy Shield list. In addition, the certified organisations are not relieved of their obligations under the framework.

The EDPB chairperson noted yesterday that the CJEU’s ruling underlines the need to ensure that SCCs maintain essentially equivalent protection. The EDPB will discuss the judgment in a plenary session on 17 July 2020.

Various national supervisory authorities have already reflected on the Schrems II decision and raised their doubts that transfers to the US can continue under SCCs. For instance, the Irish Data Protection Commissioner has issued a statement saying that the use of SCCs for transfer to the US is now questionable not least because assessments will need to be made on a case-by-case basis.

Some German DPAs also commented on the case. The Hamburg DPA stated that the CJEU was not consistent in upholding SCCs. It says that although BCRs, individual agreements and SCCs can continue to be used for transfers, uncertainty for transfers has increased compared to 5 years ago, when the EU-US Safe Harbor was invalidated. The DPA noted that EU supervisory authorities should come promptly to a common understanding on how to deal with companies that continue relying on Privacy Shield. Taking a strict stance, the Rhineland-Palatinate DPA issued a FAQ where it clarified that following invalidation of the Privacy Shield, controllers should not wait for instructions from supervisory authorities but must immediately switch to alternative transfer mechanisms under the GDPR, as there is no transition period to remedy non-compliance is contemplated. The Rhineland-Palatinate DPA further stated that DPAs are reviewing the impact of the CJEU decision on other transfer mechanisms.

We are monitoring closely the developments following the decision of the CJEU in Schrems II and will keep you updated.

The press release of the CJEU is available here, and the Decision here.

Authors: Anna van der Leeuw-Veiksha, Nigel Parker