The CJEU Declares the EU-US Privacy Shield Invalid and SCCs Valid


On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered a significant ruling on two mechanisms used to transfer personal data out of the EU under the GDPR: the EU-US Privacy Shield and standard contractual clauses (SCCs). The Privacy Shield was a framework under which US companies that self-certified to its principles could receive personal data from the EU, including data they then passed on to third parties. SCCs are model contract terms approved by the European Commission that an EU data exporter and a data importer in a third country (the US or elsewhere) sign to provide appropriate safeguards for the transfer; they are widely used, not least by small and medium-sized businesses.

Surprising many experts, the CJEU declared the Privacy Shield invalid while upholding the validity of SCCs, subject to conditions. Below we set out the background to the judgment, give a high-level summary of what the Court decided on each mechanism, and outline the implications and recommended next steps for organizations in the UK.

What was the Background to this Judgment?

The CJEU's judgment in this case is commonly known as 'Schrems II'. Maximilian Schrems, an Austrian privacy activist, lodged a complaint with the Irish Data Protection Commission (DPC), Ireland's data protection authority, concerning Facebook Ireland. Schrems argued that US law does not offer adequate protection or effective legal remedies for the personal data of individuals in the EU.

Schrems specifically objected to the transfer of his personal Facebook data by Facebook Ireland to servers operated by Facebook Inc. in the US. At the time, those transfers relied on the SCCs then in force (the Commission's 2010 controller-to-processor clauses, which have since been replaced by the June 2021 SCCs that reflect the Schrems II judgment).

Schrems contended that the former SCCs did not provide a sufficient level of protection for the personal data of EU individuals due to the intrusive nature of US surveillance activities. He argued that US legislation did not explicitly restrict interference with an individual's right to the protection of their personal data in the same manner as EU data protection laws.

Rather than rule on the complaint itself, the DPC brought proceedings in the Irish High Court, which referred a series of questions to the CJEU for a preliminary ruling. The questions focused primarily on the validity of the SCCs, but also touched on the EU-US Privacy Shield framework. The Schrems II judgment is the CJEU's answer to those questions.


What was the Judgment on SCCs?

The CJEU upheld the validity of the Commission decision establishing the SCCs: they remain a lawful basis for transferring EU personal data to third countries, including the United States. However, the Court emphasized that an EU organization relying on SCCs must, before transferring, actively verify that the law and practice of the destination country allow the importer to comply with the clauses and so afford a level of protection 'essentially equivalent' to that guaranteed in the EU. Where the SCCs alone cannot ensure that level of protection, the exporter must adopt supplementary measures on top of the clauses. The Court did not specify what those measures should be.

Moreover, the responsibilities do not solely lie with the data exporter. According to the CJEU's judgment, third country organizations that import data have an obligation to inform EU data exporters if they are unable to comply with the SCCs. When a data importer cannot comply with the SCCs and no additional safeguards are in place to guarantee the required level of protection, the EU data exporter is required to suspend the data transfer and potentially terminate the contract.

The CJEU also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court emphasized that DPAs are "required to execute their responsibility for ensuring that the GDPR is fully enforced with all due diligence." This includes assessing and, if necessary, suspending or prohibiting transfers of personal data to a third country if the DPAs believe that the SCCs are not being or cannot be complied with, and if they determine that the transfers do not meet the EU's data protection requirements.

The European Data Protection Board (EDPB) subsequently filled some of that gap with its Recommendations 01/2020 on supplementary measures, adopted in final form in June 2021. The Recommendations set out a six-step process for assessing a transfer, and Annex 2 lists example technical, contractual and organizational measures, together with scenarios in which the EDPB considers that no effective measure is available (for example, where the importer needs access to the data in the clear).

What was the Judgment on the Privacy Shield?

The CJEU held that the Privacy Shield did not ensure a level of protection for personal data transferred to the US essentially equivalent to that guaranteed by the GDPR read in the light of the EU Charter of Fundamental Rights. The decision rested primarily on the US surveillance programs authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, the latter permitting bulk collection of data in transit. The Court found that these programs are not limited to what is strictly necessary, and that US law gives EU data subjects no enforceable rights against the authorities, so the resulting interference with fundamental rights is not proportionate as EU law requires.

The CJEU also found that EU data subjects lacked effective judicial redress in the US. The Privacy Shield Ombudsperson mechanism, set up within the US State Department to handle complaints from EU individuals, did not cure this: the Court held that the Ombudsperson was not sufficiently independent of the US executive and had no power to adopt decisions binding on the US intelligence services, so the mechanism did not satisfy Article 47 of the Charter (the right to an effective remedy).

The CJEU's decision reflected the fundamental issues related to both the intrusive nature of US surveillance programs and the lack of adequate redress mechanisms, ultimately leading to the invalidation of the Privacy Shield framework.

What are the Implications and Next Steps for UK Organisations?

REVIEW DATA FLOW

If your organization, or any of your third-party suppliers, currently transfers EU personal data to the US, or provides routine remote access to it from the US, under the Privacy Shield, conduct a data flow review. Map which personal data goes to the US, to whom, and for what purpose, and pay particular attention to data held by US providers that are 'electronic communication service providers' within the meaning of Section 702 of FISA (cloud, email and telecoms providers, for example), as these are the organizations that can be compelled to hand over data under that program.

Note that immediately after the judgment the UK's Information Commissioner's Office (ICO) advised that organizations already using the Privacy Shield could continue to do so until new guidance became available, but should not start new transfers under it. Watch for ICO updates, as this interim position was always expected to change.

REVIEW EXISTING SCCs

The judgment has broad implications for all transfers of EU personal data to jurisdictions without an adequacy decision. If your organization relies, or plans to rely, on the June 2021 SCCs to transfer personal data of individuals in the EU to third countries (including the US), review each transfer: the June 2021 SCCs (Clause 14) require the parties to document an assessment that the laws and practices of the destination country do not prevent the importer from complying with the clauses, and to make that assessment available to the supervisory authority on request.

Where the destination country's laws conflict with the GDPR, identify supplementary measures that address the conflict (for instance encryption with keys held only in the EU, pseudonymization before export, or contractual transparency obligations on the importer), and be prepared to suspend the transfer if none are effective.

Keep watching the EDPB for further guidance on the use of SCCs, as its expectations continue to develop.

THE EFFECT OF BREXIT

Schrems II was handed down in July 2020, during the Brexit transition period, so it forms part of the retained EU case law that UK courts and regulators continue to follow unless the higher UK courts choose to depart from it. The transition period ended on 31 December 2020, and the UK's Information Commissioner's Office (ICO) has since issued its own Schrems-compatible transfer tool, the International Data Transfer Agreement (IDTA), which came into force on 21 March 2022. For transfers of personal data subject to the UK GDPR (the amended version of the GDPR that governs the personal data of individuals in the UK), UK exporters must use the IDTA, or the EU SCCs with the ICO's Addendum, rather than the June 2021 EU SCCs on their own; contracts on the old EU SCCs entered into before 21 September 2022 could continue to be relied on until 21 March 2024.

The IDTA is designed for transfers subject to the UK GDPR only. A UK exporter that also transfers data subject to the EU GDPR (for example, because it processes personal data of individuals in the EU) can instead sign the June 2021 EU SCCs together with the ICO's International Data Transfer Addendum. The Addendum amends the EU SCCs so that they operate under UK law, which lets a single set of clauses cover both the EU and the UK transfers. The Addendum is a valid UK transfer tool in its own right, so exporters may use it even where no EU GDPR data is involved.


CONSIDER OTHER OPTIONS FOR TRANSFERRING PERSONAL DATA TO THE US

As the CJEU noted, where neither an adequacy decision nor appropriate safeguards such as SCCs are available, Article 49 of the GDPR provides a limited set of derogations that can be relied on for transfers to the US in specific situations. One is explicit consent: the data subject must have been informed of the possible risks of a transfer to a country without adequate protection and then explicitly consented to it, and that consent must be freely given and capable of withdrawal. Another covers transfers that are 'necessary' for the performance of a contract with the data subject, or for pre-contractual steps taken at their request. The EDPB interprets these derogations narrowly (transfers should be occasional, not systematic or part of routine processing), so they rarely suit ongoing supplier relationships, and expert advice should be sought before relying on them. In short, the derogations are a fallback for specific cases, not a substitute for a transfer mechanism and the safeguards described above.