Schrems II – what does it mean for you?
Yesterday (16 July 2020) the Court of Justice of the European Union (CJEU) published its decision in the case of Facebook Ireland and Schrems, Case C-311/18 (known as “Schrems II”). If you share any personal data with organisations in the US (for example, if any of your software or cloud service providers are based in the US or use data centres there), then Schrems II could be a significant court decision for your organisation, requiring changes in your day-to-day compliance operations.
Most organisations transferring personal data from the EU to the US will be relying on the EU-US Privacy Shield or data transfer agreements including Standard Contractual Clauses approved by the European Commission (SCCs) for those data transfers to be lawful. In this case the CJEU was asked to consider the validity of the EU-US Privacy Shield and the SCCs in light of the law and practice in the US under which the US intelligence services access personal data.
We have set out below the background, the legal issues and the CJEU’s decision, but here are the two main points you need to know:
1. The EU-US Privacy Shield has been declared invalid.
This means that organisations can no longer rely on the EU-US Privacy Shield for any transfers of personal data to the US from the UK (or anywhere in the EU) to be lawful. Other ‘appropriate safeguards’ will be required.
2. Whether or not you can rely on SCCs for transfers of personal data to the US and other countries outside the EEA from the UK (or anywhere in the EU) has been called into question.
The CJEU decision requires data exporters that wish to use SCCs to consider the law and practice in the country of the data importer and determine whether or not this is compatible with data subjects’ rights within the EU. This is unlikely to be the case if public authorities in that country have unfettered access to personal data and/or if data subjects have no effective judicial remedies. Additional safeguards may be required.
Background
The case stems from an action brought by Maximillian Schrems, a privacy activist and a Facebook user. Any person wishing to use Facebook must enter into a contract with Facebook Ireland, a subsidiary of Facebook Inc based in the US. Some or all of the personal data of Facebook Ireland’s users who reside in the EU is transferred to servers belonging to Facebook Inc. that are located in the US.
Schrems objected to the transfer of his personal data to the US because of US surveillance laws and practices which require Facebook Inc. to make the personal data transferred to it available to certain US authorities for use in various monitoring and surveillance programmes, including the PRISM programme, the UPSTREAM programme and the accessing of data ‘in transit’ to the US (by tapping underwater cables on the floor of the Atlantic) before it becomes subject to US law.
Schrems requested that the Irish Data Protection Commissioner prohibit or suspend the transfer of his personal data by Facebook Ireland to Facebook Inc on the ground that the surveillance laws and practice in force in the US did not ensure adequate protection of his personal data. His request conflicted with the European Commission’s previous decisions that the EU-US Privacy Shield and the SCCs ensured an adequate level of protection for transfers of personal data from the EU to the US, prompting the referral to the CJEU.
The CJEU was asked to consider the interpretation and validity of those previous European Commission decisions in light of the US surveillance activities.
The legal issues
GDPR prohibits the transfer of any personal data to a country outside the EEA unless:
a) The European Commission has granted an adequacy decision for the country in question, declaring that it ensures an adequate level of protection.
b) The data exporter has provided appropriate safeguards, and enforceable rights and effective legal remedies are available to the data subjects. The appropriate safeguards currently available to organisations (that are not public authorities or bodies) include:
· Standard Contractual Clauses approved by the European Commission (SCCs), entered into between the data exporter and the data importer
· Binding corporate rules (available to multinational companies for intra-group transfers, although these can take up to 12 months to be approved and so, if not already in place, they will not be a quick fix)
c) One of the derogations under Article 49 of the GDPR applies, such as the data subject’s explicit consent to the proposed transfer after having been informed of the possible risks of such transfers for them due to the absence of an adequacy decision and appropriate safeguards.
The action brought by Schrems threw into doubt whether the EU-US Privacy Shield was valid, requiring the CJEU to consider whether it ensured an adequate level of protection for EU citizens.
The action also required the CJEU to consider whether SCCs could ever be valid for transfers of personal data to countries outside the EEA where those clauses are not binding on that country’s state authorities, particularly where the recipient is bound by laws and practices of that country which conflict with the guarantees provided by the SCCs, meaning that the SCCs are not or cannot be complied with in that country.
The CJEU’s decision
The CJEU declared the EU-US Privacy Shield invalid because, firstly, the limitations arising under US law on access to and use of personal data transferred from the EU to the US by US public authorities mean that the level of protection of personal data is not essentially equivalent to that required under EU law. Secondly, certain US surveillance programmes do not grant data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.
In relation to the SCCs, the CJEU held that in the absence of an adequacy decision for the country in question, the appropriate safeguards must be capable of guaranteeing to the data subject a level of protection essentially equivalent to that guaranteed within the EU (notably the right to a judicial remedy for breach of an individual’s data privacy rights).
In countries whose laws allow their public authorities to interfere with the rights of data subjects, the data importer may not be able to comply with the SCCs, which means that the SCCs alone might not be enough to ensure the effective protection of the personal data transferred to that country. This requires an assessment of the level of protection afforded in the country of the data importer, taking into consideration both the SCCs and the relevant aspects of the legal system of that country, in particular in relation to any access by the public authorities of that country to the personal data transferred.
What does this mean in practice?
Organisations that transfer personal data to another organisation in the US can no longer rely on the EU-US Privacy Shield. Therefore, other appropriate safeguards must be in place before the data transfer to the US can lawfully be made.
In addition, the ability to rely on SCCs as an adequate safeguard for transfers of personal data to the US has been called into question. Data exporters are now required to consider the laws and practices of the recipient country, including the extent to which its public authorities will have access to the personal data transferred. In itself, this new requirement will be a substantial burden on data exporters.
For transfers of personal data to the US, the Data Protection Commissioner in Ireland had already taken the preliminary view (before the CJEU decision) that personal data of EU citizens transferred to the US is likely to be consulted and processed by the US authorities in a manner incompatible with their data privacy rights within the EU, and the Irish High Court had doubts as to whether US law provides those citizens with legal remedies compatible with their right to a judicial remedy for breach of their data privacy rights under EU law. Further, the Data Protection Commissioner in Ireland has suggested that the SCCs are not capable of remedying that defect, since the SCCs bind only the data exporter and data importer and are not binding on the US authorities.
Divergent decisions by supervisory authorities in different EU member states are possible, as are divergent decisions in the UK after the post-Brexit implementation period ends. The UK Information Commissioner’s Office has issued a statement that it is considering the CJEU judgment. However, it might not take a decision until it is required to do so following a complaint by a data subject.
The European Commission is also in the middle of reviewing and modernising the SCCs, which was put on hold until this case was resolved. We expect that updated SCCs will now be forthcoming, although we do not know when. This means that using the current SCCs is risky and uncertain in the long-term.