A recent European Union decision that directly impacts data transfers to the United States could also affect Australian organisations seeking to transfer personal data.
Last year, the Court of Justice of the European Union (CJEU) delivered its decision on international transfers of personal data in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (Schrems II). The judgment dealt with how far data controllers and processors can rely on the EU-US Privacy Shield Framework and the European Commission's approved Standard Contractual Clauses to show compliance with the EU General Data Protection Regulation (GDPR).
The GDPR protects the data of individuals in the EU and personal data transferred outside of the EU.
Historically, some organisations have relied on the European Commission's approved Standard Contractual Clauses to show compliance with the GDPR when transferring data outside of the EU. These contractual clauses require the transferee to meet certain GDPR requirements.
Where data is transferred from the EU to the United States, some organisations have also used the EU-US Privacy Shield Framework, which was previously considered to provide adequate protection under the GDPR.
What was the case about?
Austrian lawyer Maximilian Schrems argued that Facebook Ireland should not be able to transfer his personal data to the United States because United States laws and data practices would not protect his personal data adequately. He asked the Irish Data Protection Commissioner to make an order suspending or prohibiting Facebook from transferring the data.
Facebook Ireland argued the use of the EU-US Privacy Shield showed that data transfers to the United States were adequately protected. The CJEU considered this argument and also whether the Standard Contractual Clauses were valid.
Standard Contractual Clauses: What were the CJEU's findings?
The CJEU found that Standard Contractual Clauses won't always be enough to ensure personal data transferred externally from the EU is adequately protected and therefore compliant with the GDPR.
Whether there is adequate protection requires a case-by-case assessment. The CJEU did not provide a full assessment framework, which has led to some uncertainty.
However, as a minimum, data processors and controllers should assess whether data subjects have adequate protection by considering the Standard Contractual Clauses in light of the local laws of the receiving country. For instance, the following questions could be considered:
- how do national security and surveillance laws apply to personal data?
- what kind of access do authorities have to personal data?
- what are the legal rights of the data subject?
EU-US Privacy Shield Framework: What were the CJEU's findings?
The CJEU found the EU-US Privacy Shield Framework does not provide equivalent rights to the GDPR. Equivalent GDPR protection isn't possible once data is transferred to the United States due to local surveillance programs and laws. The CJEU considered that United States authorities have broad powers to access data and that there are inadequate remedies for data subjects.
Is there any official guidance on implementing the CJEU's judgment?
Following the Schrems II decision, the European Data Protection Board has published draft recommendations that outline six steps for data exporters:
- know your international data transfers from the EU
- identify the transfer tools relied on (such as Standard Contractual Clauses)
- consider whether laws or practices in the receiving country impact the effectiveness of the transfer tools relied on
- adopt supplementary procedures (such as contractual, technical or organisational measures) that provide an equivalent level of protection as that in the European Economic Area, if required
- take the procedural steps required to implement the supplementary measures
- monitor and re-evaluate at appropriate intervals.
Although the draft recommendations are useful, overall there is still little definitive guidance available for the industry following Schrems II.
What were Australian organisations' obligations before Schrems II?
Prior to the Schrems II decision, the GDPR already applied to certain Australian organisations, requiring them to protect personal data to GDPR standards. The GDPR covers many Australian businesses established in the EU and can also apply to companies outside of the EU, such as businesses that offer goods or services to individuals in the EU or that monitor the behaviour of individuals in the EU.
What does the decision mean for Australian organisations?
The CJEU specifically noted the decision wouldn't create a legal vacuum and may be applied to other transfers of personal data outside the EU. Going forward, Australian businesses may not be able to simply rely on Standard Contractual Clauses to prove they meet GDPR requirements and should analyse their data flows.
How should Standard Contractual Clauses be dealt with?
Where Standard Contractual Clauses are relied upon to prove GDPR compliance, Australian organisations should analyse whether these offer GDPR equivalent protection in light of local laws and practices. If not, can other steps be taken to ensure the data is adequately protected?
The ruling on the Standard Contractual Clauses may impact Australian businesses that receive data from the EU into Australia, as well as Australian organisations that also operate in other countries (in which case any applicable local laws and practices may need to be considered).
Why does the invalidation of the EU-US Privacy Shield matter in Australia?
Where any personal data is transferred from the EU to the United States, if only the EU-US Privacy Shield is relied upon to ensure GDPR compliance, further data protections should be implemented. This doesn't just affect American organisations. For instance, Australian businesses that use US processors in relation to data originating from the EU may be impacted.
What should Australian organisations do now?
The Schrems II decision means that Australian organisations involved in transferring data from the EU should carefully analyse their data flows as soon as possible. Analysing data flows on a case-by-case basis is likely to be onerous, but it is an important activity to ensure compliance.