The name Max Schrems is now as familiar to privacy professionals as the term GDPR. The Austrian lawyer and privacy activist has been instrumental in challenging data transfers from the EU to the US since 2013 when he first launched a challenge in Ireland against Facebook's transfer of his personal data to the US. Mr Schrems argued that in light of the Edward Snowden revelations, US law could not adequately protect his data from surveillance by the US authorities. Facebook had relied on the EU/US Safe Harbour Agreement to transfer data to the US but as a result of the first Schrems case the Safe Harbour Agreement was declared invalid in 2015.
By 2016 Safe Harbour was replaced by another EU/US mechanism, the Privacy Shield, and Facebook moved from relying on this adequacy mechanism to using Standard Contractual Clauses (SCCs) as the legal basis for data transfer to the US. However, privacy concerns remained and Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner to include a challenge to SCCs.
The Irish High Court referred a number of questions to the Court of Justice of the European Union (CJEU) which handed down its decision on 16 July 2020. The CJEU ruled that:
- Standard Contractual Clauses (SCCs) for the transfer of personal data to an organisation in a country outside the EEA are valid, subject to conditions being satisfied, but
- the EU-US Privacy Shield is not
Given that over 5,000 organisations participate in the Privacy Shield and thousands more rely on the Privacy Shield when transferring data to these organisations, the judgment will have an immediate impact. Whilst SCCs remain valid, the ruling also highlights that they should not be used without a careful analysis of whether the recipient jurisdiction has adequate data protections in place.
What are the implications of this decision for businesses involved in cross border data transfer?
- Businesses relying on the Privacy Shield for data transfers to the US must find an alternative legal basis for the transfer.
- Back in 2015 after the Safe Harbour invalidation the European data protection authorities established a three-month moratorium to allow businesses to find an alternative data transfer mechanism.
- No grace period has been established on an EEA-wide basis as yet, but for UK businesses, the ICO has issued a statement confirming that "if you are currently using the Privacy Shield, continue to do so until new guidance becomes available".
- If you are a business which relies on SCCs you can continue to do so but additional due diligence will be required. Data exporters and importers must verify, on a case-by-case basis, whether a recipient jurisdiction provides adequate protections for data transferred and in some cases data exporters may be required to provide for "additional safeguards" to ensure appropriate privacy protections.
- Consider whether you can rely on Derogations or Binding Corporate Rules
- Consider whether you can avoid a transfer of data outside the EU
The European Commission is currently working on updating SCCs, and further guidance in the aftermath of the Schrems decision is likely to come from the European Data Protection Board. However, given that the crux of the problem lies with the laws of the receiving country rather than the instrument for transfer, it is difficult to see how the issue can be satisfactorily resolved.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.