On July 16, 2020, the Court of Justice of the European Union ('CJEU') handed down its long-awaited judgment in the 'Schrems II' Case (Facebook Ireland and Schrems (Case C-311/18)) concerning the legality of data transfers outside the European Economic Area ('EEA') under the General Data Protection Regulation ('GDPR') [1].
In a somewhat surprising judgment, the CJEU invalidated the EU-U.S. Privacy Shield [2] ('Privacy Shield'), meaning that it is no longer available as a mechanism for legitimizing transfers of personal data to the U.S. The CJEU also held that the European Commission's Standard Contractual Clauses ('SCCs') [3] remain valid as a legal mechanism for transferring personal data outside the EEA. However, the CJEU issued a number of clarifications and caveats on their use going forward. The CJEU emphasized that companies using SCCs to transfer data outside of the EEA should make case-by-case assessments of the effectiveness of the SCCs. They must also suspend their data transfers if it is not, or is no longer, possible to adhere to the SCCs. Failing that, the competent supervisory authorities must block further data flows under the SCCs.
Businesses that have been relying on these legal mechanisms to transfer data outside of the EEA are now strongly advised to assess their options.
What happened in Schrems II?
Prior to Schrems II
The case under discussion in this article has come to be known as the 'Schrems II' case. As suggested by that name, this is not the first case involving the claimant Mr. Schrems - an Austrian privacy activist. Mr. Schrems first filed a complaint with the Irish supervisory authority - the Data Protection Commission ('DPC') - in 2013, which focused on Facebook's transfer of his personal data to the U.S. At the time, Facebook relied upon the 'U.S.-EU Safe Harbor' framework to legitimize the data transfer. Mr. Schrems' main concern was that in the U.S. his personal data was not adequately protected from unlawful access by U.S. authorities and agencies.
The resulting case has come to be known as Schrems I, and led to the CJEU invalidating the U.S.-EU Safe Harbor framework in October 2015. The U.S.-EU Safe Harbor framework was eventually replaced by the Privacy Shield.
Key Issues in Schrems II
Following the Schrems I case, Mr. Schrems continued his quest against Facebook and reformulated his complaint to the DPC to take account of the fact that the U.S.-EU Safe Harbor framework had been struck down. The DPC established that Facebook continued to transfer personal data to Facebook Inc. in the U.S., in reliance in large part on the use of SCCs.
Schrems' reformulated complaint did not in fact focus on the validity of the SCCs as a means of legitimizing data transfers in general. Instead, Mr. Schrems requested that the DPC exercise its powers to suspend Facebook's particular transfers of personal data to the U.S., claiming that:
- The agreement that Facebook relied on to transfer data to the U.S. was not consistent with the relevant SCCs adopted by the European Commission.
- The SCCs could not in any event justify the transfer of Mr. Schrems' personal data to the U.S. According to Mr. Schrems, this is because under U.S. law Facebook Inc. was required to make the personal data of its users available to U.S. authorities and agencies, such as the NSA, in a manner incompatible with the Charter of Fundamental Rights of the European Union.
However, after Mr. Schrems made his complaint in 2015, the case took on broader significance:
- The DPC's investigation sought to determine (i) whether the U.S. ensures adequate protection of the personal data of citizens of the EU; and (ii) whether the SCCs offer sufficient safeguards to those citizens. The DPC subsequently brought proceedings before the Irish High Court to obtain clarification on the validity of the SCCs.
- In May 2018, the Irish High Court referred the case to the CJEU along with 11 questions, which not only bore on the validity of SCCs, but also indirectly on the validity of the Privacy Shield.
What did the CJEU conclude?
The CJEU held that the Privacy Shield is invalid. The CJEU's view was that the limitations on the protection of personal data arising from U.S. domestic law on the access to, and use of, that data by U.S. public authorities are not sufficiently circumscribed by the Privacy Shield. The CJEU also held that the Privacy Shield does not provide individuals in the EU with a cause of action before a body (in the U.S.) that offers sufficient guarantees.
Conversely, the CJEU held that the SCCs remain valid as a legal mechanism for transferring personal data from EEA-based data controllers to recipients outside the EEA. It held this view on the basis that the Commission Decision adopting the SCCs: (i) includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law; and (ii) establishes a mechanism under which transfers of personal data under the SCCs are suspended or prohibited in the event of breach of the SCCs, or where it is impossible to honor them.
The CJEU also, however, issued a number of clarifications and caveats to the use of SCCs. It pointed out, in particular, that there is an obligation on the data 'exporter' (in collaboration with the recipient of the personal data) to verify - on a case-by-case basis - whether the law of the receiving country ensures adequate protection of personal data transferred under the SCCs. The data recipient is also under an obligation to inform the data 'exporter' of any inability to comply with the SCCs (e.g., as a result of local law obligations), and the data 'exporter' is in turn obliged to suspend the transfer of data and/or to terminate the contract with the recipient.
The obligation to suspend or terminate the transfer therefore falls primarily to the 'exporter' of the personal data. However, the CJEU also held that if the 'exporter' does not do so, the competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a country where - in their view - the data recipient cannot comply with its contractual obligations under the SCCs and keep the data safe. The CJEU also highlighted the possibility of implementing additional protections 'by providing, where necessary, additional safeguards to those offered by [the SCCs]'.
What does this all mean for global businesses?
Businesses (previously) relying on the Privacy Shield
It is clear that - from the date of the Schrems II decision - the Privacy Shield can no longer be used to legitimize transfers of personal data to the U.S., and the 5300-plus organizations currently registered to the Privacy Shield will have to find alternative means of doing so.
One 'solution' mentioned by the CJEU in its judgment is reliance upon the 'derogations' provided by Article 49 of the GDPR. That article provides that transfers outside the EEA can be legitimized on other grounds, such as by:
- Obtaining individuals' explicit consent to the data transfer;
- Relying on the fact that the transfer is necessary for the performance of a contract, or for the implementation of certain pre-contractual measures; and
- In some very restricted circumstances - relying on the fact that the data transfer is necessary for the data exporter's 'compelling legitimate interests'.
However, regulatory guidance from the European Data Protection Board ('EDPB') has construed these 'derogations' very restrictively, such that they can be relied on to cover occasional data transfers in exceptional circumstances only. Under that guidance, regular, day-to-day transfers of personal data outside of the EEA cannot be justified on the basis of the derogations in Article 49 of the GDPR. Similarly, the guidance provides that data exporters must first endeavor to apply other mechanisms available under the GDPR (such as SCCs) before turning to the derogations. Businesses should therefore approach them with caution - typically as a last resort - and ensure that they document their approach appropriately in order to comply with the GDPR's accountability principle.
Businesses relying on the SCCs
Businesses relying on SCCs should revisit their usage of them, and make a case-by-case assessment on whether it is appropriate to continue their use, or whether it is necessary to suspend the data transfer or terminate the underlying data transfer agreement. Exporters and recipients of data will need to work together to conduct this assessment, and in particular data exporters may look to recipients who are more familiar with the laws of their own country for reassurances that the data recipient can comply with the obligations contained in the SCCs, and provide the required level of protection.
As part of this self-assessment, exporters and recipients may wish to consider whether additional protections can be put in place in order to ensure the effectiveness of the SCCs. Businesses should be aware, however, that there are limits to the extent to which the SCCs can be amended without undermining their 'pre-authorized' nature, which would require ad hoc approval from a competent supervisory authority.
At present, regulatory guidance on the approach that exporters and recipients must take when making these assessments is limited. The day following the Schrems II decision, the EDPB published a statement which provides some preliminary guidance on the use of SCCs going forward. It notes, for example, that:
- Exporters of personal data (if necessary, with the assistance of data recipients) must take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the recipient's country;
- The assessment of the laws in the country of destination must be done in light of the non-exhaustive factors set out under Article 45(2) of the GDPR. Article 45(2) of the GDPR describes the criteria that the European Commission must take into account when assessing whether the laws of countries outside of the EEA ensure an adequate level of data protection, with a view to making a 'decision of adequacy'. Since the system of adequacy decisions was introduced by Directive 95/46/EC - the GDPR's predecessor - the European Commission has performed only a handful of adequacy assessments, and the process on average takes two to three years. It therefore appears unrealistic to expect that businesses in the EEA, and in particular SMEs, assess the adequacy of the laws in 'foreign' countries with the same rigor and intensity as the European Commission.
Some supervisory authorities have already begun to provide indications as to which data transfers businesses may find challenging to justify under SCCs. For example, the supervisory authority in the German state of Rhineland-Palatinate has released a set of Schrems II FAQs which indicate that 'as a rule,' SCCs cannot be used to transfer EU data to telecom companies in the U.S., and that SCCs may not be workable if personal data will ultimately be stored by U.S. cloud providers. The Irish DPC noted in a statement that 'in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable'.
One of the more 'extreme' reactions so far has come from the supervisory authority in Berlin. According to a statement issued on 20 July, the supervisory authority is of the view that companies in Berlin which are storing personal data in the U.S. must return the data back to the EU, and may not generally transfer personal data out to the U.S. until the legal situation changes. In particular, the regulator notes that businesses using U.S. cloud services must switch to service providers in the EU or another country that provides an adequate level of data protection. The Berlin supervisory authority further underlines that, before using SCCs, the data exporter and recipient must verify whether it is possible for the government in the recipient's country to access the transferred personal data. If that government access goes beyond what is permissible under EU law, SCCs cannot justify the transfer of personal data.
The initial focus by supervisory authorities on transfers to the U.S. is a consequence of the particular transfer in question in the Schrems II case. However, the supervisory authorities' statements raise the question of how the analysis may change where businesses transfer personal data to non-EEA countries other than the U.S., especially countries where authorities and agencies have more extensive surveillance powers or fewer protections for individuals' privacy and personal data. The Berlin supervisory authority's statement, for example, singled out China, Russia and India as potentially problematic.
There is therefore a need for consistency of approach across EU supervisory authorities. Helpfully, a number of supervisory authorities (such as the Irish, French, and German Federal supervisory authorities) have indicated that they intend to coordinate a common European approach. It is hoped that the output of this coordination will provide businesses with a clear and commercially viable path forward.
What are the alternatives?
Businesses should seriously consider alternative safeguarding mechanisms for transfers out of the EEA, such as Binding Corporate Rules ('BCRs'). BCRs are codes of conduct that can only be used for intra-group transfers (or transfers between enterprises engaged in a joint economic activity), and must be approved by a competent supervisory authority. However, because of their approved status they are considered by many to be the most reliable means of legitimizing transfers of personal data under the GDPR.
Businesses may also look to the upcoming revised SCCs, which are currently under development by the European Commission. Although it is not clear at this stage what form they will take, or how they will improve on the existing SCCs, there have been indications that they will be released before the end of 2020.
There have also been indications that the EU and the U.S. are willing to work together to replace the Privacy Shield. However, given the time which it may take for the EU and the U.S. to finalize negotiations around a new EU-U.S. data transfer framework, it will be difficult for businesses to justify waiting for the replacement to take effect.
Finally, the GDPR provides the possibility to justify data transfers outside of the EEA on the basis of sector-specific codes of conduct as well as data protection certification mechanisms, which should be easier to use especially for small and medium-sized companies. These codes and mechanisms must contain binding and enforceable commitments of the data recipient outside of the EEA to apply appropriate safeguards, including with regard to individuals' privacy and data protection rights. To date, however, no such codes and mechanisms have been approved by the supervisory authorities.
What about possible enforcement action?
Neither the Schrems II judgment nor the GDPR provides for any formal grace period for businesses affected by the outcome of the case. In the coming weeks and months, businesses should look out for statements from the EU member state supervisory authorities and the EDPB, which may indicate their appetite (or lack thereof) for taking immediate enforcement action against businesses impacted by this challenging and somewhat unexpected judgment.
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2. Adopted by Commission Decision 2016/1250. The Privacy Shield was designed to allow companies to legitimize the transfer of personal data from the EEA to the U.S. To benefit from the Privacy Shield, an organization had to self-certify annually that it agreed to adhere to the Privacy Shield's principles.
3. In particular, those adopted by Commission Decision 2010/87 for transferring personal data to data 'processors' outside of the EEA. The SCCs are another safeguard used to legitimize transfers of personal data. They are standard agreements which must be executed between the data exporter and the recipient to be effective, but cannot generally be amended. There are three different types of SCCs - adopted by a series of European Commission decisions - and they are by far the most common means of legitimizing personal data transfers under the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.