News and developments
Court of Justice of the European Union invalidates EU-US Privacy Shield (Schrems II case)
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a landmark ruling in the Schrems II case (Case C-311/18). As expected, the CJEU declared the EU-US Privacy Shield invalid. The Privacy Shield was one of the mechanisms used by organisations to transfer personal data to the USA. In the same judgment, the CJEU also ruled on the use of the Standard Contractual Clauses (SCC) mechanism.
Following this ruling, which takes effect immediately, organisations will have to reassess the mechanisms they use for international transfers of personal data and take several actions to ensure compliance with the requirements of the General Data Protection Regulation (GDPR).
BACKGROUND FOR THE SCHREMS CASE
The Schrems saga began when Max Schrems lodged a complaint with the Irish supervisory authority challenging the validity of the Safe Harbor agreement (one of the mechanisms used for international data transfers to the USA prior to the Privacy Shield).
The complaint argued that the Safe Harbor mechanism offered no adequate guarantees against access to personal data by US state surveillance programmes, given the terms of US law. The CJEU agreed and, in October 2015, invalidated the Safe Harbor mechanism in what became known as the Schrems I decision.
The Privacy Shield was created to replace it. Like the Safe Harbor, it is a self-certification scheme to which US-based companies adhere, committing to a set of principles on the protection of personal data and the rights of data subjects.
In 2018, following a referral from the Irish High Court, the CJEU took up the legality of the two mechanisms most commonly used for international data transfers, namely the Privacy Shield and the SCC. This became known as the Schrems II case.
INTERNATIONAL PERSONAL DATA TRANSFERS & THE GDPR
The GDPR establishes that personal data may only be transferred outside the European Economic Area if the third country ensures an adequate level of protection for personal data, essentially equivalent to the level provided by European legislation.
Where the European Commission has not adopted an Adequacy Decision for a country or territory (as it has, for example, for Argentina, Canada or Switzerland), data controllers and/or data processors may only transfer personal data if appropriate safeguards are in place.
Among the safeguards provided for in the GDPR, we would point out mechanisms such as the SCC and the Binding Corporate Rules, together with the Privacy Shield (the latter only for transfers to the USA). The GDPR also provides for derogations for specific situations, in which international data transfers may be carried out without resorting to these legal mechanisms.
Since the USA is not covered by an Adequacy Decision, organisations transferring data to recipients based in the USA typically relied on the EU-US Privacy Shield or on signing the SCC with the entities to which the data was transferred.
SCHREMS II CASE: THE CJEU’S DECISION
As with its predecessor, the Safe Harbor, the CJEU invalidated the Privacy Shield mechanism because, in its view, US law does not provide guarantees and safeguards essentially equivalent to those required by European law.
The CJEU considers that, where national security measures and access to personal data by public authorities are at stake, the Charter of Fundamental Rights of the European Union requires minimum safeguards to be observed. In particular, (i) there must be a legal basis, (ii) limits on access to the data must be established and (iii) specific procedures governing access must be implemented. The CJEU found that the Privacy Shield does not guarantee such safeguards.
The CJEU also based its decision on the lack of effective judicial protection of data subjects' rights, i.e. the impossibility of bringing an action before a court to enforce those rights, when the Privacy Shield is used.
The SCC, approved by the European Commission in 2010, are contractual clauses that apply to personal data transfers to third countries and may be used between organisations established in the EU and organisations established outside the EU.
In its ruling, the Court did not invalidate the use of the SCC, but it made a number of considerations with a practical impact on data transfer operations.
The CJEU decided that, before relying on the SCC, organisations must verify the level of protection actually ensured in the jurisdiction to which the data are transferred, and whether that level is essentially equivalent to the one guaranteed in the European Union.
The CJEU thus places more demands on controllers, in line with the GDPR's accountability principle. The Court also expects organisations to implement supplementary safeguards where needed, although it does not prescribe what kind of measures must be put in place.
In view of this ruling, it is to be expected that the SCC will be revised to incorporate these CJEU considerations, as already foreseen in the European Commission's Communication on the evaluation of the first two years of GDPR application.
NEXT STEPS FOR ORGANISATIONS
Because the decision takes effect immediately, all organisations currently relying on the Privacy Shield mechanism must promptly identify and implement another mechanism for data transfers to the USA, or face GDPR non-compliance.
Organisations should:
- Review the categories and types of personal data being transferred outside the European Economic Area, as well as the legal basis used;
- Identify whether they transfer data to organisations that adhered to the Privacy Shield;
- Identify whether they transfer data to organisations under the SCC, and assess whether this mechanism remains viable in each case; and
- Assess the data transfer mechanism most appropriate to each case.
Two years after the GDPR became applicable, and in view of the European Commission's communication singling out international transfers as a point for improvement, developments regarding transfers of personal data outside the European Economic Area are expected in the coming months.
It is therefore recommended to monitor the positions of the supervisory authorities which, following the lead of the European Data Protection Board, may issue important guidelines.