The long-running Schrems II case has come to an end today, 16 July 2020, with the release of the Court of Justice of the European Union’s (CJEU’s) judgment.
The General Data Protection Regulation (EU) 2016/679 (GDPR) prohibits transfers of personal data from the EU (including, for the time being, the UK) to third countries unless appropriate safeguards are in place to protect that personal data. Such appropriate safeguards include standard contractual clauses (SCCs) adopted by the European Commission (EC), which can be put in place between EU data exporters and third country data importers to adduce adequacy. For transfers to the USA, EU data exporters have also, until now, been able to rely on the EU-US Privacy Shield arrangement, a scheme allowing transfers to organisations that self-certify adherence to certain data protection principles.
The case is the result of a complaint from Austrian privacy activist, Max Schrems, who famously brought down the EU-US Safe Harbor arrangement (the predecessor to Privacy Shield) in 2015. This was the result of a complaint by Mr Schrems to the Irish Data Protection Commissioner (DPC) against Facebook Ireland regarding Facebook’s reliance on Safe Harbor to transfer personal data to Facebook in the USA.
The complaint leading to the Schrems II case was a reformulation of his original complaint, this time focusing on Facebook’s reliance on SCCs to legitimise data transfers to Facebook in the US. The DPC referred questions to the CJEU concerning the validity of SCCs and Privacy Shield.
In a shock judgment, the CJEU has declared that Privacy Shield is invalid. The CJEU considered that US laws continue to grant rights to US public authorities to access and use EU personal data that do not include sufficient limitations and safeguards to ensure appropriate protection of data subjects. The Privacy Shield Ombudsperson mechanism (introduced in response to the invalidation of Safe Harbor) was also not considered to provide data subjects with an appropriate cause of action offering equivalent protections to the GDPR.
Taken together, the CJEU considers that these points mean that Privacy Shield does not ensure a level of protection that is essentially equivalent to that required by the GDPR and, as such, can no longer be valid in accordance with the GDPR requirements.
SCCs remain valid, but with some significant caveats. EU data exporters can only rely on SCCs where they satisfy themselves that the laws of the country to which personal data is being transferred offer an appropriate level of protection of that data. Data importers themselves are obliged to inform the data exporter if they become aware of circumstances that mean they can no longer comply with the SCCs. If exporters become aware (either through notification by the importer or via other means) of any such circumstances, they must cease transfers to that country.
The CJEU also reinforced that supervisory authorities in the EU must suspend or prohibit transfers of personal data if they consider that SCCs can no longer be complied with in that country due to deficiencies in that country’s laws.
As the decision has been released during the transition period, it applies to UK organisations in the same way as to EU organisations. The UK faces wider questions about what this will mean for its future trade negotiations with both the EU and the US. If the EC does not grant the UK adequacy, transfers from the EU to the UK are likely to rely heavily on SCCs.
The UK’s approach to data transfers to the US will, no doubt, influence the EC’s views on UK adequacy. If the UK moves away from the judgment post-transition, for example by implementing its own “Privacy Shield” style arrangement or declaring the US adequate, this may affect how the EU approaches its adequacy decision in respect of the UK.
The judgment will have far-reaching effects for both EU/UK data exporters and their third country importers. SCCs will require far more thought and analysis of third countries’ data protection regimes before they can be comfortably relied on. A replacement to Privacy Shield may be proposed, but realistically an alternative is likely to require commitments from the US to change its legal regime, which are unlikely to be forthcoming. It will be difficult for organisations to rely on SCCs as an alternative to Privacy Shield in light of the CJEU’s clear view that the US does not provide appropriate protection for personal data.
EU and UK organisations will need to review all of their international data transfers and establish what adequacy mechanisms are currently being relied on. Many organisations may well look to move away from transfers to the US altogether. However, it is not just US transfers that are affected; all international data transfers covered by SCCs will also need to be reviewed to ensure that the laws of the relevant recipient countries provide appropriate levels of protection to continue to rely on SCCs. Many countries may struggle to satisfy this high bar – for example those countries which have previously applied (whether formally or informally) and been turned down for an EC adequacy decision.
Frustrations will also, no doubt, be felt by those who were hoping that the judgment would lead to an update of SCCs, which have been widely acknowledged for some time as being out-of-date and unfit for purpose. The 5,000-plus US businesses that invested significant resources in certifying with Privacy Shield will also be reeling, and wondering what their options are going forward.
Guidance from the Information Commissioner’s Office in the UK and, more widely, the European Data Protection Board, will be indispensable as organisations start to navigate these tricky waters.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.