The long-running Schrems II case has come to an end today, 16 July 2020, with the release of the Court of Justice of the European Union’s (CJEU’s) judgment.
The General Data Protection Regulation (EU) 2016/679 (GDPR) prohibits transfers of personal data from the EU (including, for the time being, the UK) to third countries unless the destination is covered by a European Commission (EC) adequacy decision or appropriate safeguards are in place to protect that personal data. Such appropriate safeguards include standard contractual clauses (SCCs) adopted by the EC, which can be put in place between EU data exporters and third country data importers. For transfers to the USA, EU data exporters have also, until now, been able to rely on the EU-US Privacy Shield arrangement, an adequacy decision covering organisations that self-certify adherence to certain data protection principles.
The case stems from a complaint by Austrian privacy activist Max Schrems, who famously brought down the EU-US Safe Harbor arrangement (the predecessor to Privacy Shield) in 2015. That earlier case followed a complaint by Mr Schrems to the Irish Data Protection Commissioner (DPC) against Facebook Ireland regarding Facebook's reliance on Safe Harbor to transfer personal data to Facebook in the USA.
The complaint leading to the Schrems II case was a reformulation of his original complaint, this time focusing on Facebook's reliance on SCCs to legitimise data transfers to Facebook in the US. The DPC brought proceedings before the Irish High Court, which referred questions to the CJEU concerning the validity of SCCs and Privacy Shield.
In a shock judgment, the CJEU has declared that Privacy Shield is invalid. The CJEU considered that US law continues to grant US public authorities rights to access and use EU personal data without limitations and safeguards sufficient to ensure appropriate protection of data subjects. The Privacy Shield Ombudsperson mechanism (introduced in response to the invalidation of Safe Harbor) was also found not to give data subjects a cause of action before a body offering guarantees essentially equivalent to those required by EU law.
Taken together, the CJEU considers that these points mean Privacy Shield does not ensure a level of protection essentially equivalent to that required by the GDPR and, as such, cannot be valid under the GDPR.
SCCs remain valid, but with some significant caveats. EU data exporters can only rely on SCCs where they have satisfied themselves, before transferring, that the laws of the destination country (together with any supplementary measures they put in place) offer a level of protection essentially equivalent to that in the EU. Data importers are obliged to inform the data exporter if they become aware of circumstances that mean they can no longer comply with the SCCs. If exporters become aware (either through notification by the importer or via other means) of any such circumstances, they must suspend transfers to that country or terminate the contract.
The CJEU also reinforced that supervisory authorities in the EU must suspend or prohibit transfers of personal data if they consider that SCCs can no longer be complied with in that country due to deficiencies in that country’s laws.
As the decision has been released during the transition period, it applies to UK organisations in the same way as to EU organisations. The UK faces wider questions about what this will mean for its future trade negotiations with both the EU and the US. If the EC does not grant the UK adequacy, transfers from the EU to the UK are likely to rely heavily on SCCs.
The UK’s approach to data transfers to the US will, no doubt, influence the EC’s views on UK adequacy. If the UK moves away from the judgment post-transition, for example by implementing its own “Privacy Shield” style arrangement or declaring the US adequate, this may affect how the EU approaches its adequacy decision in respect of the UK.
The judgment will have far-reaching effects for both EU/UK data exporters and their third country importers. SCCs will require far more thought and analysis of third countries' data protection regimes before they can be comfortably relied on. A replacement for Privacy Shield may be proposed, but realistically an alternative is likely to require commitments from the US to change its legal regime, which are unlikely to be forthcoming. It will be difficult for organisations to rely on SCCs as an alternative to Privacy Shield in light of the CJEU's clear view that US law does not provide appropriate protection for personal data.
EU and UK organisations will need to review all of their international data transfers and establish what adequacy mechanisms are currently being relied on. Many organisations may well look to move away from transfers to the US altogether. However, it is not just US transfers that are affected; all international data transfers covered by SCCs will also need to be reviewed to ensure that the laws of the relevant recipient countries provide appropriate levels of protection to continue to rely on SCCs. Many countries may struggle to satisfy this high bar – for example those countries which have previously applied (whether formally or informally) and been turned down for an EC adequacy decision.
Frustrations will also, no doubt, be felt by those who were hoping that the judgment would lead to an update of the SCCs, which have been widely acknowledged for some time as being out of date and unfit for purpose. The more than 5,000 US businesses that invested significant resource in certifying under Privacy Shield will also be reeling, and wondering what their options are going forward.
Guidance from the Information Commissioner's Office in the UK and, more widely, the European Data Protection Board, will be indispensable as organisations start to try to navigate these tricky waters.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.