Schrems II: The Saga Continues
On July 16, 2020 the Court of Justice of the European Union (the “CJEU”) released the latest judgment in the Schrems saga, which will have a major impact on the state of affairs for transfers of personal data out of the EU. This so-called ‘Schrems II’ decision invalidates the EU-US Data Protection Shield (the “Privacy Shield”), which was put in place after the ‘Schrems I’ decision invalidated the prior ‘Safe Harbor’ framework in 2015. Further, while the ‘Schrems II’ decision upholds the technical validity of the standard contractual clauses, it creates a new legal diligence burden on organizations relying on them and introduces practical uncertainty, risk and complications in connection with their use.
Under EU law, an organization may only transfer “personal data” about an individual to a non-EU country for processing if the destination country “ensures an adequate level of protection”. The European Commission has the authority to make a determination of whether the protections afforded to personal data in a given third country are or are not ‘adequate’ in this regard.
In some cases ‘adequacy’ decisions apply broadly. In the case of Canada, for example, the European Commission concluded that Canada’s PIPEDA is sufficiently similar to European laws that it is inherently adequate. But the US has a very different legal regime in this regard. As a result, the European Commission has taken a more case-specific approach, considering incremental measures that can be applied by the exporting and importing organizations.
The European Commission had previously recognized three bases for lawful transfer of EU personal data to the US:
- a voluntary arrangement, originally known as ‘Safe Harbor’, by which U.S. organizations self-certify compliance with certain privacy principles;
- standardized contractual commitments between the data controller and data processor, based on approved model clauses; and
- similar commitments adopted in binding non-contractual rules applicable within a corporate group.
In the wake of the 2013 Snowden revelations about US data surveillance programs, Austrian law student Max Schrems brought a complaint against Facebook in Ireland, arguing that Facebook’s transfer of his personal data to the US was unlawful under both Irish and EU law. This case was eventually referred to the CJEU, which struck down the Safe Harbor regime in what is now called the ‘Schrems I’ decision.
Following ‘Schrems I’, Facebook purported to rely on contractual commitments as the basis for its transfer of personal data to the US. Mr. Schrems renewed and reformulated his original complaint, alleging both that Facebook’s specific contracts did not meet the obligations of EU law and that, in any case, the contracts could not provide adequate protection where national laws of the third country would override them. The Irish Data Protection Commissioner published a “draft decision” and obtained an order from the Irish High Court for a second reference to the CJEU. This ‘Schrems II’ decision is the CJEU’s judgment on the reference questions arising from that reformulated complaint.
CJEU’S SCHREMS II DECISION
The main practical results of the ‘Schrems II’ decision are (i) the invalidation of the Privacy Shield, and (ii) the uncertainty, risk and complications introduced into the use of the standard contractual clauses.
Invalidation of the Privacy Shield
The CJEU examined the Privacy Shield in light of the requirements of the GDPR and the provisions of the Charter of Fundamental Rights of the European Union that guarantee respect for private and family life, personal data protection and the right to effective judicial protection. These requirements were considered against the backdrop of the limitations imposed by US law that allows access to personal data by US public authorities, including Section 702 of FISA and Executive Order 12333. Based on this analysis, the CJEU concluded that:
- the limitations on the protection of personal data arising from US law that allows US public authorities to access and use personal data are not circumscribed by the Privacy Shield in a way that satisfies EU law; and
- the Privacy Shield does not provide individuals with a sufficient level of judicial redress to satisfy EU law.
In sum, effective immediately, the Privacy Shield no longer provides a valid legal basis for the transfer of EU personal data to the US, suffering the same fate as the Safe Harbor framework five years earlier. Organizations relying solely on the Privacy Shield for such transfers must therefore take urgent action or face potentially significant liability.
Impact on Standard Contractual Clauses
With respect to the standard contractual clauses, the central question before the CJEU was whether it is possible that such clauses could provide an adequate level of protection over personal data transferred outside of the EU, given that those standard contractual clauses cannot bind public authorities of the third country (i.e. the clauses only bind the controller and processor that are parties to the agreement).
Ultimately, the CJEU confirmed the theoretical validity of the standard contractual clauses as a mechanism for the transfer of personal data outside of the EU. However, this validation came with a rather large caveat: the court stressed that entering into the standard contractual clauses is not sufficient in and of itself. The controller or processor must also, on a case-by-case basis, verify that the laws of the destination country ensure adequate protection under EU law of any personal data transferred pursuant to the standard contractual clauses. Where the laws of the destination country do not ensure adequate protection, controllers must implement supplementary measures and additional safeguards to attain the required level of protection, or else cease the transfer.
Furthermore, the CJEU expressly concluded that EU supervisory authorities are required to suspend or prohibit transfers to third countries pursuant to standard contractual clauses if they are of the view that the clauses are not or cannot be complied with in the third country in a way that ensures the required level of protection. Based on the court’s findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US.
The practical impact of this aspect of ‘Schrems II’ is likely to be quite significant, given that the most popular method for transfers out of the EU is the use of standard contractual clauses. The decision creates a new diligence burden on organizations seeking to rely on them and a significant risk that such transfers may be challenged. The resulting uncertainty, risk and complexity further highlight the advantages of transfers made under adequacy decisions, such as the adequacy status currently enjoyed by Canada’s PIPEDA.
For more information regarding this development or its impact on your business or organization, please contact the authors and see our Cybersecurity, Privacy & Data Management group page.