The ECJ’s Judgment in Schrems II and the future of international data transfers
On 16 July 2020, the EU Court of Justice (ECJ) delivered a long-awaited judgment annulling the EU-US Privacy Shield and confirming the validity of SCCs in the context of international data transfers under EU law. There is no transitional period. Consequently, personal data of EU citizens can no longer be lawfully transferred to the USA in reliance on the EU-US Privacy Shield.
The case stemmed from the ECJ’s decision in a previous proceeding brought by Max Schrems (so-called “Schrems I”), which led to the invalidation of the Safe Harbor transfer mechanism between the EU and the United States. Safe Harbor was then replaced by the Privacy Shield, which allowed undertakings to self-certify their adherence to the principles set out in that decision in order to transfer personal data to the United States without further formalities.
Mr. Schrems had lodged a complaint with the Irish Data Protection Commissioner (“DPC”) concerning the transfer of his personal data by Facebook Ireland to its parent company in the US. The DPC initiated proceedings and took the view that the complaint was conditional on the validity of Commission Decision 2010/87 (“SCC Decision”) which establishes so-called Standard Contractual Clauses (SCCs) for transferring personal data to a third country.
SCCs are the most widely used mechanism for data transfers to third countries, from which the EU derives a yearly €912 billion in exports of services. In particular, SCCs are incorporated into contracts between data exporters (EU-based data controllers) and data importers (third-country data controllers or processors) and serve as the legal basis for transfers to a multitude of third countries that are not covered by a Commission adequacy decision.
Schrems’ complaint concerned the adequacy of the level of protection guaranteed by the United States with regard to the interference by US intelligence authorities with the fundamental rights of the individuals whose data are transferred to the US, an issue that has become particularly critical following Edward Snowden’s revelations.
The Irish Proceedings
In the national proceedings, the High Court of Ireland concluded that the US does engage in mass, indiscriminate processing of EU personal data and that its laws do not respect the essence of the right to an effective remedy (Article 47 of the EU Charter). The Irish High Court therefore referred eleven questions to the ECJ for a preliminary ruling on different aspects of international data transfers and the SCC Decision.
The AG’s Opinion
In his Opinion of December 2019, Advocate General Øe had held that the SCC Decision was valid, as SCCs provide sufficient protection for EU personal data. The AG had, however, also raised the point that organizations relying on SCCs may have to take a proactive role in their evaluation. Accordingly, data exporters would have to undertake additional compliance measures, i.e. assess whether the data importer will be able to comply in practice with all requirements provided in the SCCs. A data exporter cannot merely enter into SCCs without making a specific assessment.
AG Øe also indirectly raised concerns regarding the EU-US Privacy Shield, although it was not the principal object of this proceeding; its validity was the subject of another case pending before the EU General Court, stayed until the resolution of Schrems II.
The ECJ’s Judgment
Essential equivalence test
The Court reiterates that transfers of personal data to third countries under the SCC mechanism must ensure a level of protection essentially equivalent to that guaranteed by the GDPR within the European Union, read in light of the EU Charter. In particular, the “essential equivalence” assessment must take into consideration both the contractual clauses agreed between the EU data exporter and the data importer concerned and the possibility of access by third-country public authorities, as well as any other relevant aspects of that country’s legal system.
With regard to the supervisory authorities’ obligations – the heart of Mr. Schrems’ request – the ECJ rules that, insofar as the third country is not the recipient of an adequacy decision by the Commission, supervisory authorities have the power to suspend or prohibit transfers to that third country if they find, taking into consideration all the circumstances of the transfer, that the SCCs cannot be complied with in that country and that protection cannot be ensured by other means.
The Court rejected several objections that the GDPR did not apply to the case under Art. 2 GDPR (paras. 82-85), and also found that Art. 4(2) TEU, which places national security within the sole responsibility of the Member States, could not affect the applicability of the GDPR (para. 81). The Court did not distinguish between the “processing consisting in the transfer itself” and any subsequent processing in the third country; it stated that the possibility of such subsequent processing did not matter, since it is expressly mentioned in Art. 45 GDPR (para. 87).
The Court supported the AG’s view that the “essential equivalence” standard under Art. 45 GDPR also applies to SCCs under Art. 46 (para. 96). It confirmed that this standard must be assessed in the light of the EU Charter of Fundamental Rights (the “Charter”) (para. 99), and not against Member State law (para. 100).
Regarding DPAs, the Court stated that their duty under Art. 46 is to suspend or prohibit data transfers if the SCCs are not complied with or if protection of the data cannot be fully ensured (para. 113). This will put pressure on the DPAs to suspend data flows under the SCCs, if need be.
Standard Contractual Clauses (SCC)
The Court does not call into question the validity of the SCC Decision, as it finds that the Decision establishes effective mechanisms to ensure compliance in practice, together with the possibility of suspending or prohibiting transfers when the SCCs are violated or cannot be complied with. SCCs are, in fact, intended to provide contractual guarantees that apply uniformly in all third countries to EU controllers and processors.
Moreover, the ECJ highlights that the data exporter and the data importer have an obligation to verify on a case-by-case basis, prior to any transfer, whether the required level of protection is ensured in the third country in question and to provide, where necessary, additional safeguards beyond those of the SCCs. Where compliance with a domestic obligation of the third country goes beyond what is necessary for the legitimate national purposes it serves, it must be treated as a breach of the SCCs.
The data importer must inform the exporter of any inability to comply with the SCCs’ commitments, which triggers a consequent duty on the exporter to suspend or prohibit the transfer and/or terminate the contract in the event that the level of protection falls below the legal threshold.
The ECJ annuls the Privacy Shield Decision on the following grounds:
- Requirements of US national security, public interest and law enforcement. While, under US law, they prevail over the Commission’s decision, the ECJ finds that such interferences with EU data subjects’ fundamental rights are not limited to what is strictly necessary. In particular, the Decision does not set any limitations on the powers and implementation of US surveillance programs, nor does it provide guarantees for non-US individuals who may be targeted by those programs. Therefore, the US legal system does not provide a level of protection essentially equivalent to that established in the EU and does not respect the principles of proportionality and necessity.
- Judicial protection. The Ombudsperson mechanism established by the Privacy Shield decision does not provide a cause of action before a body affording substantially equivalent guarantees for EU data subjects. In particular, there are no rules ensuring the independence of the Ombudsperson, nor empowering him or her to adopt binding decisions toward US intelligence services.
Next steps for businesses
This ruling marks another landmark judgment in the EU data protection framework, reconfirming the EU’s primary protection of the fundamental right to data protection. Despite the Privacy Shield’s annulment, the judgment has preserved intact the validity of the contract-based (SCC) mechanism, preventing an otherwise explosive global shock.
This judgment sets the parameters for the regulation of international data transfers under EU law for the years to come. More concretely, it lays out a standard of protection in line with the GDPR, outlines strong powers for the DPAs to police violations, and increases the burdens on both the data controllers that transfer data and the parties in third countries that receive it. All of the above fits squarely with the Court’s approach in its recent data protection case law.
From the outset, if your organization is currently relying on the Privacy Shield to legitimize the transfer of personal data from the EU to the United States, you must find another transfer mechanism as a priority. The following aspects should be considered carefully:
- EU organizations/businesses relying on SCCs for their international data transfers will therefore be able to continue their business without the feared groundbreaking consequences. Nevertheless, we recommend initiating careful reviews of existing contracts that include SCCs, and of decisions regarding new transfers, in order to assess compliance in practice, as the mere signing of SCCs is in itself insufficient to ensure compliance.
- EU organizations/businesses should undertake a due diligence exercise to identify all current data flows that rely on the Privacy Shield (including, but not limited to, supplier and service agreements). Such assessments should become part of regular due diligence for controllers and processors dealing with international transfers and should continue to be carefully monitored as circumstances evolve over time.
- To continue transferring data to the US under the SCC framework, it will be necessary, at the very least, to perform risk assessments on the relevant transfers and on the company’s specific situation. If considerable risks emerge, additional safeguards will have to be examined and adopted. Such additional measures may take the form of technical safeguards (e.g. encryption or tokenization) and policy-related solutions, such as enquiries into the importer’s policy and transparency standards and practices, as well as decisions on how the company will act in relation to requests by the authorities.
- Design a strategy, most likely considering the use of SCCs or another transfer mechanism providing deep assurance, and possibly change-management clauses.
- Verify that the importer is not prevented under local law from complying with the SCCs. Exporters may consider requesting additional warranties and assurances or undertaking a further level of due diligence on the data importer.
Despite all of the above, there is considerable uncertainty in these early days about what level of change will be expected for transatlantic data transfers. The judgment sends mixed signals about how quickly businesses must change their data flows.
One immediate possibility for EU businesses could be data localization: companies deciding to store in the EU all personal data originating there, given the foreseeable lack of a lawful basis for export. This would be a stricter version of data localization than some jurisdictions require. However, storing all personal data in Europe could be highly expensive and have significant technical implications. It remains hard to foresee how multinational businesses could carry out their activities if data entering the EU cannot leave it.
What to expect
Going forward, institutional updates and guidance are expected. On the one hand, the EU Commission has been revising the existing SCCs and will likely speed up the process of publishing modernized SCCs (as well as the as-yet-unseen processor-to-processor SCCs). On the other hand, national Data Protection Authorities have also issued statements in the aftermath of Schrems II and may provide further instructions for controllers residing in their respective jurisdictions. Particular attention should be given to the risk of national DPAs issuing differing and even contradictory guidance. Accordingly, uniform intervention and guidance from the EDPB is highly welcome and expected.
Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection and privacy related matter.