Privacy Shield invalidated by CJEU but Standard Contractual Clauses remain

The Court of Justice of the European Union (CJEU) issued its judgment this week in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II). 

Schrems II began by way of a preliminary reference made by the Irish High Court to the CJEU on foot of a challenge brought by Austrian privacy activist, Max Schrems, to Facebook’s use of Standard Contractual Clauses (SCCs) to transfer personal data from Facebook Ireland to Facebook Inc servers located in the United States. The challenge argued that SCCs do not adequately safeguard individuals’ data protection rights. SCCs are model commercial contractual terms and conditions, adopted by the European Commission, to which EU-based exporters and non-EU based recipients of personal data mutually adhere in relation to personal data transfers out of the European Economic Area. 

The preliminary reference contained eleven detailed questions which included a request for the CJEU to assess the validity of the EU-US Privacy Shield framework (Privacy Shield), an adequacy decision of the Commission. SCCs and adequacy decisions are two permitted mechanisms for transmitting personal data out of the EU to a third country.

Standard Contractual Clauses

The CJEU upheld the validity of SCCs, however, their use and operation will be valid only where the non-EU recipient country has an equivalent level of data protection to that found in the EU. The judgment goes a step further by placing a positive obligation on Data Protection Authorities, such as the Irish Data Protection Commission, to stop transfers under SCCs that do not achieve an adequate level of protection. 

For controllers and processors, the CJEU’s ruling emphasised that SCCs are not an end in themselves and that organisations seeking to rely upon SCCs must assess the risks associated with the proposed transfers of personal data and where necessary take additional measures to ensure compliance with the level of protection found under EU law. Only then can the SCC be utilised as a valid means for transferring personal data. 

EU-US Privacy Shield 

In the same judgment, the CJEU has invalidated the Privacy Shield on the basis that the access and use of personal data of EU citizens by US public authorities, namely surveillance programmes, was not sufficiently limited to that which was strictly necessary and an adequate right to an effective legal remedy, as required by the GDPR and the EU Charter of Fundamental Rights. Therefore, EU companies that have been relying upon the Privacy Shield as a means for transferring data to the United States will now have to look to implement one of the other stated transfer mechanisms under GDPR.

This judgment represents the second time a data transfer regime between the EU and the US has been struck down by the CJEU following the invalidation of the Safe Harbor agreement in 2015. 

Third Country Transfers

For transfers to the US, the concerns which caused the invalidation of the Privacy Shield will need to be considered in the implementation of SCCs also. In response to the CJEU’s judgment, the DPC published a statement noting that in such scenarios, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” 

The CJEU’s criticism of the reach of surveillance measures are also of note for future data transfer arrangements with the United Kingdom following the end of the transition period on 31 December 2020. At present no adequacy decision is in place for the United Kingdom and its national surveillance laws have also been the subject of controversy and judicial challenge on privacy grounds. 

More generally, the ruling has implications for data transfers to all third countries without adequacy decisions. Data transfers on the basis of SCCs will now clearly be subject to greater levels of scrutiny by DPAs, including the power to suspend or prohibit the transfer of personal data to a third country where an adequate level of protection cannot be assured. The European Commission Vice-President Jourová responded to the judgment by stating that work on modernising the SCCs to ensure they are fit for purpose was well underway. 

Next Steps for your Business

* Any transfers to the United States on the basis of Privacy Shield will need to be identified and suspended or replaced with an alternative legal transfer mechanism.

* All transfers on the basis of SCCs to any third country that does not currently have an adequacy decision should be assessed in light of the CJEU’s pronouncements in relation to ensuring adequate levels of protection of personal data. 

*Monitor the DPC for forthcoming position clarifications on transfers to the United States and to third countries more generally under SCCs. 

* Watch out for updates to SCCs and other legal mechanisms for data transfers from the European Commission.

We will continue to keep you updated on the future development of SCCs and adequacy decisions and other updates in data protection and privacy. For further information or advice on how the recent judgment of the CJEU impacts upon your organisation, please contact Seán O’Donnell, Zelda Deasy or Kelly Mackey or any other member of the ByrneWallace Data Protection Team.