Loretta Maxfield: EU organisations face compliance nightmare after Schrems II decision
Standard contractual clauses (SCCs) remain valid but the EU-US Privacy Shield has been struck down, explains Loretta Maxfield.
On Thursday 16th July 2020, the Court of Justice of the European Union (CJEU) made a landmark decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (the “Schrems II” case): while it upheld the use of Standard Contractual Clauses (SCCs), it invalidated the EU-US Privacy Shield.
In 2000 the European Commission established a mechanism for the transfer of personal data from the EU to the US known as “Safe Harbour”. Thirteen years after that mechanism had been established, Max Schrems, an Austrian lawyer and privacy advocate, made a complaint to the Irish Data Protection Commissioner regarding data transfers by Facebook Ireland to the US under Safe Harbour. At the time, organisations which complied with the Safe Harbour Privacy Principles were permitted to transfer data from the EU to the US. However, as a result of Schrems’ complaint, in 2015 the CJEU invalidated Safe Harbour, finding that the mechanism did not adequately protect the personal data of EU citizens (Schrems I, case C-362/14). Following Safe Harbour’s abrupt ending, the US Department of Commerce and the European Commission worked quickly to create a new mechanism which would again allow the transfer of personal data from the EU to the US. The EU-US Privacy Shield became operational in 2016 and had been a well-known and widely used mechanism for transatlantic data transfer ever since.
In the current case (Schrems II, case C-311/18), the CJEU looked at the validity of both the EU-US Privacy Shield and the SCCs, another data transfer mechanism approved by the European Commission to ensure that the personal data of EU citizens is protected when transferred outside of the EU. Surprisingly, the CJEU upheld the use of Standard Contractual Clauses, but invalidated the EU-US Privacy Shield.
Why was the EU-US Privacy Shield invalidated?
Under the General Data Protection Regulation (GDPR), often described as the ‘toughest privacy and security law in the world’, personal data can only be transferred outside the European Economic Area (EEA) if adequate protection is ensured, whether because the destination country has been found to offer an adequate level of protection or because appropriate safeguards such as SCCs are in place. The EU-US Privacy Shield was invalidated because the Court found that it did not offer adequate protection to the personal data of EU citizens. The Court stated on the matter that “the access and use by US public authorities of such data transferred…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law”.
The Court was concerned that surveillance of personal data by US public authorities is not limited to what is strictly necessary. It also found that the Privacy Shield does not provide data subjects with any cause of action before a body offering guarantees substantially equivalent to those required by EU law.
Why do the Standard Contractual Clauses remain valid?
Much to the relief of all the organisations that currently use them as a way to share personal data outside of the EEA (including with the US), the CJEU yesterday upheld the validity of the SCCs. However, although their validity has been upheld, the Court examined GDPR’s requirement that appropriate safeguards are in place for international data transfers and concluded that while the SCCs met part of this requirement, it is also necessary for the data controller to assess the practical ability of the recipient to comply with the SCCs against the backdrop of the recipient’s legal system.
In practice, this means that prior to signing up to agreements that involve the international sharing of personal data, not just with the US but with any other country outside of the EEA, simply incorporating the SCCs into the agreement will not be sufficient. Data controllers ought to be assessing whether the recipient can realistically comply with the SCCs, and thus provide adequate protection in the relevant jurisdiction, taking into account the recipient’s legal system. If adequate protection cannot be met under the SCCs alone, organisations must either put additional safeguards in place or suspend the transfers.
It is currently unclear how data controllers ought to realistically assess whether the recipient’s legal system supports the recipient’s compliance with the SCCs, other than by seeking a legal opinion from a suitably qualified practitioner in the relevant jurisdiction, which will add not only cost to the project but also possible delays. It could also result in situations where significant time is spent assessing adequacy only to find the protection inadequate, so that other routes to transfer must be explored. One way to help manage this would be to create a ‘black list’ of countries whose legal systems have been reviewed by, for example, the European Commission and found not to provide adequate protection, allowing data controllers to identify easily those recipient countries where reliance on the SCCs would not support international data transfers. Arguably the US would already belong on such a list, given that the Privacy Shield was invalidated because the US was considered not to provide adequate protection in practice.
The Court went on to state that if the data controller does not suspend or cease transferring data where this requirement has not been met, the supervisory authority (the Information Commissioner’s Office in the UK) should step in and suspend or prohibit such transfers. This raises the question of how the ICO will have knowledge of all of these transfers, or the resources to confirm in a timely manner whether the checks undertaken by data controllers are adequate, in order to step in. It would seem that this would be difficult to manage on a practical level.
Schrems II is a landmark case and will have significant implications not just for EU–US transfers but for transfers to other countries outside of the EEA. No doubt many organisations will be concerned about the validity of their data transfers in light of yesterday’s judgement, with particular concern over any data transfers to the US.
The case raises questions about how organisations should support international data transfers in a practical and cost-effective manner. Also, while early indications are that there may well be a replacement for the Privacy Shield, what will that look like and when will it be in place? In the meantime, how should organisations approach any current data transfers to the US or elsewhere outside of the EEA? Do they remain valid? Will contractual provisions need to be amended for each transfer that relied on the Privacy Shield, moving it over to another basis that provides adequate protection? Will we see mass contract variations suddenly being issued overnight, akin to the run-up to GDPR when organisations issued data processing addenda to support Art 28 of GDPR? Likewise, in relation to SCCs, how can organisations that operate in a fast-paced environment realistically assess the legal systems of recipient countries to identify whether that law provides adequate protection by supporting compliance with the SCCs?
Over the coming months, there will hopefully be answers to these questions. In the meantime, the UK’s Information Commissioner’s Office (ICO) has recommended that organisations currently using the EU-US Privacy Shield continue to do so until further guidance is issued. However, the ICO also states that organisations should not start using the mechanism going forward.
We would recommend that in the meantime, prior to any further guidance being issued by the ICO, arrangements which rely on the EU-US Privacy Shield or SCCs should be identified. This is a significant task, and hopefully the organisation’s Record of Processing Activities will assist in this regard. Once identified, organisations must consider alternatives to relying on the Privacy Shield. Likewise, if relying on SCCs, some thought should be given as to whether they alone will continue to provide adequate protection and how the organisation can evidence, for accountability purposes, that it has undertaken appropriate consideration of the recipient’s legal system. Once solutions have been identified, consideration will need to be given as to how to execute them on a practical level.
Loretta Maxfield is a GDPR and intellectual property law specialist at Thorntons