Schrems II and its Impact on Data Transfers

23 July 2020

Data_protection

Introduction

For many organisations, the international transfer of data is essential for business operations. The recent decision by the Court of Justice of the European Union (“CJEU”) in the “Schrems II” case (Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems), may now require organisations to re-examine the legal basis for such data transfers. In its judgment, the CJEU invalidated the use of the EU-US “Privacy Shield” and also called into question the use of the European Commission’s Standard Contractual Clauses (“SCCs”) as a mechanism to transfer data to countries outside the EEA.

Background

Maximilian Schrems, a well-known data privacy campaigner, filed his initial complaint against Facebook with the Irish Data Protection Commissioner in 2013. He protested against the surveillance activities undertaken by the US intelligence agencies and claimed that the law and practice in the US did not offer adequate protection for personal data transferred from the European Union.

The case was ultimately referred to the CJEU which, in October 2015, rendered the EU-US Safe Harbour framework invalid. The EU-US Privacy Shield mechanism was introduced in its place shortly thereafter following assurances from the US government that the privacy rights of EU data subjects would be upheld and enforceable in the US and kept under review by an oversight body.

Following the CJEU decision in 2015, numerous organisations continued to use SCCs as a primary legal mechanism for international data transfers, however, the complainant continued to question and object to the validity of SCCs.

As a result, the Irish High Court referred the question regarding the validity of the Privacy Shield and the SCCs as a data transfer mechanism to the CJEU.

Schrems ll Decision

1. Invalidation of Privacy Shield

The previously introduced Privacy Shield was examined by the CJEU in light of the requirements imposed by GDPR and the provisions of the Charter of the Fundamental Rights of the European Union, specifically the right to a private and family life, personal data protection and the right to effective judicial protection.

The Court stated that US laws regulating the use of personal data transferred from the EU by US authorities are not constrained in a way to ensure protections “essentially equivalent” to those required under EU law. In addition, the framework does not grant non-US individuals actionable rights before a body offering guarantees that are essentially equivalent to those required under EU law.

Furthermore, attention was drawn to the excessive US state surveillance powers which unreasonably impact the rights of data subjects and it was decided that the US Ombudsman had insufficient binding authority over the US intelligence services.

Based on the above, the EU-US Privacy Shield was deemed invalid.

2. Impact on SCCs

The Irish Commissioner pointed out that the SCCs potentially allow the recipient to reveal personal data to public authorities, who are not themselves bound by the SCCs, and asked the CJEU to consider if this meant that the SCCs themselves were invalid.

However, the CJEU highlighted the importance of the existing obligations on both data exporter and importer to confirm, on a case-by-case basis, whether the required standard of protection is offered by the third country in question. The importer must confirm with the exporter whether there are any factors preventing compliance with the SCCs.

In other words, the Court held that entering into SCCs is insufficient alone – when considering whether to enter into SCCs, it is the responsibility of the exporter and the importer to assess whether the country to which data is being sent offers adequate protection under EU law. Where the laws of the third country show inadequacy as to the level of protection, controllers must implement additional measures and safeguards to ensure that data protection is essentially equivalent to EU standards.

What does this mean for organisations?

Organisations must now consider if there are any additional steps they need to take in order to ensure that data transfers outside the EEA are adequately protected. This may include:

  • Analysing existing data exports to determine the countries to which data is transferred and the mechanisms used to safeguard that data transfer;
  • Identifying whether technological changes can be made to an organisations system to omit the need for data to be transferred outside the EEA;
  • If an organisation is relying on the Privacy Shield, it must identify an alternative data transfer mechanism to continue personal data transfers to the US, as transfers based on the Privacy Shield are now technically unlawful;
  • Identifying if it is possible to rely on an alternative to the SCCs, such as an EU adequacy decision, a derogation under GDPR or Binding Corporate Rules;
  • Although data transfers outside the EU on the basis of SCCs can continue, organisations relying on SCCs will now be required to undertake a detailed examination of the circumstances surrounding each transfer in order to verify whether the level of protection required by EU law is respected in the third country concerned. This may include developing due diligence processes and carrying out risk assessments whenever a data transfer outside the EEA occurs. In cases where there may be an inadequate level of protection, organisations must consider if additional safeguards can be implemented in order to comply with EU law requirements. Moreover, EU authorities will be required to suspend and/or terminate transfers of data to non-EU states if they consider that the SCCs are not complied with in the third country and that the required level of protection cannot be guaranteed.

The Information Commissioner’s Office and the European Data Protection Board have confirmed that they are considering the judgment and that further clarification will be provided. We will continue to monitor the guidance released in respect of this decision.

If you wish to discuss any aspect of this CJEU judgment and what it means for your organisation, please contact the Commercial Law team at Carson McDowell for further information.

*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.

Back