In a landmark ruling (‘Data Protection Commissioner v Facebook Ireland and Maximilian Schrems’)[1], the CJEU invalidated the Privacy Shield Decision[2], whereby the Commission had determined that the United States ensured an adequate level of protection for personal data transferred from the Union to organisations in the US. Many organisations involved in transborder data transactions will now have to adjust their processing operations accordingly.
This ruling marks the second time that the ECJ has declared a US-related adequacy decision of the Commission invalid. Previously, in 2015, the Court invalidated the predecessor of Privacy Shield, known as ‘Safe Harbor’.[3]
Background
The General Data Protection Regulation (‘GDPR’) imposes additional requirements on companies where personal data is transferred outside the EU/EEA, pursuant to Art. 44 GDPR. The rationale is that the person to whom the data relates (the so-called data subject) should be afforded, in such third countries, a level of protection for his or her data similar to that enjoyed within the EU. In the case of a transfer to the US, these obligations were met where the data was transferred to a company that had self-certified under Privacy Shield, or where a standardised agreement (the so-called Standard Contractual Clauses, or SCCs, under Art. 46(2)(c) GDPR) had been concluded between the exporting and the importing company.
Preliminary Questions
In the case at hand, Facebook Ireland transfers the personal data of data subjects in the EU to Facebook Inc., located in the US, for further processing. It does so on the basis of SCCs as well as Privacy Shield. Austrian national and resident Maximilian Schrems, an affected data subject, challenged this practice before the Irish Data Protection Authority, arguing in essence that neither the SCCs nor Privacy Shield can guarantee an adequate level of protection in light of US surveillance legislation.
The Irish supervisory authority brought the case before the Irish High Court, which in turn referred the issues raised by the claimant, Mr Schrems, to the CJEU for a preliminary ruling.
The Court of Justice invalidating Privacy Shield
The Court ruled the Privacy Shield decision to be invalid. First of all, it clarified that the GDPR applies to all cross-border data transfers, even if the transferred data is to be used for national security and law enforcement purposes. The level of data protection to be attained must be essentially equivalent to that secured within the EU under the GDPR. According to the CJEU, this is not the case with the Privacy Shield decision because, in light of the US legal framework, it allows public authorities general access to personal data. The authorisation to access and use personal data is not sufficiently circumscribed, is not proportionate and is not confined to what is strictly necessary; the level of data protection is therefore not equivalent to that under EU law. Furthermore, contrary to the Commission’s position, the Ombudsperson mechanism does not grant data subjects adequate actionable rights against the US authorities, owing to its lack of independence, and consequently does not meet the minimum safeguards required by EU law.
Validity of SCCs and the Role and Obligations of Supervisory Authorities
The Court made clear that it considers the SCCs to remain valid. However, following the CJEU’s ruling on Privacy Shield, it is to some extent questionable whether the SCCs can still be used for transfers to the US. According to the Court, what matters is the specific legislation of the third country in question. Companies will have to carry out a case-by-case analysis to ensure that, even where SCCs are signed with a party based in a third country, both the contractual clauses agreed between the parties and any access by the public authorities and the legal system of that third country guarantee standards equivalent to those established within the EU by the GDPR.
With regard to the duties of supervisory authorities, the Court stated that, in the absence of a valid Commission adequacy decision, supervisory authorities are obliged to suspend or prohibit a transfer of personal data to a third country where they take the view that the SCCs are not or cannot be complied with in that country and that the protection required under EU law for the transferred data cannot be ensured by other means, provided the data exporter established in the EU has not itself suspended or ended the transfer. The CJEU’s decision therefore encourages a more active role for data protection authorities and signals a more stringent standard: companies cannot simply rely on signing Standard Contractual Clauses (SCCs) as a substitute for the now-invalidated Privacy Shield.
What does this decision mean for companies?
A large number of companies have so far relied on the Privacy Shield framework as providing an adequate level of protection for transferring data to the US. The BBC reported that, according to UCL’s European Institute, around 65% of these companies are small and medium-sized enterprises (SMEs) or start-ups[4]. The decision will affect many corporations that have established contractual relationships with vendors (specifically those requiring transfers of data to the US) and that maintain large databases involving transfers to overseas (such as US) recipients.
The decision demands an extensive effort from companies, which will now have to consider restructuring processing operations that were based on Privacy Shield. In essence, companies will have to review every service they are a party to that involves a data transfer to the US, in order to ensure continued compliance with Article 44 of the GDPR, which could involve entering into agreements such as the SCCs. This article discusses below some data protection measures that companies could implement (varying on a case-by-case basis) to comply with the CJEU’s decision.
Measures that companies will now have to take to be compliant
Can the US still offer an adequate level of protection for the personal data of data subjects? As mentioned above, the CJEU did not invalidate the use of SCCs, which therefore remain a valid means of transferring data to the US. There are a few measures that companies could adopt to ensure compliance with this decision.
Processing operations should be restructured to reduce or eliminate transfers to the US. While doing so, companies should identify the risks associated with their data transfers, for example by assessing the level of protection the recipient country guarantees, rather than simply signing the SCCs. It is important to analyse carefully whether the SCCs are sufficient to ensure that data moving overseas is protected in line with the GDPR, since data protection authorities (DPAs) can suspend such transfers if an adequate level of safeguards is not guaranteed.
A way forward for companies is to review existing transfers that were based solely on Privacy Shield, replace that basis with SCCs for now, and monitor the situation.
Companies could also make use of alternative mechanisms such as Binding Corporate Rules (BCRs), approved in accordance with the consistency mechanism set out in Article 63 of the GDPR, to give effect to their data transfers. However, even for BCRs, although the CJEU made no specific mention of this mechanism in its decision, a case-by-case analysis of each transfer situation is implied. The BCR mechanism cannot, however, cover external vendors; BCRs regulate only intra-group transfers.
Conclusion
Although the CJEU’s decision is aimed at ensuring that the GDPR level of protection is guaranteed when data is transferred to third countries, a fair amount of uncertainty remains for both companies and data protection authorities as to how it should be implemented. For example, how far must companies go to ensure compliance with the decision, and must they review all processing operations that were contractually reliant on Privacy Shield? How much time will companies be given to restructure their processing operations? Likewise, how will data protection authorities align with one another to maintain a uniform approach across the European Union, and will they grant a grace period of non-enforcement so that companies can adjust and take measures to comply with the decision?
The coming months and years will bring significant changes to the way data is processed between the EU and non-EU countries as further developments based on this decision unfold.
[1] Case C-311/18
[2] Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield
[3] Case C-362/14, Maximilian Schrems v Data Protection Commissioner
[4] https://www.bbc.com/news/technology-53418898