What You Need to Know
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in the Schrems II case (case C-311/18). The Schrems II judgment impacts transatlantic personal data transfers under the EU’s General Data Protection Regulation (GDPR) in two key ways:
- The judgment invalidates the EU-U.S. Privacy Shield, a framework that over 5,300 European and American companies have relied upon to transfer EU personal data stateside since 2016.
- The judgment affirms, albeit with compliance caveats, the use of Standard Contractual Clauses (SCCs) as a valid international data transfer mechanism under the GDPR.
While the decision upholds the validity of SCCs, it requires companies seeking to export personal data from the EU to conduct case-by-case analyses to determine whether foreign protections are sufficient to satisfy EU standards. When they do not, companies must provide additional safeguards or refrain from transferring the personal data.
The Schrems II controversy began when data privacy champion Max Schrems asked Facebook Ireland to disclose the grounds on which it had relied to transfer Facebook users’ EU personal data from the EU to the U.S. Facebook Ireland responded that it relied on a data transfer agreement with its U.S.-based parent company, Facebook, Inc. This data transfer agreement incorporated SCCs, along with other terms and conditions governing the processing of Facebook users’ personal data.
Mr. Schrems, dissatisfied with Facebook Ireland’s response, lodged a complaint with Ireland’s Data Protection Commission (DPC). He alleged that SCCs do not protect EU personal data to the same extent as EU data protection law. This allegation stemmed from a fear that since SCCs do not bind public authorities in the country of transfer, and U.S. law does not openly restrict government interference with individual privacy rights, personal data transferred to the U.S. would be subject to unfettered access and use by the U.S. government.
After reviewing Mr. Schrems’ complaint, the DPC brought proceedings before the Irish High Court. The Irish High Court sought a preliminary ruling from the CJEU on several questions the DPC presented. The questions related to the validity of data transfers under both SCCs and the Privacy Shield.
CJEU’s Judgment on Privacy Shield
The CJEU invalidated the EU-U.S. Privacy Shield on three grounds. The first ground was that U.S. law does not sufficiently limit U.S. authorities’ access to and use of transferred personal data in a way that satisfies the GDPR’s proportionality principle. The second ground was that U.S. surveillance activities involving EU personal data are not subject to an access test based on U.S. authorities’ strict need for such data. The third ground was that the Privacy Shield Ombudsperson (the body the U.S. government established to field complaints from EU individuals about U.S. authorities accessing their personal data in connection with surveillance activities) did not guarantee complainants the substantive rights required under EU law.
CJEU’s Judgment on SCCs
The CJEU ruled that while SCCs remain, in principle, a valid mechanism for data transfers, it is no longer sufficient to put SCCs in place and assume that, if they are followed, the parties to the SCCs are safe. Rather, the judgment requires any organization seeking to export personal data out of the EU using SCCs to perform due diligence on both the jurisdiction and the entity to which it seeks to transfer the personal data. The purpose of this due diligence is to determine whether the law of the destination country, together with the measures of the importing organization, guarantees an adequate level of personal data protection under EU law.
If at the conclusion of the exporting organization’s due diligence process there does not appear to be an adequate level of protection for the personal data in question, the CJEU indicated that the exporting organization may supplement the protections afforded under SCCs with additional measures. However, the CJEU did not specify what those measures are.
Schrems II Enforcement is Still a Work in Progress: Stay Tuned
Though the Privacy Shield has been invalidated, the International Trade Administration (ITA) continues to administer the EU-U.S. Privacy Shield Framework. The ITA is also in talks with the European Commission on a new EU-U.S. data transfer framework, though some doubt that these talks will yield an acceptable replacement framework.
As far as SCCs are concerned, questions remain as to the types of acceptable supplemental measures exporting organizations may use when their data transfer due diligence reveals potential protection inadequacies. Perhaps Data Protection Authorities, the local data privacy enforcement bodies in each EU member state, will begin to clarify acceptable forms of supplemental measures for their respective jurisdictions in the weeks to come.