Data Transfers to the USA – Fall of Privacy Shield – Standard Contractual Clauses Request: Informational Purposes Only
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (the “Irish DPA”) in 2015, challenging Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook had turned to the SCCs after the CJEU invalidated the U.S.-EU Safe Harbor Framework in 2015, following an earlier challenge by the same privacy advocate.
Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. A key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with the privacy rights guaranteed in the EU under the Charter of Fundamental Rights, and that no remedy is available to EU individuals to ensure protection of their personal data after transfer to the U.S. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling. The preliminary questions primarily addressed the validity of the SCCs, but also concerned the EU-U.S. Privacy Shield framework.
With respect to the SCCs, the CJEU judgment mainly followed the CJEU’s Advocate General’s (“AG”) non-binding opinion on the case (published on December 19, 2019). The CJEU stated that the SCCs provide sufficient protection for EU personal data, but underscored the fact that EU organisations relying on them have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU also noted that organisations may implement additional safeguards, over and above those contained in the SCCs, to ensure an “adequate level of protection” for personal data transferred, although it is unclear at this stage what form those additional safeguards would take. The CJEU further noted that non-EU organisations importing data from the EU based on the SCCs must inform data exporters in the EU of any inability to comply with the SCCs. When non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection,” the EU data exporter is required to suspend the transfer of data and/or to terminate the contract. In addition, the judgment highlights the role of supervisory authorities in assessing and, where necessary, suspending and prohibiting transfers of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
Contrary to the approach suggested by the AG in his opinion, the CJEU decided to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In ruling that the Privacy Shield is invalid, the CJEU took the view that “the limitations on the protection of personal data arising from U.S. domestic law on the access and use of the transferred data by U.S. public authorities [are not] limited in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Further, the CJEU found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law. On those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
Logical Next Steps for Organisations Reliant on Privacy Shield
While SCCs remain valid, organisations that currently rely on them will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organisations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
Organisations that currently rely on the EU-U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Organisations may be able to rely on derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), and SCCs or Binding Corporate Rules should also be considered as alternative mechanisms.
Inherent Problems remain – DPO View
I think there is a lot more in the CJEU decision than most are seeing: their comments on Executive Order 12333 (United States intelligence activities) and the Foreign Intelligence Surveillance Act (FISA) Section 702 are repugnant to European law and cannot be overcome. These instruments essentially pave the way to outlaw any US company from processing personal data of EU persons.
(In 2008, Congress passed a set of updates to the Foreign Intelligence Surveillance Act (FISA), including Section 702 which authorised warrantless surveillance of non-U.S. persons reasonably believed to be outside the country.)
I believe this is the most important line in the Judgment: “Furthermore, according to the findings of the referring court, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.”
As long as these issues remain, there is literally no mechanism (now or in the future) which can meet the requirements of EU law, so either EU law needs to change, or US law needs to change. Couple this with the US Cloud Act and it would not even be possible for US companies to process EU data in the EU, because it is still at risk; the only way forward is for US companies to use escrow services for data processing, and that is hugely complex and costly.
Furthermore, under the same principles by which the judgment considered the SCCs with regard to suspension of processing, it is likely that lead Supervisory Authorities would have to make the same considerations for Binding Corporate Rules, because exactly the same risks are presented when using BCRs to transfer to countries like the US and China.
What does this mean in Practice?
European Supervisory Authorities will begin suspending transfers made under the SCCs for the Facebooks and Twitters of this world. The Berlin Data Protection Authority has been the first to issue such an order to Data Controllers based in Berlin.
What are the alternatives for Business?
Binding Corporate Rules (BCRs) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. BCRs are a private arrangement used in large multinationals and, much like the SCCs, offer no more protection against the US Government asking for data than the SCCs do.
Helen Dixon (Irish DPC) confirmed in the IAPP webinar that BCRs share the same issues as SCCs regarding transfers to the US. Outside of this there are limited exceptions/derogations provided for in the GDPR.
Realistically there are no viable options for business at this time, and industry will be looking to lawmakers to bridge the gap, as was seen following the fall of Safe Harbour.
The reality is that there is currently no mechanism for international transfer that will curtail foreign government surveillance (for the purposes of this document, the US government’s surveillance). This is a case of conflict of laws, and no contractual agreement, not even the SCCs, is a solution. We will need to wait and see what the regulators’ approach to this will be.
This should be an immediate cause for concern for companies that use US companies directly, or indirectly through onward processing via sub-processors, relying on a transfer mechanism. It will be the policy of IDPAA to guide companies to put SCCs in place for international transfers outside the EEA, with sufficient review and enquiry into the processing that is contemplated and the rule of law in those countries where the processing is to take place. IDPAA will continue to monitor the DP landscape.
At this time, the SCCs remain a lawful transfer mechanism with the onus on the transferring entity to have concluded an assessment of the necessity, proportionality and security of any transfer.
Any proposed data transfers to processors or sub-processors in the United States should be assessed as to necessity and proportionality. Please also note that this will include the United Kingdom, given the current situation with Brexit, and any other country outside the EEA where the SCCs are the lawful transfer mechanism.
Boards of Management, Directors and Senior Managers should be advised to contact their DPO who will support with any assessment or review prior to any transfer in compliance with current available guidance from EU regulators.
IDPAA recommends these initial steps in response to this ruling:
• Review personal data inventories and processor reviews to identify geographical region of data transfers
• Engage with processors who are US based, where you may have relied on Privacy Shield, and put SCCs in place
• Contact current processors who are EU based but who use sub-processors who are based outside EEA and confirm that they have adequacy measures in place for transfers as required by your Data Processing Agreements.
• Ensure data flow maps for the processing are updated
• Update the corporate risk register to include the ruling and describe any potential business impacts
• Engage with any relevant stakeholders such as managers within the body corporate and any joint controllers that are party to a contract that includes data transfers outside the EEA