On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems II case. In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the European Union (EU) are valid. However, the Court invalidated the EU-U.S. Privacy Shield framework.
The current judgment has its roots in 2013, when Maximillian Schrems originally brought a complaint before the Irish Data Protection Commissioner (DPC) claiming that personal data transfers under the EU-US Safe Harbor were unsafe. That led to the invalidation of Safe Harbor and a few months later Privacy Shield was born.
Many companies continued to use, or switched to, the SCCs approved by European Commission Decision. Hence, SCCs were a legal basis for cross-border data transfers. However, Schrems’ ongoing complaint led the Irish Data Protection Commission to question the validity of SCCs.
In May 2018, the Irish High Court referred several questions regarding the validity of SCCs and Privacy Shield to the CJEU, focusing on whether data transfers under SCCs and Privacy Shield violated the EU Charter of Fundamental Rights (Charter).
On December 19, 2019, the CJEU’s Advocate General (AG) issued a (non-binding) formal Opinion advising the CJEU to rule that SCCs as they stand are valid but need to work in practice in order to result in “essential equivalence” with EU law. With regard to Privacy Shield, the AG voiced certain doubts regarding the adequate level of data protection provided in the US, particularly considering the activities in question by law enforcement and intelligence agencies.
The CJEU highlighted the responsibility of the data exporter and the data importer to verify, prior to a transfer, whether the required level of protection is achieved in the third country concerned. The data importer must inform the data exporter of any hindering factor that would prevent it from complying with the clauses. If there is such a hindering factor, the data exporter is obliged to suspend the transfer and/or terminate the contract with the data importer. Where a transfer is suspended or terminated, a supervisory authority is required to mediate.
The CJEU then examined the validity of Privacy Shield in light of the requirements set forth in the General Data Protection Regulation (GDPR). The Court determined that the domestic United States (US) laws regulating access to and use by US authorities of personal data imported from the EU into the US are not circumscribed in a way that provides protections “essentially equivalent” to those required under EU law. In this regard, the CJEU pointed to the absence of limits on the powers conferred for implementing certain US government surveillance programs, and to the lack of sufficient guarantees for non-US persons who might potentially be targeted.
In practice, the shortcoming observed by the CJEU translates into a lack of actionable data subject rights before the courts against US authorities. In this respect, the CJEU also held that the Ombudsperson mechanism contemplated by Privacy Shield does not actually provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required under EU law, in particular guarantees of the Ombudsperson’s independence and rules empowering the Ombudsperson to adopt decisions binding on US intelligence services.
With regard to businesses in the US, companies should take significant steps to confirm that data transfers under their responsibility comply with the GDPR and the judgment of the CJEU. In particular:
Switch from Privacy Shield to alternative safeguards: Where Privacy Shield was used to authorize a transfer, companies should take steps to ensure coverage under another safeguard, for example SCCs.
Verify the level of protection of international data flows: Once the relevant personal data flows are identified, companies should evaluate the safeguards they apply to those transfers, including an analysis of the local laws in the non-EU country; for example, data transfers to the US are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Assist EU customers: Providers with data processing operations in the US have an obligation to consider how best to assist their European customers in verifying the level of protection for their data.
Monitor developments on updated SCCs: It is also advisable to follow work on updated SCCs, given that the Court concluded that the SCCs issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid.
If your company is interested in learning more about how this ruling affects its data transfers to the EU, contact Curated Privacy LLC.