On 16 July, the Court of Justice of the European Union (CJEU) ruled that the mechanism that allowed the transfer of personal data of European Union citizens to the United States was no longer legitimate under European data protection laws. The mechanism is known as the Privacy Shield. In 2016 it replaced the Safe Harbor Principles which were themselves invalidated on similar grounds. The Privacy Shield has been ruled as being incapable of protecting personal data exported from the EU to the US because of the possibility of exposure to intrusive and potentially unlimited surveillance on law enforcement and national security grounds.
What is the Privacy Shield?
The Privacy Shield has been a mechanism whereby US entities that fulfil a self-certification process could be found to be “adequate” and named on a register kept by the International Trade Administration (ITA) under the US Department of Commerce. Being signed up to the Privacy Shield meant that some 5200 US adherents could import and process personal data from EU entities.
Max Schrems, an Austrian national, is the privacy activist who brought the case (Data Protection Commissioner-v-Facebook Ireland and Maximillian Schrems – Case C-311/18), now generally known as “Schrems II”. He initially complained to Facebook claiming that it was not entitled to use contracts containing Standard Contractual Clauses (SCCs) to transfer data from Ireland to the US. SCCs are the usual mechanism in which separate entities in each jurisdiction agree formal data protection provisions in a binding contract with wording that cannot significantly be varied. The case came to the Irish High Court and involved a general challenge to SCCs as a valid data transfer method as well as to the validity of the Privacy Shield. These questions were referred to the CJEU. The judgment applied the principle that EU standards of data protection must travel with the personal data when it is exported to other jurisdictions.
What is the detail of the CJEU’s findings in Schrems II?
- The CJEU ruled that the Privacy Shield is illegal since it does not give EU residents actionable rights equivalent to those they have in the EU before a body that can guarantee to protect their personal data (this was much the same finding made in “Schrems I” in 2015 in connection with Safe Harbor). Personal data of EU residents may be processed freely by US government authorities for public, defence and state security reasons but US law does not ensure an equivalent level of protection.
- However, the CJEU also found that the 1987 Decision that implemented SCCs was valid. SCCs are therefore permissible as a mechanism for transferring personal data anywhere outside the EU. Such validity is however based only on contract law. There is a secondary obligation on exporters and importers of personal data to verify if the level of protection of personal data in the country of the importer is acceptable and that there are no circumstances in the importer’s jurisdiction that would impinge on the protective efficacy of the SCCs. It is also the case that importers must inform exporters on an active basis if they have any inability to comply with the SCCs. If there is a difficulty in this regard, the data transfer must be suspended and the contract terminated if necessary. Accordingly, the ensure that the data export is legitimate, an impact assessment taking all these factors into account must be made.
What have been the reactions to Schrems II?
The case will no doubt have a negative effect on data transfers, whether B2B, domestic or in relation to health data, to third countries especially the US. Regulators will be looking for ways to mitigate the impact of Schrems II.
- The European Data Protection Board (EDPB) has welcomed the ruling as it underlines the fundamental right to privacy in the transfer of personal data to all third countries. It has adopted a document in the form of answers to anticipated questions which are well worth reading.
- The UK regulatory authority, the Information Commissioner’s Office (ICO), more pragmatically has said that entities using the Privacy Shield to transfer personal data to the US should continue to do so until further guidance is available. SCCs may still be used, but the ICO has followed the findings in Schrems II by stating that companies transferring data on SCCs should conduct a risk assessment as to whether they provide enough protection in the context in which they are used. These assessments will take account of contractual validity and the possibility of the SCC contract being overridden by draconian surveillance laws (as with the US).
- The US Department of Commerce has reminded Privacy Shield participants that the ruling does not relieve them of their contractual obligations to EU data exporters. They must keep their Privacy Shield certification in force or withdraw from the Privacy Shield entirely.
- Facebook has confirmed that the Irish Data Protection Commissioner has made an order against it preventing it from transferring the personal data of EU users to the US.
What action should data exporters now take?
If you are an exporter of data to a country outside the EU, you should be taking the following steps:
- Check guidelines issued by the ICO relevant to data transfer overseas to understand the latest position. Get in touch with the ICO, or with ourselves, if you have any questions.
- Now is good time to review all data transfers you make, whether out of the EU to third countries, or, in anticipation of the imminent ending of the post-Brexit transition period, from the UK to EU member states and ensure that they are legitimate.
- SCCs and the Privacy Shield are not the only mechanisms that may legitimate personal data exports. You should review if any of the alternatives such as Binding Corporate Rules (BCRs), general adequacy findings pertaining to certain third countries or explicit consent of all relevant data subjects.
- If you export data to any Privacy Shield adherents in the US, you should terminate and replace the arrangement with a contract with the importer based on SCCs. You should only implement the contract after you have carried out a data protection impact assessment that takes into account the ability of the importer to comply fully with the contract in the context of the data protection laws of the country in which the importer is based.