For latest guidance and information on the Schrems II decision, visit the TrustArc Privacy Shield Ruling Resources page.
On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-U.S. Privacy Shield is to be invalidated. In turn, the Court ruled that the system of Standard Contractual Clauses (SCCs) which allows for data transfers from the EU to third countries, is valid. While the Court ruled that existing SCCs remain valid, supervisory authorities and data controllers must now assess the situation in the destination country on a transfer-by-transfer basis. TrustArc’s team of experts actively monitor global privacy developments and have provided the top ten frequently asked questions about the Schrems II decision to help organizations understand the impact of this judgement.
What do I need to do about my current Privacy Shield self-certification?
The U.S. Department of Commerce (DOC) has stated that it will continue to operate Privacy Shield and it expects participants to continue to uphold their Privacy Shield obligations. The U.S. DOC, European Commission, and European Data Protection Board all have indicated that they intend to create a successor to Privacy Shield. Remaining in Privacy Shield may simplify your transition to a successor arrangement between the EU and the U.S. At this time, you are required to continue to uphold your Privacy Shield protections for data you have collected pursuant to Privacy Shield. You do need to ensure an alternative mechanism to transfer personal data from the EU to the U.S., since Privacy Shield can no longer be used to do so.
Are prior data transfers under EU-US Privacy Shield affected?
All prior data transfers remain subject to the obligations of Privacy Shield.
Will there be a grace period?
EDPB has released guidance stating that there will be no grace period. Given that the Privacy Shield has been invalidated by the Court, companies that used the Shield so far for EU-U.S. data transfers will need to find an alternative legal basis for the transfer without undue delay.
Will there be a replacement for Privacy Shield?
We expect a replacement for Privacy Shield to be negotiated between the EU Commission, the EU Member States and the U.S. Government. At this time, no details on timeline or scope are available. Based on the CJEU decision, if changes are not made to U.S. law, it is possible that a replacement arrangement may have a more limited scope to organizations that are not subject to national security surveillance program requests.
The Department of Commerce has stated that it will continue to operate the Privacy Shield. Is there a benefit of continued participation?
The U.S. DoC, European Commission, and European Data Protection Board all have indicated that they intend to create a successor to Privacy Shield. Remaining in Privacy Shield may simplify your transition to a successor arrangement between the EU and the U.S. At this time, you also are required to continue to uphold your Privacy Shield protections for data you have collected pursuant to Privacy Shield. Remaining in Privacy Shield will simplify these processes for your organization and, depending upon how you have structured your privacy program, may also help your organization comply with other international data transfer commitments, such as those you would need to make if you are able to enter into SCCs for data transfers you receive.
What have the European regulators and authorities said about the decision and Privacy Shield?
Various authorities have provided guidance or statements on the decision including specifics regarding data transfers under Privacy Shield. Visit our website’s Resources page to read the latest regulator guidance. On 24 July, the EDPB released a first version of a FAQ document, providing initial answers on the Schrems-II fallout.
Can I transfer personal data from the EU to the U.S. under SCCs?
As long as the data are not subject to collection and/or access by U.S. authorities for national security purposes, SCCs can be used on a case-by-case basis subject to assessment of whether the U.S. data importer can meet its SCC obligations for the specific data processing. This means the burden of proof on both the data exporter and the data importer in the third country, has increased, to verify they can meet all the requirements of the SCCs. The data importer will also need to confirm that they will fully respect all the core principles under GDPR. It also means that the data importer and exporter will need to assess the legislation of the third country to see if for example they are subject to surveillance laws which may cause an interference of the supplemental rights. If that is the case, then the transfer cannot take place based on SCCs. This is similarly applied to Binding Corporate Rules (BCRs).
In their FAQ document, the EDPB has indicated it will provide further guidance on the legal, technical and organisational measures that could be taken to supplement SCCs to ensure a continued legal data transfer.
What assessment criteria should I consider for whether the data importer can meet its obligations under the SCCs?
- Is the data importer a provider of services that facilitate communications or electronic interactions between individuals, e.g., an Internet Service Provider or electronic communication services provider?
- Has the data importer ever been subject to a data access request for national security purposes?
- Has the data importer ever been subject to a data retention request for national security purposes? If the answer is “yes” to any of these, and the data importer is not in a country recognized by the EU as providing “adequate protection,” then SCCs are unlikely to be a valid transfer option in the absence of express authorization from the DPA in the originating country. If, “no,” proceed with a third party risk assessment to evaluate effectiveness of the importer’s controls.
Are the other transfer methods still valid for transferring data?
All data transfer mechanisms included in the GDPR have remained valid. The CJEU has invalidated one of the adequacy decisions (for the Privacy Shield) and has set stricter assessment criteria for the use of the other transfer mechanisms.
If my U.S. business shifts server or data location to the EU do I still have a need for a data transfer mechanism?
That depends on how the data is being processed within the company. As long as the data is stored on servers in the EEA and only accessed from within the EEA, no data transfer mechanisms will be needed. However, as soon as access to the data is made from outside the EEA countries, a data processing operation is taking place (according to the definition of Article 4(2) GDPR), which would also constitute a data transfer, thus requiring the use of a transfer mechanism. In addition, if the company is subject to U.S. surveillance legislation, including but not limited to Section 702 FISA and E.O. 12333, using an EU server is not a guaranteed protection. Both have a broad scope, that allow the U.S. intelligence and security services to also collect data outside the U.S. territory.
Need guidance with next steps? Learn about the International Data Transfer Risk Package.
Privacy is like driving a car – lots of rules which change across borders and you need to look both ways before crossing the street. In both the US and EU, the Schrems-II decision on 16 July is a major development in data protection navigation. But we are just at the beginning of understanding all the consequences of the verdict of the EU Court of Justice. Don’t worry – also in the coming weeks, we’ve got you covered. #SeriousPrivacy will keep you posted on important developments and views.
In this episode, Paul Breitbarth and K Royal speak with Professor Dan Solove with the George Washington University Law School, a renowned educator in both privacy and data security legislation, an internationally-known expert and a prolific writer of books and articles on these topics. He certainly has an opinion of what happens next in transatlantic data relations and intra-US with the California Privacy Rights Act (CPRA).
Listen in as we discuss the implications of Schrems-II, the CPRA, privacy legislation and enforcement, and developments in this space. For example, the CPRA now faces opposition from a coalition led by the American Civil Liberties Union (ACLU) of California. In addition, we discuss Prof. Solove’s views over the past few decades of the advance of the privacy field and what he hopes to see in the coming years. Listen to this week’s episode on our website or stream the episode below.
Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the core issues discussed by the Court.
The EU law carve-out for national security legislation
The Schrems cases both have their origin in the revelations Edward Snowden made in 2013 on the existence of large-scale government surveillance programs in the United States, including PRISM and UPSTREAM. Under these programs, the U.S. intelligence and security services can collect personal data from outside the United States, and use it at their own discretion in order to protect the interests of the state. And although most countries around the world have intelligence and security services that collect and analyse large volumes of data, the scale with which this seems to happen in the United States for many came as a surprise.
In the European Union (EU) however, national security, and thus any activity by intelligence and security services, falls outside the competence of the Union. According to Article 4 of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Thanks to this provision, we have the somewhat cynical situation that it doesn’t matter what the intelligence and security services of the EU Member States, but that it could be relevant what those in foreign countries do, at least from a data protection perspective. That is also the first question that was raised before the CJEU: why, if the EU is not competent to discuss national security, would foreign national security activity have an impact on data transfers under the GDPR.
According to the Court, the answer is relatively straightforward: the transfer from the EU to a third country is taking place between two commercial entities, in the Schrems-II case between Facebook Ireland and Facebook Inc. in the U.S., and that is a regular transfer that is covered by the provisions of the GDPR. The fact that in theory the data at some point may be intercepted by, or need to be handed over to, intelligence and security services in the U.S., does not make a difference. Since national security is not the purpose of the processing, it can also not be taken into account when deciding on the legality of the processing.
The ‘essentially equivalent’ requirement
The national security issues do become relevant when assessing if the third country to which the personal data flow (again, the U.S. were just used as an example in the case, but the judgment has an effect vis-a-vis all countries outside the European Economic Area) offers sufficient protection to personal data originating from Europe. In the judgment, the Court makes an explicit link between the various data transfer mechanisms and Article 44 GDPR, which requires that in case of cross-border data transfers “the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. This means that any safeguards that are agreed for the international transfer of personal data, need to meet the same high standards.
Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out. [Schrems-II, §92]
For adequacy decisions, it was not a big surprise that the Court requires high standards of data protection in third countries. Already in the Schrems-I decision, it introduced the standard of “essential equivalence” to assess if the legal regime of the third country would sufficiently protect European data.
The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. [Schrems-I, §73]
The Court confirms in the Schrems-II decision that the “essential equivalence” is also required under the GDPR. What is new however, is that the Court has extended this standard to other transfer mechanisms, in situations where no adequacy decision exists. So far, it had been widely assumed that adequacy decisions would indeed require the highest level of equivalence between EU data protection law and that in a third country, but that the use of contractual clauses – whether the standard contractual clauses or tailor-made, DPA-approved ones – a slightly lower level of data protection was acceptable. The Court now makes clear this is not the case. Also when transferring personal data on the basis of Article 46 GDPR, using appropriate safeguards like Standard Contractual Clauses (SCCs),
(…) such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country (…) are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.
Following this argument, a similar reasoning would need to be applied to transfers based on Binding Corporate Rules, although this is not explicitly mentioned by the Court.
Using Standard Contractual Clauses
What does this mean for the use of SCCs going forward? The good thing is that they still exist, and that means that it is possible to include SCCs in your contracts when exporting personal data from the EU. It is however less straightforward than before – just signing them is not enough. The Court agrees that the SCCs can be helpful for international data transfers, but also spells out that they
(…) are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. [Schrems-II, §133]
The Court also explains that the existence of national surveillance laws in a third country in principle should not be problematic. National security is recognised as a possible necessary limitation to the fundamental right to data protection, including in the SCC decision itself (as per a footnote to the heading of Clause 5).
A data exporter and data importer therefore need to assess whether they consider they can meet the requirements of the SCCs in their specific situation. Do they assume they will be able to guarantee the protections enshrined in the clauses, and thus avoid undermining the level of data protection offered by the GDPR? If not, it might be possible to agree on additional safeguards – this is allowed, as long as the provisions of the SCCs themselves are not changed (they can only be included in a contract on a “as they are” basis). This additional step implies that the data exporter and data importer will need to undertake an assessment of the law of the country where the data are flowing to. Without such an assessment, agreeing on the adequate safeguards would not be possible.
The assessment of a third country’s level of data protection should take a broad look at the legal framework, but in the light of the Schrems-II decision it should in any case include an assessment of any national surveillance legislation: is the data importer subject to such legislation, are the data likely to be intercepted by intelligence and security services based on their nature, have there been requests from intelligence and security services to hand over personal data in the past, etc. If national security legislation applies, it is unlikely that contractual clauses in any form could result in the required “essentially equivalent” level of protection, meaning the data export from the EU can not (or no longer) take place.
If the data exporter and importer conclude that the transfers are not or unlikely subject to surveillance laws, and they have agreed on other additional safeguards to be included in the contract, the data transfers can likely take place without problems. It is however important to document both the assessment of the third country’s legislation, as well as the reasons for which additional safeguards have been agreed. With the Court’s decision in hand, we expect that data protection authorities will more actively look at international data transfers using SCCs or other contracts, and thus it could be that they will ask you to show your assessments. Maintaining the relevant documentation is also part of your accountability requirements under Articles 5(2) and 24 GDPR and could for example be included in your Article 30 processing activities register, which should include all information related to international transfers.
The Privacy Shield deficits
The “essential equivalence” requirement also decided the faith of the Privacy Shield. Based on his assessment of the U.S. national security legislation and the additional safeguards that were agreed as part of the Privacy Shield arrangement, the Court found that the fundamental rights to privacy and data protection of Europeans could not be guaranteed when their data would flow to the U.S.
Where for SCCs the decision whether or not to suspend data transfers needs to be taken on a case-by-case basis, for the Privacy Shield a generic decision was required. That is the distinction between a binding adequacy decision, that binds all EU Member States as well as their organs, including data protection authorities, and contracts, that only bind the parties to the contracts. You could therefore still argue an adequacy decision is still assessed against a higher standard, since the protections need to be effective under all circumstances.
In the case of the U.S. national security legislation, in particular section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28, the CJEU concluded the legislation is too wide and too vague. It is therefore not possible for an individual to fully understand what might happen with their data. In addition, the U.S. surveillance laws go beyond what should be regarded as proportional or strictly necessary, at least from the EU perspective. Here, the Court refers to standing case-law, which includes the Schrems-I decision, but also decisions on massive and continuous data collections in the EU itself (e.g. Digital Rights Ireland, on the mandatory retention of telecommunications data to help fight terrorism and prevent serious crime) or in relation with other third countries (e.g. the transfer of Passenger Name Records data by airlines to the Canadian authorities).
The Court has held that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference. [Schrems-II, §171]
Also the fact that the U.S. surveillance laws do not allow Europeans to file a complaint in Court meets an objection from the Court. This point was already recognised by the European Commission when drafting the Privacy Shield. The EU and the U.S. therefore agreed to create an alternative redress mechanism with the introduction of the Ombudsperson. This person would be able to review upon request the processing of personal data of a given individual, and confirm if the processing was taking place in accordance with the protections offered by the Privacy Shield, if it was taking place at all. The Court concludes the Ombudsperson is mainly a political role. Since it is not supported by a legal obligation, for example to correct or delete data from the files of an intelligence and security service, and also does not allow for a legal remedy (e.g. an appeal in Court), it cannot replace judicial redress.
When looking at the conclusions of the CJEU on the Privacy Shield, the Court provides some important guidelines in order to assess the national security legislation in other third countries. First of all, the legislation in the third country needs to be sufficiently clear, detailed and foreseeable for an individual to understand what might happen to their data once it is used for national security purposes (even if that was not the intention of the data transfer). In addition, there need to be adequate means of judicial redress available to the individual. In other words: they need to be able to have their day in court, to fight any alleged misuse of their personal data by intelligence and security services.
Important Update: CJEU Ruling on EU-US Privacy Shield and ‘Schrems-II’
Schrems-II – The Day After
Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the statements given by the European and American authorities in response to the verdict.
The European Commission, the body responsible for the adequacy decision establishing the Privacy Shield, as well as for the creation of the Standard Contractual Clauses, held a press conference shortly after the verdict was published. V?ra Jourová, Vice-President of the European Commission responsible for Values and Transparency, confirmed the Commission’s position: “When personal data travels abroad from Europe, it must remain safe.” She added that she and her team would continue to work to ensure the continuity of safe data flows, including by modernising the Standard Contractual Clauses (SCCs). The new SCCs, that will also take into account the requirements of the GDPR, will now be “swiftly finalised (…) in consultation with the European Data Protection Board or Data Protection Authorities.”
Commissioner Jourová continued that she is determined to work with her U.S. counterpart, Secretary of Commerce Wilbur Ross, in a constructive way in order to find “solutions that reflect the values we share as democratic societies”.
Her colleague, Commissioner Didier Reynders (Justice), added that he wants “a formal approval to modernise the Standard Contractual Clauses as soon as possible”. As to the future of the Privacy Shield, Reynders mentioned he expects the conversations with the United States to start on Friday (17 July). Once the analysis of the CJEU verdict is completed, the EU will work to develop “a strengthened and durable transfer mechanism”.
The modernisation of the SCCs was long overdue. The current clauses are still based on the old data protection legislation, Directive 95/46/EC, and do not take into account some of the additional protections created by the GDPR. The Commission has been working on the new draft model clauses for some time, but had been reluctant to release them pending the outcome of the Schrems-II case. With the case now decided upon, and the conditions for transfers using SCCs a lot clearer, the Commission will likely be able to finalise the new model clauses within a couple of weeks. We expect the new versions to become available in the early fall.
Data Protection Authorities
The European Data Protection Board discussed the Schrems-II decision during its weekly teleconference on Friday (17 July). A press statement was released after the meeting, but does not yet contain a lot of detail on the way forward. The Board did announce it will take a bit more time to fully understand the intricacies of the judgment, and provide further clarifications at a later date.
Following the Schrems-I decision in 2015, the Article 29 Working Party (the predecessor of the Board) announced a grace period during which no enforcement action would take place on international transfers to the United States, to allow both supervisory authorities and companies to take stock of the existing processing operations, to consider alternative options and to allow the European Commission to start the negotiations that in the end led to the Privacy Shield. A similar approach seems likely this second time around, but will of course have to be confirmed by the Board. In 2015, the announcement of the grace period did not come until 10 days after the verdict.
Individual data protection authorities have released statements about the judgment. The CNIL, among others, only provides a procedural response, stating that it “is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States.”.
The German DPAs are especially vocal on their views. The German Federal data protection authority BfDI adds: “The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ.” His colleague from Hamburg goes a bit further and declares “Ultimately, however, this will not only affect states which, like the USA, have at least made an effort to give the impression that they are creating adequate structures for data protection. For countries like China, such data protection standards are a long way off. With regard to Brexit, too, the question of permissible data transfer will arise. Hard times are dawning for international data traffic.” In addition, the Hamburg Commissioner considers that “if the invalidity of the Privacy Shield is primarily justified by the excessive intelligence activities in the USA, the same must also apply to the standard contractual clauses. (…) At least with regard to the conclusion of the SCC with the US company in dispute, the ECJ should have come to the same conclusion.” The Berlin DPA goes even a step further. In a press release, she announces that data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection”.
Also various pundits have concluded from the verdict of the Court that it is henceforth almost impossible to rely upon SCCs in relation to data transfers to the U.S., at least where social media and cloud services are concerned.
The European Data Protection Supervisor in his statement welcomed the verdict of the Court, which reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. He expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. And he may not be the only supervisory authority undertaking such a review.
As to the United Kingdom, which since 1 February 2020 no longer forms a part of the European Union, the ICO declared it stands “ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”. The Swiss data protection authority stated that the Switzerland – U.S. Privacy Shield will remain valid for the time being, but that it will examine the judgment and provide comments in due course.
As was to be expected, the U.S. government expressed disappointment with the verdict of the Court. Secretary Ross stated he and his team were still studying the verdict, while announcing at the same time that “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. [The Court’s] decision does not relieve participating organizations of their Privacy Shield obligations.” This means that even though the Privacy Shield can no longer be used as a mechanism to transfer personal data from the EU to the U.S., companies that have processed personal data under a Privacy Shield certification so far, will need to continue to do so. This way, the U.S. government likely intends to facilitate a new version of the Privacy Shield to be put in place at some point in the future, while in the meantime ensuring that companies show that their business practices remain privacy friendly, also without the added benefit of easy data transfers.
Important Update: CJEU Ruling on EU-US Privacy Shield and ‘Schrems-II’
Schrems-II: Further Analysis of the Core Elements of the Verdict
The Schrems II decision is a Serious Privacy topic. Privacy professionals in the EU and the US had the 16th of July marked on their calendars for a long time. Today was the day the Grand Chamber of the Court of Justice of the European Union would publish their verdict in the case between the Irish Data Protection Commissioner on the one hand, and Facebook and Max Schrems on the other. The Schrems-II case, as it is commonly known, has made as much of an impact as its predecessor did in 2015.
On Thursday morning, July 16, the Court invalidated the EU-US Privacy Shield, and seriously restricted the use of standard contractual clauses. Reason enough for a special Serious Privacy episode to discuss the case and what comes next. Paul Breitbarth and K Royal talked briefly with Gabriela Zanfir-Fortuna of the Future of Privacy Forum and Sophie in ’t Veld, Dutch member of the European Parliament. We were looking for their reactions to the decision, their expectations, and their recommendations of what happens now. They did not disappoint in providing their insight.
We had an open discussion with two preeminent privacy professionals to discuss a critical privacy event, that may have global consequences.TrustArc was prepared for any eventuality, and rest assured, we have you covered. Listen to this week’s episode on our website or stream the episode below.
On the Schrems-II decision
Earlier today, the Grand Chamber of the Court of Justice of the European Union delivered the verdict in the case Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, more commonly known as the Schrems-II decision. In short, the Court ruled that the system of Standard Contractual Clauses, allowing for data transfers from the European Union to third countries, is valid. In turn, it decided that the Privacy Shield is to be invalidated. In this blog, we’ll take a look at the two main elements of the case and look ahead at what’s next.
What is the case about?
The court case is part of a long-running battle in various European courts between the Austrian privacy advocate, Maximilian Schrems, and U.S. tech giant Facebook. It goes back to 2015, when Mr. Schrems also stood before the CJEU in a case dealing with the validity of the EU-U.S. Safe Harbor Agreement (allowing for the transfer of personal data from the EU to the U.S. under specific conditions). The Court at the time decided to nullify Safe Harbor, since it was not deemed to offer an adequate level of protection, not being essentially equivalent to the European Data Protection Directive. In its ruling, the CJEU basically concluded that the U.S. legislation related to surveillance of electronic communications, as revealed by Edward Snowden and since confirmed by the U.S. administration, had too large an impact on personal data of people in the EU whose data were transferred to the U.S.
Given this conclusion, Mr. Schrems raised his concern that a data transfer using so-called Standard Contractual Clauses (SCCs, an alternative legal arrangement to export personal data from the EU) would have a similar effect to a transfer under the Safe Harbor Agreement: no adequate protection would be offered. He therefore filed an updated complaint against Facebook – as a use-case – with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Facebook Ireland to Facebook Inc. in the U.S. using SCCs would be suspended. Suspension is one of the possibilities under data protection law for enforcement of the SCCs in case insufficient safeguards are available. Instead, the Irish DPC decided to file a separate case in court trying to suspend or invalidate the use of SCCs altogether. Today’s verdict, which offers a response of the CJEU to the High Court in Ireland on a series of preliminary questions on the interpretation of EU law, is part of this case.
Standard Contractual Clauses
One of the main questions of the Schrems-II case was if the use of Standard Contractual Clauses to guide international data flows should be possible at all. The Court confirms this should be possible, although it has tightened the rules for the use of SCCs quite a bit. In the Schrems-I case, the CJEU had explained that data transfers outside the EU based on an adequacy decision, would require a level of protection in the third country that could be seen as “essentially equivalent” to the level of protection in Europe. The Court now basically extends the “essential equivalence” requirement to all international transfers. According to Article 44 GDPR, the general principle for transfers, the level of protection of natural persons when their personal data is transferred abroad, cannot be undermined. This is irrespective of the method used to transfer personal data, from adequacy decisions to contractual safeguards and possibly, although not explicitly mentioned, Binding Corporate Rules. The guarantees that are included in a contract should therefore also be “essentially equivalent” to the level of protection that is guaranteed within the EU. In case the SCCs are deemed not to be sufficient to guarantee such an essentially equivalent level of data protection for the country the company is exporting data to, “it may prove necessary to supplement” those guarantees, which is allowed as long as the provisions of the SCCs themselves are not changed.
The Court furthermore recognises that there could be situations where a company would not be able to take adequate additional measures. If so, they are “required to suspend or end the transfer of personal data to the third country concerned”. They would need to take a similar decision, if they consider they would not or no longer be able to comply with the provisions of the SCCs, or if they would no longer be able to ensure the high level of protection awarded to personal data originating in Europe.
If the company does not suspend the data flows themselves, it is up to the data protection authorities to do so in their stead, following an investigation. In order to ensure a consistent assessment of the laws in a third country, the Court also brings to mind that decisions to suspend a transfer because a third country doesn’t offer sufficient guarantees for data protection, are likely subject to a decision by the European Data Protection Board (EPDB).
The Privacy Shield self-certification mechanism was more than a contractual safeguard. It was an official adequacy decision from the European Commission, meaning that as long as a company adheres to the Privacy Shield principles, the data transfer could take place without objection. The CJEU makes clear that a decision to suspend or repeal an adequacy decision, can only be made by the European Commission itself, or by the Court, but not by an individual data protection authority. Data protection authorities are however competent to investigate a complaint against data transfers based on an adequacy decision, and could, if they find fault with the level of protection offered by the third country, refer the case to a court to get a decision on the validity of the adequacy decision.
In this case, the Court has indeed assessed the validity of the Privacy Shield adequacy decision, and it finds fault with it. Starting from the question if the Privacy Shield indeed offers an essentially equivalent level of data protection, the CJEU explains that based on standing case-law, communication of personal data to a third party, including providing access, constitutes an interference with the fundamental rights to private life and data protection, irrespective of the question if the data are used. This in itself is not a problem, as long as the interference still respects the essence of the fundamental rights, is necessary and genuinely meets an objective of general interest recognised by the EU. These objectives include national security.
The problem the Court finds however, is that the U.S. government surveillance programs run under section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28, are vague. They don’t lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards to effectively protect personal data against the risk of abuse. Based on EU case-law, this is a requirement, especially with regard to the circumstances and conditions under which surveillance can be used. Paragraphs 179-184 of the verdict discuss each of the U.S. surveillance programs in more detail and explain why they, in the eyes of the CJEU, are not limited to what is strictly necessary. In short: the risk of bulk collection and/or over-collection of personal data is too large.
A second objection of the Court lies with the redress possibilities. Again according to standing case-law, individuals should have the possibility to pursue legal remedies in order to get access to personal data related to them, or to ask for the rectification or erasure of such data. Especially in light of data transfers, the existence of such redress mechanisms in the countries where data flow to are important, since EU authorities cannot effectively protect personal data themselves when it has gone abroad. They have no powers outside their national borders. The European Commission recognised that redress would be difficult when data is flowing to the U.S. and therefore created, together with the U.S. administration, the Ombudsperson, a mechanism to oversee data originating from Europe processed by the U.S. intelligence and security services. The Court however considers the introduction of the Ombudsperson cannot remedy the deficiencies of effective redress, because it is a political commitment to correct any violation, without an underlying legal obligation. Also, there is no cause of action open to EU citizens following a decision from the Ombudsperson.
The combination of data collections by government bodies that go beyond what is regarded in Europe as strictly necessary, and a lack of effective redress, makes the Court conclude the Privacy Shield does not meet the standards of an essentially equivalent level of protection. Because of that, the adequacy decision is invalid, and therefore also the rest of the Privacy Shield is invalidated.
The verdict of the CJEU leaves data transfers from the EU to the U.S. in limbo for now. It is clear the Privacy Shield can no longer be used, but a lot of questions remain as to whether SCCs remain valid for data transfers between the EU and the U.S., or other countries with impactful national surveillance systems for that matter. Clarity on that issue is expected on Friday, when the EDPB will convene at Commissioner’s level. It is likely a grace period will be announced, as was the case in 2015, in order for a negotiated solution to be found between Europe and the United States.
Justice Commissioner Didier Reynders said immediately after the verdict he is “committed to having strong and protective data transfers systems. I will work closely with national data protection authorities and the European Data Protection Board. As of today, I will reach out to my US counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.” European Commission Vice-President Vera Jourova added that the Commission will swiftly finalise the modernisation of the Standard Contractual Clauses, bringing them in line with the GDPR. U.S. Secretary of Commerce Wilbur Ross stated his disappointment with the CJEU decision. He added “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
More in general, the CJEU verdict clarifies that the European Union expects a high level of data protection for data originating from their shores, wherever it is flowing. The United States in this case was just an example, because of the existing evidence on the various surveillance programs. For all third countries, it is now up to data exporters, as well as to the supervisory authorities, to start their assessments of the legal frameworks in the countries they export their data to. If putting in place additional safeguards in contracts would appear not to be possible, it could be the only way forward is to suspend data processing operations until a better solution is found.
Rest assured: TrustArc has you covered.
As the pioneer and leader in enterprise certifications, TrustArc is committed to keeping you informed of the latest developments, share perspective on the impact and provide tangible actions to ensure ongoing compliance with the evolving international standards.
Today, those enterprises in TrustArc’s Privacy Shield Program may remain in the program while the EU and U.S. governments are working to negotiate a new data transfer arrangement.
Alternatively, TrustArc is also providing you a new and current solution so that you can demonstrate to your customers and regulators that you are continuing to protect data in the same way.
TrustArc’s International Privacy Verification Program, is a Privacy Shield aligned verification that preserves the regulation’s core principles and standards for protecting personal data by commercial enterprises. Organizations interested in maintaining demonstrable compliance while the EU-U.S. regulators make clarifications can verify their privacy program practices via the TRUSTe International Privacy Verification Program.
To learn more about the CJEU decision and what it means for your business, register for the webinar on July 21st, “The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent”.
Schrems-II – The Day After
Schrems-II: Further Analysis of the Core Elements of the Verdict