On the Schrems-II decision
Earlier today, the Grand Chamber of the Court of Justice of the European Union delivered the verdict in the case Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, more commonly known as the Schrems-II decision.
In short, the Court ruled that the system of Standard Contractual Clauses, allowing for data transfers from the European Union to third countries, is valid. In turn, it decided that the Privacy Shield is to be invalidated.
What is the case about?
The court case is part of a long-running battle in various European courts between the Austrian privacy advocate, Maximilian Schrems, and U.S. tech giant Facebook.
It goes back to 2015, when Mr. Schrems also stood before the CJEU in a case dealing with the validity of the EU-U.S. Safe Harbor Agreement (allowing for the transfer of personal data from the EU to the U.S. under specific conditions). The Court at the time decided to nullify Safe Harbor, since it was not deemed to offer an adequate level of protection, not being essentially equivalent to the European Data Protection Directive.
In its ruling, the CJEU basically concluded that the U.S. legislation related to surveillance of electronic communications, as revealed by Edward Snowden and since confirmed by the U.S. administration, had too large an impact on personal data of people in the EU whose data were transferred to the U.S.
Given this conclusion, Mr. Schrems raised his concern that a data transfer using so-called Standard Contractual Clauses (SCCs, an alternative legal arrangement to export personal data from the EU) would have a similar effect to a transfer under the Safe Harbor Agreement: no adequate protection would be offered.
He therefore filed an updated complaint against Facebook – as a use-case – with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Facebook Ireland to Facebook Inc. in the U.S. using SCCs be suspended.
Suspension is one of the possibilities under data protection law for enforcement of the SCCs in case insufficient safeguards are available. Instead, the Irish DPC decided to file a separate case in court trying to suspend or invalidate the use of SCCs altogether.
Today’s verdict, which offers a response of the CJEU to the High Court in Ireland on a series of preliminary questions on the interpretation of EU law, is part of this case.
Standard Contractual Clauses
One of the main questions of the Schrems-II case was whether the use of Standard Contractual Clauses to guide international data flows should be possible at all. The Court confirms that it should be possible, although it has tightened the rules for the use of SCCs quite a bit.
In the Schrems-I case, the CJEU had explained that data transfers outside the EU based on an adequacy decision would require a level of protection in the third country that could be seen as “essentially equivalent” to the level of protection in Europe. The Court now basically extends the “essential equivalence” requirement to all international transfers.
According to Article 44 GDPR, the general principle for transfers, the level of protection of natural persons cannot be undermined when their personal data is transferred abroad. This holds irrespective of the method used to transfer personal data, from adequacy decisions to contractual safeguards and possibly, although not explicitly mentioned, Binding Corporate Rules.
The guarantees that are included in a contract should therefore also be “essentially equivalent” to the level of protection that is guaranteed within the EU.
In case the SCCs are deemed not to be sufficient to guarantee such an essentially equivalent level of data protection for the country the company is exporting data to, it may prove necessary to supplement those guarantees, which is allowed as long as the provisions of the SCCs themselves are not changed.
The Court furthermore recognizes that there could be situations where a company would not be able to take adequate additional measures. If so, they are required to suspend or end the transfer of personal data to the third country concerned.
They would need to take a similar decision if they consider they would not, or no longer, be able to comply with the provisions of the SCCs, or if they would no longer be able to ensure the high level of protection awarded to personal data originating in Europe. If the company does not suspend the data flows itself, it is up to the data protection authorities to do so in its stead, following an investigation.
In order to ensure a consistent assessment of the laws in a third country, the Court also recalls that decisions to suspend a transfer because a third country doesn’t offer sufficient guarantees for data protection are likely subject to a decision by the European Data Protection Board (EDPB).
The Privacy Shield self-certification mechanism was more than a contractual safeguard. It was an official adequacy decision from the European Commission, meaning that as long as a company adheres to the Privacy Shield principles, the data transfer could take place without objection.
The CJEU makes clear that a decision to suspend or repeal an adequacy decision can only be made by the European Commission itself, or by the Court, but not by an individual data protection authority. Data protection authorities are however competent to investigate a complaint against data transfers based on an adequacy decision, and could, if they find fault with the level of protection offered by the third country, refer the case to a court to get a decision on the validity of the adequacy decision.
In this case, the Court has indeed assessed the validity of the Privacy Shield adequacy decision, and it finds fault with it.
Starting from the question whether the Privacy Shield indeed offers an essentially equivalent level of data protection, the CJEU explains that based on settled case-law, communication of personal data to a third party, including providing access, constitutes an interference with the fundamental rights to private life and data protection, irrespective of whether the data are subsequently used.
This in itself is not a problem, as long as the interference still respects the essence of the fundamental rights, is necessary and genuinely meets an objective of general interest recognized by the EU. These objectives include national security.
The problem the Court finds, however, is that the U.S. government surveillance programs run under section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28 are vague. They don’t lay down clear and precise rules governing the scope and application of the measure in question, and there are no minimum safeguards to effectively protect personal data against the risk of abuse.
Based on EU case-law, this is a requirement, especially with regard to the circumstances and conditions under which surveillance can be used. Paragraphs 179-184 of the verdict discuss each of the U.S. surveillance programs in more detail and explain why they, in the eyes of the CJEU, are not limited to what is strictly necessary.
In short: the risk of bulk collection and/or over-collection of personal data is too large.
A second objection of the Court lies with the redress possibilities. Again according to settled case-law, individuals should have the possibility to pursue legal remedies in order to get access to personal data related to them, or to ask for the rectification or erasure of such data.
Especially in light of data transfers, the existence of such redress mechanisms in the countries where data flow to is important, since EU authorities cannot effectively protect personal data themselves once it has gone abroad: they have no powers outside their national borders.
The European Commission recognized that redress would be difficult when data is flowing to the U.S. and therefore created, together with the U.S. administration, the Ombudsperson, a mechanism to oversee data originating from Europe processed by the U.S. intelligence and security services.
The Court, however, considers that the introduction of the Ombudsperson cannot remedy the deficiencies in effective redress, because it is a political commitment to correct any violation, without an underlying legal obligation. Also, there is no cause of action open to EU citizens following a decision from the Ombudsperson.
The combination of data collection by government bodies that goes beyond what is regarded in Europe as strictly necessary, and a lack of effective redress, leads the Court to conclude that the Privacy Shield does not meet the standard of an essentially equivalent level of protection.
Because of that, the adequacy decision is invalid, and therefore also the rest of the Privacy Shield is invalidated.
The verdict of the CJEU leaves data transfers from the EU to the U.S. in limbo for now. It is clear the Privacy Shield can no longer be used, but a lot of questions remain as to whether SCCs remain valid for data transfers between the EU and the U.S., or other countries with impactful national surveillance systems for that matter.
Clarity on that issue is expected on Friday, when the EDPB will convene at Commissioner’s level. It is likely a grace period will be announced, as was the case in 2015, in order for a negotiated solution to be found between Europe and the United States.
Justice Commissioner Didier Reynders said immediately after the verdict he is “committed to having strong and protective data transfers systems. I will work closely with national data protection authorities and the European Data Protection Board. As of today, I will reach out to my US counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.”
European Commission Vice-President Vera Jourova added that the Commission will swiftly finalize the modernization of the Standard Contractual Clauses, bringing them in line with the GDPR. U.S. Secretary of Commerce Wilbur Ross stated his disappointment with the CJEU decision.
He added “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
More in general, the CJEU verdict clarifies that the European Union expects a high level of data protection for data originating from their shores, wherever it is flowing. The United States in this case was just an example, because of the existing evidence on the various surveillance programs.
For all third countries, it is now up to data exporters, as well as to the supervisory authorities, to start their assessments of the legal frameworks in the countries they export their data to. If putting additional safeguards in place in contracts appears not to be possible, the only way forward may be to suspend data processing operations until a better solution is found.
Rest assured: TrustArc has you covered
As the pioneer and leader in enterprise certifications, TrustArc is committed to keeping you informed of the latest developments, sharing perspective on the impact and providing tangible actions to ensure ongoing compliance with the evolving international standards.
Today, those enterprises in TrustArc’s Privacy Shield Program may remain in the program while the EU and U.S. governments are working to negotiate a new data transfer arrangement.
Alternatively, TrustArc is also providing you a new and current solution so that you can demonstrate to your customers and regulators that you are continuing to protect data in the same way.
TrustArc’s International Privacy Verification Program is a Privacy Shield aligned verification that preserves the regulation’s core principles and standards for protecting personal data by commercial enterprises. Organizations interested in maintaining demonstrable compliance while the EU-U.S. regulators make clarifications can verify their privacy program practices via the TRUSTe International Privacy Verification Program.