On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a judgment in the so-called “Schrems II” case (case C-311/18, see full text and press release), which will have a significant impact on transferring personal data outside the EU and the EEA. The decision is likely to cause some uncertainty and fragmentation across Europe. More scrutiny will likely be applied to the legality of data transfers, making it even more crucial for businesses to assess their compliance with data protection legislation.
The main takeaways from the judgment are the following:
- The CJEU invalidated the European Commission decision on the EU-US Privacy Shield, just as it invalidated the Safe Harbour principles in 2015. Transfers of personal data to the USA that rely solely on the Privacy Shield therefore become unlawful.
- The European Commission’s standard contractual clauses (SCCs) remain valid. However, data exporters must verify ‒ on a case-by-case basis ‒ whether mere use of SCCs provides an adequate level of personal data protection which is essentially equivalent to that guaranteed in the EU. This assessment must take into account the law of the third country, particularly as regards potential access to data by the third country’s authorities. If necessary, data exporters must provide additional safeguards, such as supplements to SCCs. It is likely that mere use of SCCs will be considered as inadequate for transfers to the USA.
- Data exporters are obliged to suspend or put an end to data transfers if the recipient is not able to comply with SCCs and/or additional safeguards. A data exporter that fails to provide additional safeguards or fails to suspend or end the transfer when needed will be in breach of the GDPR. In that case, the competent supervisory authorities are required to suspend or end the transfers themselves.
Privacy Shield invalidated
Under the General Data Protection Regulation (the GDPR), transferring personal data to third countries outside the EU and the EEA may only take place if certain safeguards are applied to ensure that the data is adequately protected in the third country. One of the grounds for lawful transfers is an adequacy decision of the European Commission.
With last week’s judgment, the CJEU invalidated the Commission’s adequacy decision on the EU-US Privacy Shield framework. The Court found that the framework does not satisfy the requirements of adequate protection of personal data because of US surveillance activities. This means that transatlantic transfers of personal data to Privacy Shield certified companies in the USA cease to be lawful if no other safeguards are applied. The invalidation of the Privacy Shield follows the 2015 judgment of the CJEU (the “Schrems I” case), in which the Court invalidated the previous EU-US privacy framework, the Safe Harbour principles.
The standard contractual clauses remain valid, but are they enough?
An alternative to relying on the Commission’s adequacy decisions for data transfers is to include standard data protection clauses adopted by the Commission into the agreements between data controllers and processors. The validity of these standard contractual clauses (SCCs) was also challenged before the CJEU.
The Court declared that the SCCs remain valid. The SCCs can therefore still be used for transferring personal data to third countries. However, the CJEU emphasises in its judgment that data exporters must diligently verify, on a case-by-case basis (and if necessary in collaboration with the data recipient), whether the law of the recipient country ensures adequate protection essentially equivalent to that guaranteed in the EU. This assessment must take into account both the SCCs and the law of the third country as regards the access rights of public authorities. Where necessary, the data exporter must provide additional safeguards beyond those offered by the SCCs.
The Court further considered that the controller is bound to suspend the transfer of data and/or to terminate the contract if the data recipient is not, or is no longer, able to comply with the SCCs. If the data exporter fails to provide additional safeguards when required, or fails to suspend the transfers or terminate the relevant contracts, it will be in breach of the GDPR and will risk being fined for the infringement.
If the data exporter fails to take adequate measures, or to suspend or put an end to the transfer, the competent supervisory authority is required to suspend or end the transfer of personal data to the third country concerned. The CJEU explicitly stresses that this is particularly the case where the law of the third country imposes obligations contrary to the SCCs and therefore does not provide an adequate level of protection against access by the public authorities of that third country.
In light of the judgment, companies should verify whether they transfer any data to the USA on the basis of the Privacy Shield only. If so, alternative safeguards should be put in place. Companies relying on the SCCs should likewise exercise diligence and, if necessary, apply additional safeguards. More scrutiny will likely be applied to the use of the SCCs in the future. There is a considerable risk that, for data transfers to the USA, the mere use of the SCCs will be considered inadequate.
The decision causes legal uncertainty and may lead to differing conclusions among the supervisory authorities in the EU. Businesses risk infringing the GDPR if they use the SCCs without additionally assessing, on a case-by-case basis, the level of protection provided in the third country.
Our Data Protection specialists remain at your disposal should you have any questions on how to ensure the legality of data transfers.