Today the European Court of Justice (CJEU) published its highly anticipated judgement in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as "Schrems 2.0". There were three key elements to the decision:
What companies should do now:
If you were relying on the Privacy Shield:
You need to find other ways to permit data transfers into the United States or should consider locating data processing operations to the European Union. Other methods of cross-border data transfer include the SCC or establishing Binding Corporate Rules (Art. 47 GDPR). However, in both cases the level of data protection in the respective third country would need to be assessed. BCR are not a practically feasible option for many, not least given the time that would be needed for supervisory authorities to review and approve the flood of BCR approvals. Likewise, exceptions in Art. 49 GDPR are purposefully narrow and are designed to form exceptions to the general prohibition rather than an adequate legal ground for persistent transfers.
This leaves a large portion of companies with limited options for transfers to the U.S. In particular, the invalidity of the Privacy Shield puts U.S. companies without a contractual partner in the European Union in the unfortunate position of transferring personal data outside the EU without a European counterpart to sign the SCCs to provide an approved transfer mechanism. While there is room to argue that such U.S. companies are subject to the GDPR in any event by virtue of Art. 3(1) or (2), and so, by virtue of being little slices of Europe for data protection purposes, may not be subject to the specific requirements for international data transfers, this legal view is not commonly shared among regulators. Business should thus look to the exceptions under Art. 49 GDPR or, as a risk mitigating measure, contractually commit to unilaterally be bound by the SCCs.
If you were relying on SCCs:
You must revisit their data transfers to third countries on a case-by-case level and assess the level of data protection in the respective recipient country. This obligation does not only apply to data transfers into the United States but to all countries located outside the European Union.
While the CJEU emphasized the need to evaluate transfers on a “case by case” basis, the CJEU’s reasoning does not make it easy for companies to self-assess the validity of the data transfer. Parts of the ruling could be understood as if a data importer needed to generally confirm its ability to, for example, notify the data exporter of access requests by, for example, national intelligence services and to confirm that there is no excessive access to such data. If so, U.S. companies may have trouble justifying the transfer. In fact, the Irish DPC already said that transfers to the U.S. would now be generally questionable. However, it also seems defensible to argue that data which is not generally of interest to U.S. intelligence services might enjoy sufficient protection in the U.S. and, as a result, may be transferable.
As a first step, companies should prepare a table with all data transfers and assign each category with a risk based on the probable likelihood of such data being of interest to any national intelligence services. Companies should document this risk assessment and briefly describe the reasons for continuing data transfers.
As a general rule, data exporters transferring data that could be viewed as more sensitive (such as data collected by information society service providers, social networking sites and similar B2C services) should be careful to continue relying on the SCC when the recipient country is, in the CJEU’s view, known to have mass surveillance in place. In particular, for sensitive information, the low-risk solution would be storing the data into the European Union.
Exporters transferring B2B or limited amounts of B2C data, on the contrary, usually do not face risks of increased access by intelligence services. Such data may thus continue to be based on the SCCs but companies should carefully monitor the further developments as it is expected that the European Data Protection Board will eventually decide on the validity of certain data transfers to such states, in particular, the U.S.
Companies should ask themselves the following questions in order to assess the risks associated with the transfer of personal data under the SCC:
The sensitivity assessment depends on the amount and quality of the data. Personal data collected by information society service providers, social networking sites and similar B2C services is deemed to be sensitive.
The quality of the data relates to the complexity of the personal data. Generally, personal data would be considered high-quality data (and thus sensitive data) if it could be used to draw conclusions on individual behavior. On the other hand, B2B data or limited amounts or low-quality (e.g. certain information on a person’s orders in an online shop) of B2C data is unlikely to be viewed in the same way.
The level of surveillance is generally deemed to be higher if a company in the recipient country would be obliged to grant national intelligence agencies access to the data without an accompanying procedure granting sufficient legal protection. One indication for the level of surveillance in the recipient country might be the number of accesses (or access attempts) by a national intelligence agency the data importer experienced within a certain period of time. In most cases, companies would need to rely on the information provided by the contractual partner located in the respective country in order to assess the level of surveillance.
Low level of Surveillance
Low level of Surveillance
High Level of Surveillance
High Level of Surveillance
|Depending on the answers to these two questions, companies can conduct a high-level self-assessment of the risk associated with the transfer of data under the SCC:
Waiting for Guidance - could be like waiting for Godot
Unfortunately, a "wait and see" approach is not really a viable option. Waiting in the hope that the EU quickly develops a successor program (Privacy Shield 2.0), while continuing to rely on its defunct predecessor, would attract an unacceptable amount of risk as Privacy Shield has been invalidated with immediate effect. In light of the objections of the CJEU to U.S. domestic laws and safeguards, Privacy Shield 2.0 may never arrive or we could be we waiting for quite some time.
However, notwithstanding that the judgement does not grant a grace period for companies that relied on the Privacy Shield, it is unlikely that supervisory authorities will immediately initiate enforcement proceedings against companies that relied on the Privacy Shield. It thus seems sensible to carefully consider the relevant options and look out for further guidance from the European Commission and / or the European data protection supervisory authorities.
Companies that transfer personal data outside of Europe must review the respective transfer mechanism, in particular companies that relied on the Privacy Shield. Even though the SCC remain valid, the judgement does not give a free pass to companies relying on the SCC. The CJEU was very clear that also data transfers under the SCC need to be constantly (re-)evaluated and eventually even suspended in order to remain in compliance with data privacy principles.
We expect the European Commission and the European data protection supervisory authorities to publish further guidance. Companies shouldn’t panic but start with the risk assessment and consider alternatives to their current data storage and transfer practices.
Brexit: the elephant in the room
While most conversations around the viability of transfers to countries with surveillance by national intelligence agencies is likely to focus on jurisdictions that have traditionally been major trading partners of the EU28, such as the U.S. and China, it is easy to forget that the same questions may arise with transfers to partners closer to home.
UK surveillance laws, which have recently been given a revamp in the form of the UK Investigatory Powers Act 2016, have consistently faced challenges under EU human rights law. Although these challenges have resulted in reviews of UK surveillance law and amendments to bring it into line with European law, recent threats to repeal the UK's Human Rights Act 1998, which incorporates the European Convention on Human Rights into law in the UK, may mean that an adequacy decision from the European Commission with respect to the UK is far from a foregone conclusion.
That being said, the UK will, for the time being at least, have equivalent (if not identical) data protection standards to the EU. The direct incorporation of the GDPR into UK law through the Data Protection Act 2018 and the snappily named Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019 should provide sufficient comfort for regulators in the EU that data transferred to the UK will not be subject to excessive access from the UK’s intelligence services. Any future divergence, however, particularly concerning any carve-outs for national security, would presumably be closely watched by the European Commission, supervisory authorities, and maybe even Max Schrems.
Further Additional Information for Privacy Geeks:
The CJEU’s decision
Today, July 16, the CJEU found the SCCs 2010/87 (Controller-to-Processor SCCs of 2010) to be valid, although it placed greater onus on the parties to ensure that the terms of those SCCs are being, and can actually be, adhered to.
The Court argued that transfers of personal data to third countries based on SCC must provide a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, taking into consideration the clauses agreed between the transferring parties and the legal system of the third country in question. Examining the SCC 2010/87, the CJEU found the SCC to include effective mechanisms to ensure compliance with the required level of protection and to suspend or prohibit transfers in the event that the clauses are not, or cannot be, complied with. The obligation to review and potentially suspend a transfer is not only on the data exporter, but it is actually on the data importer as well and could potentially lead to fines.
Finally, the Supervisory Authorities are obliged to suspend or prohibit the transfer if they are of the view that an adequate level of protection cannot be provided because the clauses are not being, or cannot be, complied with. Should a Supervisory Authority consider any transfer to a third country such as the U.S. to not be permissible, Art. 64 (2) GDPR would permit to seek an opinion from the European Data Protection Board (EDPB), which can adopt a binding decision pursuant to Art. 65(1)(c) GDPR.
The CJEU invalidated the EU-/U.S. Privacy Shield, thus delivering what feels like a “Safe Harbor 2.0”, just five years after the predecessor to the Privacy Shield, the Safe Harbor Agreement, was nullified. This is bad news for companies that have relied on this transfer mechanism for some four years now.
In essence, the CJEU followed the concerns that Advocate General Henrik Saugmansgaard Øe already stated in his opinion. In the CJEU’s view, U.S. domestic law does not limit mass surveillance activities to what is strictly necessary, nor does the Ombudsperson mechanism under the Privacy Shield program grant sufficient judicial protection or remedies for individuals, meaning that, overall, U.S. companies are unable to provide an essentially equivalent level of data protection to what is required by the GDPR, regardless of their certification under the Privacy Shield scheme.
Click here to read our recent blog post regarding the background of the Schrems 2.0 decision.