Whatever the outcome of Schrems 2.0, the key takeaway is: don't panic.
Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as "Schrems 2.0".
The main ingredients haven't changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.
This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which go beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow's decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we set out the three potential rulings open to the CJEU and the steps you can take following such a ruling.
What the decision is about
The CJEU’s ruling will answer questions referred to it for a preliminary ruling in May 2018 by the Irish High Court. The questions may have an impact on the validity of the three sets of SCC adopted by the EU Commission under the former EU Data Protection Directive (two Controller-to-Controller-SCC: Set I adopted in 2001 & Set II adopted in 2004; and one Controller-to-Processor-SCC, adopted in 2010).
SCC can be used to provide the appropriate safeguards (cf. Art. 46 GDPR) necessary for the lawful transfer of personal data of individuals in the EU to third countries, in particular to countries that have not been approved as offering an "adequate" level of protection for personal data in the form of an adequacy decision by the Commission (Safe Third Country). To illustrate the importance of the SCC in practice, it is worth noting that, of the EU 27's top 40 trading partners, only four (Switzerland, Israel, Japan and Argentina) benefit from unqualified adequacy decisions, while transfers to Canada are limited to the private sector and transfers to the US require registration under the EU-U.S. Privacy Shield program. For US companies, the ability to rely on the SCC offers an important alternative or additional option to committing to the EU/U.S. Privacy Shield scheme.
The issue currently before the CJEU has its roots in the leak of classified information around NSA surveillance programs, which alleged that the NSA had obtained unrestricted access to mass data stored on servers located in the U.S. All companies involved in the PRISM program appeared to be Safe Harbour-certified, making the Safe Harbour scheme, in the words of the EU Commission, “one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the EU”. In Schrems 1.0, Max Schrems, an Austrian data protection activist, filed a complaint against Facebook Ireland, Ltd. with the Irish Data Protection Commission (the "Irish DPC") in respect of its data transfers to its U.S. headquarters. The complaint led to the invalidation of the EU-U.S. Safe Harbor Agreement by the CJEU in 2015. This left thousands of US companies with little choice but to rely on SCC for such data transfers. Following the ruling, Max Schrems resubmitted his complaint against Facebook, questioning the legitimacy of the same transfers, now based on SCC, on the basis that the SCC also incorporate exceptions which enable mass surveillance by the U.S. authorities.
The complaint gave the Irish DPC an opportunity to examine whether the SCC provide the appropriate safeguards required for the lawful transfer of personal data and, in doing so, the Irish DPC hinted that in its view the SCC do not provide sufficient protection to EU citizens. However, as the Irish DPC felt it lacked the competence to suspend the data transfers, the case was brought before the Irish High Court so that it could in turn refer the case to the CJEU.
The key questions the CJEU will answer in its decision tomorrow are therefore:
What the decision is (actually) not about
Generally, the Schrems case does not require the CJEU to make any remarks on the validity of the Privacy Shield because the scope of the complaint merely touches on the validity of transfers made on the basis of the SCC.
In its questions referred to the CJEU, however, the Irish High Court mentions the Privacy Shield decision and the assessments made in it. Should the CJEU decide to answer this question, it could result in an indirect review of the EU-U.S. Privacy Shield and possibly – should the CJEU take heed of the Advocate General’s concerns (see below) – its invalidation, at worst.
According to EU Justice Commissioner Didier Reynders, the EU Commission is already preparing for such an eventuality. Reynders said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court”.
The Advocate General Opinion: uphold SCC, adjust Privacy Shield
The CJEU is assisted by eight Advocates General, whose role is to deliver a written legal "Opinion" on cases brought before the CJEU. The Opinion sets out the different views and arguments that might apply to the case and reaches a “reasoned submission" that is put before the CJEU. Although the Opinion is not binding on the CJEU, it often influences the decision, and in most cases the CJEU follows it.
On December 19, 2019, Advocate General (AG) of the CJEU Henrik Saugmandsgaard Øe delivered his opinion on Schrems 2.0.
The AG concluded that the SCC 2010/87 (Controller-to-Processor) adopted by the Commission are valid. In his view, it must be ensured that the appropriate safeguards are effective in practice and that they provide an appropriate level of data protection through the SCC parties’ obligations and the supervisory authorities’ powers. Whether or not a third country itself provides an adequate level of data protection is irrelevant. Indeed, Art. 46 GDPR exists precisely to justify data transfers to third countries that do not provide an adequate level of data protection. The onus is on the data exporter itself to: i) monitor and evaluate legal developments in the recipient country; and ii) suspend the transfers if the data importer can no longer comply with the SCC provisions. The AG avoided making a generalized evaluation of the lawfulness of transfers based on SCC and instead favored an individual analysis to be carried out by the data exporter. For instance, sensitive consumer data are much more often the target of data requests by U.S. intelligence agencies than pure B2B datasets.
Hence, in the view of the AG, the transfer of data to the US based on SCC might not be justified in every specific circumstance. However, the SCC transfer mechanism itself does provide a lawful method of data transfer.
The AG recommends that the CJEU not rule on the validity of the EU/U.S. Privacy Shield, as he views it to be irrelevant to the actual case in question. Nevertheless, the Advocate General went on to express doubts as to the validity of the Privacy Shield, mainly due to deficiencies in the ombudsperson mechanism.
The three possible outcomes
There are many different possible outcomes in tomorrow’s ruling; however, three scenarios seem most likely – in any case, don’t panic:
I. Scenario one: SCC are valid but need to be analyzed on a case-by-case basis
Should the CJEU follow the AG’s opinion and declare the SCC valid without further examining the Privacy Shield’s validity, companies can generally continue to use the SCC. Now, probably more than ever, a particular focus should be put on the data exporter’s evaluation of the legal developments in the recipient state. Further, the AG’s opinion made clear that the obligation to review and potentially suspend a transfer is not only on the data exporter but on the data importer as well, and that a failure to do so could potentially lead to fines. Companies should thus generally revisit their data transfers, be they external or internal. Companies should prepare a table of all data transfers and assign each category a risk rating based on the likelihood of such data being of interest to any national intelligence service.
For example, exporters transferring data that could be viewed as more sensitive (such as data collected by information society service providers, social networking sites and similar B2C services) should be cautious about continuing to rely on the SCC when the recipient country is known to have mass surveillance in place. Those service providers should consider switching to an adequacy decision or, where applicable, Binding Corporate Rules (Art. 47 GDPR) as the legal basis for their transfers, even though the CJEU’s findings may ultimately also have an effect on the validity of BCRs. Exporters transferring B2B data or limited amounts of B2C data, however, usually do not face risks that would prevent them from using the SCC.
II. Scenario two: SCC are invalidated but other lawful data transfer mechanisms are available
A decision invalidating the SCC would have a very negative impact on companies involved in international data transfers, as SCC are one of the most important lawful bases for such transfers. If the SCC are invalidated by the CJEU, they can no longer be used as a legal basis for data transfers to any non-EU country, and data exporters would need to switch to another lawful basis such as an adequacy decision (which is unlikely to be available), Binding Corporate Rules (BCRs) or the exceptions listed in Art. 49 GDPR.
In the event that the CJEU invalidates the SCC, it is expected that the Commission will react quickly to resolve the difficult situation that companies would find themselves in. The Commission has, for years, been developing new SCC better tailored to the GDPR, and if the current SCC are found to be invalid, we anticipate that the Commission will accelerate these efforts, particularly should the CJEU require only changes to the SCC. In addition, even though the CJEU ruling would most likely not grant a grace period, it is unlikely that supervisory authorities would immediately initiate enforcement proceedings against companies that continue to rely on existing SCC for a short period after the ruling, pending the approval of a new SCC regime. Companies are well advised to monitor and comply with the guidance from EU supervisory authorities and the EU Commission that would be likely to follow such a judgment. Hopefully, new SCC would be issued in due time so that companies could migrate their data transfers to them without the need to immediately cease data transfers; alternatively, companies transferring to third countries may look at country-specific alternatives; for example, U.S. companies may look to rely on the EU-U.S. Privacy Shield.
III. Scenario three: SCC are invalidated and the CJEU makes additional remarks on the validity of EU-US Privacy Shield
Although the AG recommended that the CJEU not opine on the validity of the EU-U.S. Privacy Shield, the CJEU may elect to do so, as the Privacy Shield is directly covered by one of the questions referred to it by the Irish High Court.
Should both the SCC and the Privacy Shield be invalidated, international transfers to the U.S. would arguably have to be halted if the exporter cannot rely on any other legal basis, such as BCRs or the exceptions of Art. 49 GDPR. BCRs, however, are not a practically feasible option for many, not least given the time that supervisory authorities would need to review and approve the enormous flood of BCR applications that would result from an invalidation of both the SCC and the Privacy Shield program. Likewise, the exceptions in Art. 49 GDPR are purposefully narrow and are designed as exceptions to the general prohibition rather than as an adequate legal ground for persistent transfers. This would leave a large portion of companies without any legal basis for transfers to the U.S., forcing them to wait for further developments in the weeks after the judgment.
Whatever the outcome, the key takeaway is: don’t panic
On July 16, 2020, the wait will be over and companies will have a greater degree of clarity concerning the validity (or otherwise) of the SCC. Regardless of whether the worst-case scenario occurs (SCC are invalidated and the CJEU makes additional remarks on the validity of EU-U.S. Privacy Shield) or the best (SCC are valid but need to be analyzed on a case-by-case basis), it seems highly unlikely that every company that transfers data to the U.S. will find itself the subject of regulatory action overnight. Considering the impact of Schrems 2.0, we would expect the EU Commission and the national supervisory authorities to react quickly to issue further guidance and to adapt SCC as necessary, and not seek to punish those that legitimately relied on data transfer mechanisms that were approved and used for many years.