The CJEU’s decision in Schrems II: Privacy Shield invalidated (and SCCs in jeopardy)

The background – Schrems attacks model clauses after getting Safe Harbor scrapped

We’ve written previously about the background to the case, but, in short, the case was initiated in 2015 by Max Schrems, a data privacy activist who succeeded in getting the previous “safe harbor” transfer mechanism invalidated. Following the success of his safe harbor challenge, he turned his attention to Facebook’s use of model clauses (also known as standard contractual clauses or “SCCs”) to transfer personal data to its US headquarters and made a further complaint to the Irish Data Protection Commission (“DPC”). As part of his complaint, Schrems argued that the US approach to personal data undermined the EU’s high data protection standards, and that personal data should not be exported to the US irrespective of the transfer mechanism.

The Irish DPC also raised concerns about the use of model clauses in general, and the case ended up before the Court of Justice of the European Union (“CJEU”).

In January 2020, the Advocate General of the CJEU released a welcome opinion setting out that model clauses were a valid transfer mechanism but also suggesting that significant responsibility should be put on controllers and supervisory authorities to assess whether the country receiving the data provides adequate protection.

The AG refrained from drawing any conclusions on the general validity of Privacy Shield (an aspect brought into the case by Facebook), but he did express doubts especially around the scope of intelligence services powers in the US.

We hoped that the CJEU would broadly follow the AG’s approach, perhaps making some suggestions regarding SCCs and the Privacy Shield but ultimately leaving the final decisions on next steps to be made by the European Commission (the “EC”), which is in the process of updating SCCs for GPDR and is in constant dialogue with the US FTC regarding Privacy Shield.

The CJEU has, however, taken a different approach.

The CJEU decision

Rather than follow the approach taken in the AG’s opinion, the CJEU has ruled that:

Privacy Shield is no longer a valid mechanism for transfer of personal data between the EU and US and although SCCs remain a valid mechanism for cross-border transfers of personal data, they cannot be relied on by Facebook in this instance to transfer personal data to its US headquarters on the basis that Facebook is subject to US surveillance laws.

This decision will come as a real headache not just to Facebook but to any other organisation that routinely relies on transferring personal data from EU to US (via any transfer mechanism). The only headache Max Schrems will have, however, is if he celebrated too hard last night, after declaring in celebration yesterday this was a ‘100% win’.

So how did the CJEU come to this view?

The judgement is long and complex but broadly the CJEU found that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”. In other words, because the CIA or FBI or NSA have broad powers to demand that US companies hand over data, and to review data sets held in the US, this is at odds with the concept of Privacy Shield, which allows EU data subjects’ data to retain adequate protection when transferred to the US.

Further, contrary to the EC’s position, the CJEU also found that the complaint mechanism within Privacy Shield (the ombudsman mechanism) did not give any real right of redress for EU data subjects who wanted to complain about the way their data was being processed in the US.

So, the bottom line is that from 16 July 2020, Privacy Shield is no longer a lawful way to transfer personal data to the US from the EU. This is bad news for the 5,300 US companies signed up to Privacy Shield and the many hundreds of thousands of EU companies that have controllers and processors in the US using Privacy Shield.

SCCs do remain a valid mechanism for cross-border transfers of personal data. However, the CJEU suggests that in order to rely on SCCs controllers (and processors) must undertake onerous due diligence to show that the receiving country can guarantee the same protections for EU data subjects. Further, the CJEU also emphasised that supervisory authorities have the authority to audit and review SCCs and stop data transfers where it finds there is no adequate protection afforded by the receiving country.

So where do we go from here?

This raises many questions for controllers and processors. What level of due diligence do they have to do in relation to SCCs? Does it have to be to the same standard as an EC adequacy decision under Article 45 GDPR? What paperwork needs to be put in place? And, ultimately, could a supervisory authority still disagree and strike down the transfers?

This is made more difficult by the CJEU’s reasoning concerning the lack of adequacy in the US. How can a controller or processor reach a different conclusion to the CJEU? Is one reading of this judgment that SCCs for EU to US transfers are as good as dead? We sincerely hope not and urgently await guidance on this point from regulators.

And where does this leave countries with far more questionable security regimes than the US, such as China and Russia, to name but two?

What about other data transfer mechanisms?

Of course, we should not forget that other data transfer mechanisms are still available.

There are, for example, the derogations in Article 49 (e.g. explicit consent from a data subject or the transfer is necessary for the performance of a contract).

Although relying on these derogations is an option, this is by no means straightforward. For a start, these derogations are not designed for bulk and regular transfers of data but rather for “specific situations” and ad hoc transfers. Further, as one specific example, “explicit consent” is a very high bar and will rarely work in a workplace context.

As an alternative, some organisations might look to put in place binding corporate rules (“BCRs”) (either controller BCRs or processor BCRs). However, the fact that few companies have them in place shows just how costly and time consuming they are to implement. Further, the CJEU’s logic must apply to BCRs in the same way as it does to Privacy Shield and SCCs. BCRs do not prevent US (or other country’s) security agencies undertaking the activities that they do, therefore surely BCRs also have the same potential problems as Privacy Shield and SCCs.

What does this mean for the UK and its hope of an adequacy decision post-Brexit?

The EC is already in the process of reviewing the adequacy of the UK’s data protection regime (the UK has granted adequacy to the EU until 2024 for UK to EU transfer).

The concern when considering what could prevent the EC from granting an adequacy decision has always been similar to Schrems’ concern over “mass indiscriminate surveillance”, namely the width of the UK’s Investigatory Powers Act and the question of whether the UK security and police forces can access personal data too easily.

We would hope that the UK’s thorough data protection regime, its well-respected and well-resourced supervisory authority, and its role as a signatory of the Council of Europe’s Convention 108 on data protection would be taken into account. Adherence to this Convention is specifically mentioned in the recitals to the GDPR as impacting on whether a third country is judged adequate.

Also, the UK has a body of over seventy people, headed by the Investigatory Powers Commissioner, whose sole purpose is to oversee use of the Investigatory Powers Act by security agencies. So, whilst there are no guarantees, we hope it is unlikely that the UK would be refused an adequacy decision after its withdrawal from the EU.

Having said that, however, the notion of what is adequate could change as a result of the CJEU’s ruling in the latest Schrems case. The future for personal data flows out of the UK does now potentially look even more uncertain.

What should businesses do next?

Yesterday’s decision could have a seismic impact on international transfers at a time when the world economy needs to get back on track. While Privacy Shield is no more, we can only hope that the EU/US authorities work quickly to find an alternative mechanism. Bearing in mind the underlying key issue, however, it is difficult to see how mutual agreement will be found without substantial changes to US surveillance laws that give EU data subjects the power to complain effectively.

While SCCs still remain, they can only be relied on where the recipient can give assurances that they can be enforced, which for certain international transfers to certain territories will be tricky. Organisations will effectively have to self-determine each time they rely on them which will be a huge administrative hassle and probably beyond the capability of most organisations. Again, we need quick and practical guidance from regulators on how organisations should carry out these “mini-adequacy” assessments.

Of course, organisations can try to rely on the Art 49 derogations or put in place BCRs, but these are fraught with challenges.

Alternatively, businesses might adopt the ICO’s view that if the organisation to whom they are transferring data is caught by the GDPR in any event (by virtue of the GDPR extraterritorial effect as set out in Article 3), such transfer is not a restricted transfer. Although in our view this a pragmatic and welcome interpretation offered by the ICO, this view is not shared by other EU regulators and is likely to be subject to a legal challenge.

Organisations should not panic, however, it is not a reasonable expectation that they will immediately halt all international data transfers (particularly to the US) and, until clear guidance has been issued, it is very difficult to see how any regulator would start actively enforcing this decision. Although some regulators such as the DPC have welcomed the decision, and it is here to stay in some form or another, it is clear that a lot of work needs to be done for practical solutions to be delivered.

So, our immediate advice for organisations who transfer data outside the EEA (and of course specifically to the US) is as follows:

• Don’t panic

• Review existing international data transfers and data transfer mechanisms (hopefully a lot of this was done as part of your GDPR compliance) and identify areas of current non-compliance

• Wait for further guidance from EU/UK regulators and the FTC (including the arrival of the new SCCs from the EC)

• Hope the EC and FTC come together quickly and create Privacy Shield Mark 2 for US transfers

• Where you are relying on SCCs for transfers to jurisdictions outside of the EEA including the US, consider putting together papers as to why you believe those territories offer adequate protection to data subjects so in the unlikely event you do come under challenge, you have the all-important written narrative to show the regulator

• Attend our next In House Data Club which will be in the next 7-10 days where we will be discussing this decision in more detail.