We previously blogged on the publication of the opinion of the Advocate General to the European Court of Justice (CJEU) on the lawfulness of transfers of personal data by Facebook from the EU to the US. The AG's opinion preceded today's landmark judgment from the CJEU which has ruled that:

  • controller-to-processor EU Commission-approved Standard Contractual Clauses (SCCs) for the international transfer of personal data to an organisation in a country outside the EEA are valid, but
  • the alternative mechanism for legitimising such transfers to the US, the EU-US Privacy Shield, is not.

Schrems

The case was brought by privacy campaigner Max Schrems. Followers of our blogs will remember that Mr Schrems had previously brought a case before the CJEU which caused the downfall of the US Safe Harbor, the precursor to the Privacy Shield. That decision – often called Schrems I – challenged Safe Harbor on the basis that the Safe Harbor arrangements did not adequately protect personal data from surveillance by US law enforcement authorities. The validity of SCCs was not an issue in Schrems I, so their validity was not affected by that decision.

Following Schrems I, the EU and US authorities devised a new scheme – the Privacy Shield – that sought to strengthen the protection given to personal data transferred to participating organisations, thereby addressing the concerns that ultimately led to the downfall of Safe Harbor. Organisations seeking to transfer data to the US generally relied either upon the Privacy Shield (if the receiving organisation participated in the Privacy Shield arrangements) or on the SCCs to legitimise the export of the data.

Schrems II

Today's decision in "Schrems II" dealt with Mr Schrems' challenge to his personal data being transferred to the US under the SCCs. Schrems argued that the SCCs did not provide him with any ability to exercise his rights to respect for private and family life, to personal data protection and to effective judicial protection, all guaranteed under the European Charter of Fundamental Rights.

In its judgment, the CJEU has ruled that SCCs can facilitate a level of protection equivalent to that under GDPR and so the SCCs are, in principle, valid – provided that the data subjects also have enforceable rights and effective legal remedies in relation to their personal data.

Contractual guarantees alone are insufficient – so the SCCs will only be valid where the wider legal landscape of the country to which the data is to be exported does not override the protections contained in the SCCs and the rights and remedies that are guaranteed by the Charter of Fundamental Rights.

The CJEU makes clear that the onus of being satisfied that the legal system in the country in question meets those requirements lies with the EU-based controller. To reinforce this protection, data importers must inform controllers if the legal landscape is such that they cannot (or can no longer) meet their contractual obligations under the SCCs, in which case the exporter will be expected to suspend and/or terminate the arrangements for the export of data.

EU-US Privacy Shield

The judgment also considered whether the Privacy Shield is a competent method by which to transfer data, specifically to US-based recipients. The CJEU analysed, again, whether this mechanism was valid in the context of the Charter and GDPR. Very interestingly, the Court declared that the Privacy Shield did not afford data subjects their guaranteed rights and protections under GDPR and the Charter. In coming to this conclusion the CJEU noted that US law permits personal data processed by US organisations to be accessed by US law enforcement authorities regardless of the Privacy Shield, and the CJEU was not prepared to accept that appropriate safeguards were in place to ensure that these powers would be used proportionately, or that data subjects would have adequate or actionable redress and judicial protection against the US authorities if they were not.

So, what now?

SCCs are still recognised as valid, but it is clear that organisations will need to review their use of them. They must be satisfied that they have carried out appropriate due diligence on both the receiving organisations and the laws of the countries to which the data is being transferred, so that the wider requirements of this judgment are met. Ongoing due diligence will also be required – not just at the outset.

One specific outstanding issue is where the CJEU judgment leaves the use of SCCs in the context of the US, given the CJEU's views on the lack of safeguards offered by US law in the context of the Privacy Shield.

The CJEU judgment is detailed. This initial blog post deals with the headlines only. We will provide further comment in due course, not least on how this judgment may affect data transfers between the EU and UK after 31 December 2020, in the context of the ongoing discussions regarding the future relationship between them. The ICO is also considering the judgment itself and has indicated it will produce guidance shortly. We will comment on that guidance when it becomes available.

How can we help?

If your organisation transfers personal data to an organisation based in the US and you are currently relying on the Privacy Shield, we can help you explore the other options available to you to ensure you continue to meet your GDPR obligations. Likewise, if you currently rely upon SCCs to transfer data and are concerned about whether you are meeting the standards required to sustain the valid use of the SCCs then please do not hesitate to contact us for advice.