Data Transfers: Are the Standard Contractual Clauses Still Valid?
We all know now that personal data in the European Union is afforded an extremely high standard of protection, and EU leaders are fighting for data transferred outside of the EU to be given this same standard of protection.
A number of mechanisms are in place to protect our personal data and these methods are constantly under scrutiny from the international forum. In this article, we look at the recent challenge of the validity of Standard Contractual Clauses (and by extension the US Privacy Shield), and what the expected decision means for companies who currently use these methods for international data transfers.
International Data Transfers – The Story So Far…
The General Data Protection Regulation (GDPR) allows for data to be transferred to countries outside the EU, or “third countries”, if there has been an EU adequacy decision confirming that the country gives personal data the required standard of protection. If a country doesn’t have an adequacy decision, however, a data controller can transfer data using other safeguards.
A quick recap: the Safe Harbor Decision (Schrems I)
American businesses used to rely on the so-called Safe Harbor framework. The Safe Harbor privacy principles were developed between 1998 and 2000 and were designed to protect personal data. However, in 2013 Max Schrems, an Austrian privacy activist who had concerns about the way Facebook was sharing EU citizens’ data, made a complaint that the Safe Harbor principles did not adequately protect personal data. After a long court case the EU court agreed with Mr Schrems, and in 2015 declared that the Safe Harbor principles should no longer be relied upon; instead, other options should be used.
One of these options, and now the most widely used option for international data transfers, is standard contractual clauses (SCCs). The SCCs are a model set of clauses to be used between controllers and processors which aim to ensure that data is protected in the same way it would be if the transfer took place within the EU. The SCCs can be used worldwide, not just in America, and so the decision had international effect in signalling to businesses that this was the most reliable way to protect personal data and justify international data transfers.
There are currently three sets of approved clauses for international businesses, two sets for EU controllers to third country controllers available here and here, and one set for EU controllers to third country processors available here.
Additionally, for US businesses, a new option was accepted by the EU Commission to replace the Safe Harbor framework: the somewhat controversial Privacy Shield scheme.
The Privacy Shield Scheme is a self-certifying mechanism that companies in America can use to demonstrate compliance with personal data protection principles. The scheme is overseen by the US Department of Commerce and has around 4,800 active certified organisations.
So, the 2015 Safe Harbor decision set out that the SCCs for international businesses and the Privacy Shield for American businesses are both valid and acceptable ways to protect personal data when it is transferred in to or out of the EU.
However, that decision recently came under scrutiny, with a challenge made by the same Mr Schrems as last time!
The case: Schrems II
The case is complex and branches from the earlier complaint made by Max Schrems which resulted in the decision upholding the validity of SCCs. After the Court’s Schrems I decision that the SCCs are valid, thousands of businesses including Facebook switched to SCCs as a way to legitimise their international transfers of European personal data.
Mr Schrems then argued that the SCCs used between Facebook Ireland and Facebook Inc when transferring personal data were not consistent with the SCCs that had been set out as acceptable, but that in any case, even if they had been consistent, the SCCs did not afford his personal data adequate protection. This prompted the Irish High Court to refer 11 questions to the Court of Justice of the European Union (CJEU), among them questions about the validity of SCCs, the issue of EU-US data transfers more generally, and by extension the validity of the Privacy Shield.
Can SCCs offer protection in countries with less stringent data protection laws?
Mr Schrems alleged that US law allows for the bulk collection of non-US citizens’ information, without justification and without a way for individual citizens to object. Even with the SCCs in place attempting to protect personal data, American law was allowing this to take place, thus defeating the aim of the SCCs. The CJEU had to review the alleged power of the US to carry out mass surveillance of EU citizens’ personal data, without meaningful redress for those citizens.
There was some expectation amongst privacy experts that the CJEU would invalidate the SCCs, given they had not been updated since 2015.
The Decision
Well, for businesses relying on SCCs it was good news! In the AG opinion in Schrems II, it was stated that the SCCs are valid. This opinion is not binding on the CJEU, but it is usually a reliable indication of how the court will decide.
The AG considered that while the decision in 2015 that SCCs offer adequate protection is not binding on all authorities in third countries, this does not in itself render that decision invalid. Where the SCCs are in place, and something happens which breaches or has the potential to breach the clauses, it is up to controllers firstly, and supervisory authorities secondly, to suspend or prohibit that transfer.
This includes in situations where the domestic law of the third country involved in the transfer means that the SCCs cannot be followed.
The GDPR’s aim is to ensure the continuity of a high level of protection, whether data is transferred on the basis of the SCCs or by other guarantees provided by the exporter. EU law will apply to transfers of personal data to a third country where those transfers have anything to do with commercial activity. This includes cases where data will subsequently be processed by public authorities for the purposes of national security. It is up to those who are transferring data to ultimately ensure that the right safeguards are followed.
What does this mean for you?
Firstly, this decision shows that, while the SCCs are valid, companies transferring data outside the EU cannot just sign the agreement containing the SCCs and forget about it. The EU has warned that these companies must be sure that the importing organisation can comply with it. This is first and foremost the responsibility of your business, and if you do not fulfil this responsibility, the relevant supervisory authority will step in.
Secondly, if you are a business using the Privacy Shield, be aware that the AG does appear to have questioned the standard of data protection provided by the Privacy Shield. For now there has been no change, since the current case did not require the CJEU to rule on the lawfulness of the Privacy Shield; however, the AG did express sympathy for Mr Schrems’ arguments.
Thirdly, despite the decision (surprising to some, since the SCCs have not been updated for four years) that they are valid, this does not mean they will stay the same forever! In a review published in December 2019, the Presidency of the Council of the European Union stated that it felt it was necessary to address the application of tools for international transfers other than adequacy decisions, and that the SCCs have not been updated since they were originally adopted. It has suggested that they should be reviewed and revised to take into account the needs of controllers and processors.
For now, SCCs have been considered by the AG to be a valid way to protect an international data transfer, and it is likely that the CJEU will follow this lead.
If you have any questions about the mechanisms you use to safeguard international data transfers, or any other data-related queries, please don’t hesitate to get in touch!
Article by Lily Morrison @ Gerrish Legal, December 2019