Schrems 2.0: EU-US Privacy Shield invalidated by the Court of Justice

In its long-awaited decision, the Court of Justice of the European Union has invalidated the EU-US Privacy Shield.

The decision, which is a preliminary ruling to the Irish case Data Protection Commissioner Ireland v Facebook Ireland Limited & Maximillian Schrems, known as Schrems II, has come as a shock to businesses and privacy specialists alike. 

The Decision

The Court of Justice of the European Union (CJEU) was called upon to rule on the adequacy of protection provided under both the European Commission’s Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield, both of which are mechanisms used to ensure that a similar level of data protection is afforded to personal data that is transferred from the European Economic Area (EEA) to territories outside of the EEA.

The EU-US Privacy Shield, which has only been in existence for four years, is no longer deemed to provide adequate protection in line with the General Data Protection Regulation (2016/679) (GDPR) and as such, can no longer be relied on for personal data transfers from the EEA to the US.

This follows the annulment of its predecessor, the US-EU Safe Harbor principles, by the CJEU five years ago in Schrems I.

However, the CJEU has stated that the use of SCCs for the transfer of personal data to processors and controllers established in third countries that do not currently have an “adequacy decision” from the European Commission remains valid.

What is the reasoning behind invalidating the Privacy Shield?

The CJEU’s decision is based on concerns surrounding the conflict between US Surveillance Laws and EU Data Protection and Privacy Laws. The CJEU stated that: 

“the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”. 

Of course, the EU-US Privacy Shield does have mechanisms to reconcile this conflict, such as the Ombudsman mechanism; however, these have been deemed not to be of “essential equivalence” with the protections afforded under the GDPR.

This decision takes place against a backdrop of increasing fear of national surveillance laws, as seen with the Huawei and China saga. This time however, the concerns are surrounding the US.

Essentially, the wide data capture powers allowed under US legislation such as Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 conflict with Europe’s notion of fundamental rights under the EU Charter of Fundamental Rights, the European Convention on Human Rights, and consequently, the General Data Protection Regulation (2016/679).

What about the Standard Contractual Clauses?

For the moment, the European Commission’s SCCs remain valid and the CJEU has not taken issue with this mechanism. This follows the Advocate General’s opinion delivered in December 2019, in which the SCCs were deemed to be a valid mechanism. However, the Court has provided further guidance on the obligations of both data controllers and national data protection authorities when using the SCCs.

The CJEU has stated that data exporters sending personal data outside of the EEA and data importers have an obligation to analyse these transfers on a case-by-case basis.

This involves looking at the local laws of the country to which personal data is being transferred, especially national security and surveillance laws, and assessing the likelihood of the transferred personal data being accessed for national security purposes.

This is quite a difficult task and asking third party data processors and controllers to contractually guarantee that the personal data transferred shall not be divulged to national security bodies and public authorities is unreasonable, if not completely unfeasible.

Furthermore, the type of data transferred will also affect the validity of the SCCs. More sensitive personal data or personal data that is more prone to be used for surveillance purposes poses a greater risk of being caught under national surveillance laws. As such, there could be an increase in using European-based data centres, suppliers and subcontractors in order to minimise transfers to third countries such as the US. 

National data protection authorities, such as the ICO in the United Kingdom or the CNIL in France, are also required to play a more active role in controlling the protection enshrined in SCCs. If data protection authorities suspect that an adequate level of protection cannot be guaranteed, they should suspend or prohibit the transfer in question: 

“competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer”.

However, as the SCCs are merely a tool to guarantee protection of personal data, and do not contain an assessment of whether such protection will actually be afforded to the data being transferred, we will likely see some changes to this mechanism in the future.

Notably, the current form of the SCCs was actually introduced prior to the implementation of the GDPR, and as such, they still refer to old data protection legislation.

Additional mechanisms such as Binding Corporate Rules under Article 47 GDPR or derogations under Article 49 GDPR can also be relied on, depending on whether certain requirements are fulfilled.

There is a risk that in the absence of guidance from European entities such as the European Commission or the European Data Protection Board, we could see a more fragmented regime as each national data protection authority may interpret “adequate protection” in different ways. 

What should you do if you currently rely on Privacy Shield certification for personal data transfers between the EEA and the US? 

The decision has created a lot of uncertainty for businesses who transfer personal data.

Currently, if you are a US based data controller or processor who relies on Privacy Shield certification, you will have to review your personal data transfer chains from the EEA and enter into SCCs with your data exporting counterparts whilst we wait for further guidance from European regulators.

Likewise, if you are a business who exports the personal data of citizens of the EU to the US, you will have to review these transfer chains, and enter into SCCs or another approved mechanism to continue sending such data where you previously relied on the Privacy Shield. 

Relying on the SCCs in the interim is the best option – but will not always be the safest – as the reason the CJEU invalidated the Privacy Shield is its concerns surrounding the strength and primacy of surveillance laws in the United States.

As such, if a US company is relying on the SCCs, the risk posed by US surveillance laws does not disappear, and US companies cannot contractually guarantee that they will not comply with those laws – as they would then be breaking US laws.

Therefore, this remains a tricky area to navigate. For the moment, the main way for this to be resolved is for the US to put in place more stringent privacy laws, and preferably at a federal, not state, level – which could take years.

How does this affect Brexit? 

There remains uncertainty as to how EU-UK personal data transfers will be handled after the end of the UK’s transition period for its withdrawal from the EU on 31 December 2020, as discussed in a previous article.

The UK is yet to be awarded an adequacy decision by the European Commission, if such a decision is awarded at all. Indeed, the assessment for an adequacy award could face problems in light of the UK’s surveillance laws. The UK’s Investigatory Powers Act 2016 has already been subject to European scrutiny and has been amended as a result. However, this Act could now be more thoroughly reviewed when assessing whether an adequacy decision should be awarded to the UK.

Furthermore, in the absence of an adequacy award, businesses transferring personal data to and from the UK and the EEA will have to rely on the SCCs, along with the heightened level of monitoring that comes along with them. An effect of the CJEU’s decision and Brexit could be that US companies become incentivised to set up base in the UK in order to work around data protection laws. 

Conclusion

Best practice for those conducting EU-US data transfers is to follow the guidance of EU regulatory bodies, national supervisory authorities, and to document all measures taken to ensure that personal data is protected in line with the GDPR.

If you currently rely on the Privacy Shield, you should look at adopting a different measure such as entering into the SCCs.

If you currently rely on the SCCs for any international transfers – not just to the US – you should review these in line with the guidance provided by the CJEU.

If you would like to stay up to date with these developments, you can sign up to receive our newsletter by following the instructions at the bottom of our home page here. If you have any questions about your compliance and would like some legal advice, please do not hesitate to contact our data privacy team at Gerrish Legal.  

Article by Komal Shemar @ Gerrish Legal, June 2020 / Cover photo by Toms Rīts on Unsplash
