The Court of Justice of the European Union in Schrems II has upheld the validity of standard contractual clauses (SCCs) as a means of transferring personal data between the EU and third countries (i.e. non-EU countries) without additional safeguards, but has declared Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (commonly referred to as the "Privacy Shield") to be invalid.
This landmark decision is of universal interest. While the decision will come as a relief to organisations in third countries that rely on SCCs as a means of transferring data from the EU, the judgment stresses that SCCs will only be valid if the rights of data subjects can be upheld in the third country, requiring a thorough undertaking from data protection authorities in third countries to ensure this is the case. For US companies that rely on the now invalid Privacy Shield framework to transfer personal data belonging to EU data subjects, the decision will come as a blow. It is not yet clear what options will be available to these US companies, or whether the European Commission will afford a transition period while alternative data transfer arrangements are worked out.
SCCs and Privacy Shield
SCCs (or "model clauses") are a set of clauses, approved by the European Commission by Decision 2010/87/EU, which may be agreed between parties to govern the cross-border transfer of personal data outside of the EEA, in circumstances where the third country does not benefit from an adequacy decision or meet other conditions under which such a data transfer may take place under the GDPR, and where no exception applies to the transfer. SCCs are used by many large international companies to govern the transfer of personal data, as they provide a relatively cost-effective and streamlined mechanism by which to govern data transfers.
Shortly after 'Safe Harbour' was declared invalid, the European Commission adopted the 'Privacy Shield' decision (2016/1250), which provided an approved alternative data protection framework in the US; US businesses that comply with Privacy Shield may transfer personal data between the US and the EEA without additional safeguards.
Schrems II – Commission Decision 2010/87 relating to standard contractual clauses is valid
The Court held that the GDPR applies to data transfers between the EU and third countries, including the processing of data in that third country by public authorities for purposes of public security and defence, where applicable. In respect of such processing (including by public authorities), the Court held that EU data subjects must be afforded a level of protection "essentially equivalent to that guaranteed within the EU by the GDPR". This meant that relevant supervisory authorities must "suspend or prohibit" the transfer of personal data to a third country where the SCCs cannot be complied with in that country, or where EU law cannot be complied with by other means.
Finally, the Court held that the validity of SCCs was not called into question by the fact that SCCs, being contractual in nature, do not bind the authorities of the third country to which they apply. Both the data exporter and the recipient have an obligation to assess and verify, prior to the transfer, that the obligations and rights enshrined in the SCCs will be met, meaning that mechanisms exist by which the transfer of data can be prohibited or suspended in the event of a breach of the SCCs, or where it is not possible to comply with them.
Schrems II – Commission Decision 2016/1250 relating to the Privacy Shield framework is invalid
The Court also declared the Privacy Shield framework invalid. The Court noted that the Privacy Shield decision held that the requirements of US security, public interest and law enforcement had primacy, "thus condoning the interference with the fundamental rights of persons whose data are transferred to that third country". In the view of the Court, the protection of personal data under US laws and the access and use of personal data by public authorities (which take primacy) were not "essentially equivalent" to the protections required under EU law, as the use of personal data for surveillance in the US is not proportional, in so far as it is not "limited to what is strictly necessary". The Court also noted that, although US surveillance programmes set out requirements that US authorities must comply with, there is no means by which data subjects may invoke their rights against US authorities, meaning there is no avenue of redress in the US in the event of a breach.
The decision of the Court to rule on Privacy Shield is significant, and was not necessarily expected. The opinion of the Advocate General to the Court of Justice of the European Union on Schrems II had suggested that a consideration of the validity of the Privacy Shield framework was not necessary. Against this backdrop, however, the AG questioned the validity of the Privacy Shield framework as an adequate means of transferring data between the EU and the US, in light of access to data by US intelligence authorities.
It is not immediately clear what options are available to companies in the US, like Facebook, which are subject to US surveillance powers that have now been declared incompatible with EU data protection laws. The EU may have to concede a transition period for companies relying on Privacy Shield as a means of transferring data while this is resolved. At present, 5378 organisations are listed as signatories to the Privacy Shield framework.
It is not just US companies, however, that will be impacted by today's decision. Public authorities in other third countries with robust surveillance powers will need to assess whether those powers mean that compliance with SCCs is not possible. The UK, in particular, will be seeking an adequacy decision from the European Commission following its exit from the EU and will need to carefully review its surveillance powers to ensure these are compatible with EU data protection laws. Many companies that currently outsource their processing to US-based companies or providers may now look to processors in the EU, in order to avoid transferring personal data to the US where possible.
Against this backdrop, today's declaration upholding the validity of SCCs will come as a huge relief to third countries relying on SCCs as a means of exchanging data with the EU without additional safeguards. That said, today's judgment stresses the obligation on data protection authorities to assess their country's laws and principles to ensure that they are compatible with EU data protection laws, which is a huge undertaking, and one which may not yield welcome conclusions.