Schrems II Judgement: EU:US Privacy Shield Framework for personal data transfers is invalidated; Standard Contractual Clauses need re-assessment…
- Global
- Privacy, data protection and cybersecurity
17-07-2020
Summary
If your organisation transfers personal data outside of the EU, or the service providers you trust with your personal data do, this is a significant decision which will require prompt action. On 16th July 2020, the Court of Justice of the European Union (CJEU) issued its much anticipated judgement[1] in what has become known as the Schrems II case. Most organisations which transfer personal data outside of the EU rely on data transfer agreements (which adopt the “Standard Contractual Clauses” or “Model Clauses”) or, for transfers to the US, on the EU:US Privacy Shield Framework to meet the requirement that adequate protection of the data to the EU standard be put in place. In Schrems II the CJEU was asked to review the validity of the Privacy Shield and the Standard Contractual Clauses as approved mechanisms for protecting transfers of personal data from the EU under the General Data Protection Regulation.
In short, the CJEU has invalidated the EU:US Privacy Shield Framework as a transfer mechanism for exports of personal data to the US.
However, the greater sting from this decision may be its impact on the use of Standard Contractual Clauses. These remain valid, in principle, as a mechanism and can still be used to transfer personal data outside the EU/UK, but the CJEU judgement adds a significant due diligence burden on organisations that want to continue to rely on them, and confirms that individual data protection authorities can effectively revoke reliance on the mechanism and prohibit or restrict transfers if they believe the Standard Contractual Clauses will not be complied with and the personal data will not be adequately protected.
That revocation power, combined with commentary in the judgement on US surveillance laws and the protections afforded not meeting EU standards, means that the ability to use Standard Contractual Clauses as a mechanism for transferring personal data to the US will need careful consideration. The Irish Data Protection Commissioner, commenting in response to the judgement, said: “…the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
This is a radical change to the adoption of Standard Contractual Clauses in practice, and it affects existing as well as new transfers which rely on them, not just for transfers to the US but for all other “third countries” which do not have an adequacy decision from the EU Commission. If you want to continue to apply Standard Contractual Clauses as the solution for existing and new data transfers, an assessment of adequate protection for each particular datastream to each particular country will have to be triggered and recorded.
More detail
The EU General Data Protection Regulation restricts transfers of personal data outside of the EU to countries which are not deemed to have adequate protection, unless an exception applies or an alternative approved mechanism is adopted. Standard Contractual Clauses and (for transfers to the US) Privacy Shield are the most common mechanisms used to overcome the restriction and protect the personal data transferred. A decision that affects both – well, that is certainly a cause for a sharp intake of breath around the globe.
At one level we have been here before. Privacy Shield’s predecessor, Safe Harbor, was removed as a valid transfer mechanism in 2015 following the Snowden revelations of mass government surveillance and the successful legal action of Max Schrems. Many will recall that Privacy Shield was introduced to replace Safe Harbor after representations from the US government that the privacy rights of European data subjects would be upheld and enforceable in the US, and kept under review by an oversight body for national security interference. Privacy Shield has now been removed because of what the CJEU views as continuing excessive US state surveillance powers which impact disproportionately on the rights of data subjects, and because the US Ombudsman does not have sufficient binding authority over the US intelligence services.
The CJEU confirmed that Standard Contractual Clauses remain in principle a valid transfer mechanism for data exports to countries outside Europe, including the US. This good news comes with some serious qualification, however. The CJEU considers that, to comply with the requirements of the GDPR, there needs to be an assessment of whether the Standard Contractual Clauses will in practice, when considered alongside the laws and practice of the jurisdiction concerned, actually deliver protection to the required EU standard. The CJEU was also clear that the supervisory authority in each member state is required to suspend or prohibit data transfers to territories where the authority considers that the Standard Contractual Clauses are not or cannot be complied with there. The commentary in the judgement which ultimately led to the decision against Privacy Shield could therefore have wider repercussions, in particular the comments that data transfers made by undersea cables are susceptible to access by US surveillance services, and that the law and practice in this regard (and the lack of redress) do not meet the EU standards of protection required.
What does this mean
This decision has multiple layers and, as a result, several direct and indirect impacts. It will, however, clearly have a direct impact on existing and new transfers of personal data from the EU and UK to the US and other third countries.
Transfers of personal data from within Europe to the US based on Privacy Shield are now technically unlawful under GDPR. Many of the 5,300 Privacy Shield certified organisations are global businesses, providing outsourced services which involve personal data processing to organisations around the world. The decision therefore affects Privacy Shield certified organisations in the US, together with organisations around the world transferring customer and/or HR data to those organisations for processing.
Transfers outside the EU and UK based on Standard Contractual Clauses can in principle continue, unless a local supervisory authority rules otherwise. However, there is now a significant due diligence and risk assessment which will need to be undertaken. Whilst a close eye will need to be kept on decisions from the Irish data protection commissioner, as well as other data protection authorities, the burden is on the organisations relying on this mechanism to do their own assessment and to be able to evidence it for each datastream to each third country. The application of surveillance laws, the technical and legal solutions available to protect the data, and other factors may differ from one data stream to another and from one third country to another, and hence the outcome of the assessment of adequacy of protection may differ accordingly.
Although the CJEU decision did not mention Binding Corporate Rules specifically, it is made in respect of appropriate safeguards under Article 46 GDPR, so it seems likely that transfers under Binding Corporate Rules will also have to be considered in a similar way to assess adequacy of protection in practice in “third countries”.
The decision today from the CJEU will cause a sharp intake of breath around the globe. That Privacy Shield has been struck down, as was its predecessor Safe Harbor, is significant, but may feel like déjà vu for many. Standard Contractual Clauses, however, are the most commonly used mechanism for overcoming the restriction on transfers of personal data outside of the EU, in part because they were seen as the “sign and go” option. This decision has fundamentally changed that – requiring those seeking to rely on them to undertake due diligence on the surveillance and other governmental access that might arise, the data protection rules in that country and the legal rights of individuals from the EU to redress, amongst other factors. In effect, this means conducting a privacy risk assessment of the overall package of adequate protection for each data stream. Signing a set of template clauses isn’t enough to be compliant with GDPR, but with an appropriate assessment, Standard Contractual Clauses can remain a valid mechanism for compliance with GDPR when transferring personal data.
This will impact all sectors, and the providers of services to them from the technology sector in particular. It will also affect transfers within groups of companies, and it comes just at a time when there is a major push in the wake of the pandemic to digitise.
What should businesses do now
- Review and evaluate the data transfers which take place throughout your supply chains and intragroup, so as to understand the country to which the data is transferred and the mechanism relied upon. This includes any transfers made by processors to sub-processors. You may have already identified these flows as part of your existing GDPR compliance programme. The data record is a useful tool for this exercise.
- Note in particular any transfers based on Privacy Shield. Transfers to the US based on Standard Contractual Clauses will need to be identified, as will those under Binding Corporate Rules. The CJEU commentary mentioned above will require these to be closely risk assessed as a priority.
- This case set a clear focus on transfers to the US, but the issues raised and the outcome of the decision mean that an approach to the due diligence adequacy assessments will need to be thought out for all datastreams going to “third” countries. This assessment will need to look at factors such as access by public authorities to the data, limits on that access, oversight and judicial remedies, the data importer’s behaviour and its own data protection laws, as well as whether technical (e.g. encryption) and other protections might be applied to the data to enhance protection. This assessment will then need to be applied datastream by datastream.
- Consider alternatives to transferring to a third country – we saw quite a bit of this emerging in the wake of the fall of safe harbour and some of the larger scale service providers are already making solutions available in a more localised manner. Careful consideration will be needed however in respect of surveillance law territorial reach and access to the data.
- The existing EU standard contractual clauses were due to be refreshed so as to better align with the GDPR. The new clauses were held back pending the outcome of this CJEU case so they could be adjusted. These new clauses won’t negate the need for the underlying assessment to be conducted, but a watching brief on the emergence of those new clauses will be required, as will a degree of planning around the adoption and rollout.
- Updating of data protection impact assessments, records of processing, other risk registers, and operational resilience reviews may also be required.
- Some consideration of derogations from the restriction on transfer may prove relevant in particular instances but it is likely to be limited in application. Consent is one of those derogations but it can be withdrawn and of course is itself subject to limits on its effective application, such as the requirement to be freely given, specific and informed.
It remains to be seen whether the European Commission and/or supervisory authorities will allow organisations a grace period to bring themselves into compliance in relation to transfers following the judgement. A limited six month grace period from proactive enforcement scrutiny was allowed after the fall of Safe Harbor in 2015, though we and others will recall that it passed in a flash, and fewer transfers were affected in that scenario.
Supervisory authorities, EU Commission and Governments will clearly be digesting this decision. With so many looking to the digital economy to drive growth out of recession and recovery there will be a very sharp focus on this. In the current geo-political and economic climate, this may sadly become something of a gift to those who might wish to disrupt flows of data to other countries. Many are also looking somewhat dismayed when considering the ongoing debate in relation to transfers of data to the UK in the “Brexit” negotiations with the EU, and the broader chilling effect this may have on determinations of adequacy by the EU Commission.
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.