Privacy Shield down after Schrems 2 ruling

Posted: July 22, 2020

On 16 July 2020 the Court of Justice of the European Union delivered its judgment in the case of Data Protection Commissioner v Facebook Ireland & Schrems (informally known as the “Schrems 2 case”).[1]  This CJEU judgment saw the demise of the US-EU “Privacy Shield”, which had provided a mechanism to comply with data protection requirements when transferring personal data from the EEA to the USA. Yet the EU standard contractual clauses (SCCs) for transfers of personal data from controllers based in the EU to controllers or processors based outside the EU still remain valid.

Ruling in a nutshell

In what Max Schrems describes as a “win for privacy”, the CJEU held that Privacy Shield did not offer sufficient protection to EU citizens and was therefore, with immediate effect, an invalid lawful basis for the transfer of personal data from the EEA to the USA.

The CJEU further stated that the SCCs would remain valid, but re-emphasised that organisations must carry out comprehensive pre-contractual due diligence and ongoing monitoring of each data importer’s compliance with the legal regime in the destination country. This will probably be a complicated legal exercise, considering how differently countries address data protection and the relative secrecy surrounding surveillance and monitoring legislation. Carrying out an assessment such as this for transfers of personal data to the USA now appears problematic, given that the CJEU has invalidated the Privacy Shield on the grounds that US law is incompatible with fundamental EU rights.

Practical recommendations

In the first instance, it will be important for organisations to carry out an internal audit to ascertain what personal data are being transferred outside the EEA, to which territories, and on what basis. In particular, it will be key to flag up higher-risk data transfers that: (a) relied on the Privacy Shield; or (b) rely on the SCCs (especially to US importers). Organisations that relied on the Privacy Shield should look to switch immediately to an alternative method of transfer – such as the SCCs, which may be the most practical option.

Following this exercise, and concentrating firstly on the higher-risk transfers, organisations should look to carry out enhanced due diligence to ascertain whether: (a) the country to which the data are being transferred provides effective judicial remedies for data subjects; and (b) the importer is complying with those regulations.

We expect that, in the near future, there will be further developments in this area, including guidance from the EU Commission and bodies such as the ICO. Organisations should follow these developments closely.

A bit more detail – Privacy Shield invalidated

The Privacy Shield, which replaced the “Safe Harbour” following the 2015 “Schrems 1 case”, was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EEA to the US in support of trans-Atlantic trade and commerce. In June 2020 it was estimated by University College London’s European Institute that some 5,300 organisations relied on this mechanism.[2]

The Privacy Shield became operational on 1 August 2016, after the European Commission issued its formal decision that the Privacy Shield provided adequate protection to allow personal data to be transferred to the United States (which is known as an “adequacy decision”).

The GDPR states that, when the Commission makes an adequacy decision, it must consider the:

“rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.”

In Schrems 2, the CJEU noted that any limitation on the exercise of rights and freedoms must be provided for by law [174], and that those laws should include the limitations on the rights to access the data [175], along with clear and precise rules governing the scope and application of the measures [176]. The CJEU considered the various US practices set out in section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333 and the Presidential Policy Directive 28 regarding the ability to access personal data. The CJEU concluded that those provisions have primacy over the fundamental rights of persons whose data are transferred to the US, as they do not set out the limitations of those rights.

In other words, the CJEU held that the USA could not ensure a level of protection essentially equivalent to that guaranteed, or offer the same protection as that which is granted, under EU law [190].

A bit more detail – SCCs remain valid

In recent years, organisations within the EEA may have simply viewed the SCCs as a “paper exercise” to rubber-stamp transfers to third countries without necessarily having to change what they are doing. As has been made clear unequivocally by the CJEU, however, this will no longer be possible. The CJEU has re-emphasised that, if an organisation wishes to transfer personal data to a third country (where an adequacy decision is not in place), then the GDPR places the responsibility and onus for ensuring appropriate safeguards on that organisation (i.e. the data exporter). The data exporter is required to warrant, in accordance with the SCCs, that the processing is lawful – this means that the organisation must satisfy itself that the laws and practices of the country are adequate to protect the rights and freedoms of data subjects as set out under the GDPR. This due diligence exercise must, therefore, be done before any transfers take place, and it will need to be carried out thoroughly and documented in sufficient detail so as to evidence compliance with this obligation.

Nothing is new in this regard; however, the CJEU’s re-emphasising of the existing obligations can be seen as a warning that the European Supervisory Authorities will probably be looking into this area in considerably more detail in the future.

Conclusion

There is still much uncertainty in this area at the moment, and we expect that official guidance and further information will be made available in due course. In the short term, we anticipate that there will in practice be some sort of grace period for organisations to get their house in order – as was the case after Schrems 1.

If you would like to discuss this with us further or require any assistance to help your organisation adapt, please don’t hesitate to contact us.

Eleanor Steyn, Partner and Henry Elkington, Associate, Simkins LLP

[1] Hyperlink to full case at http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=9714625

[2] https://www.ucl.ac.uk/european-institute/news/2020/jun/eu-us-privacy-shield-brexit-and-future-transatlantic-data-flows