16/07/2020 - The European Court of Justice (CJEU) today published its long-awaited judgement in Case C-311/18, better known as the Schrems II case. In a nutshell, the CJEU invalidated the much debated EU-US Privacy Shield and spoke out about the validity of Standard Contractual Clauses (SCCs). I wrote about the initial hearing and the AG Opinion leading up to this judgement. The judgement published today, however, marks a clear departure from the status quo. Although the direct consequences and concrete effects will no doubt develop over the coming weeks, there are a number of important take-aways which I will set out below.
The Schrems II case essentially dives into the validity of two mechanisms used routinely to safeguard transfers of personal data from the European Economic Area (EEA) to third countries. Such safeguards are required under the General Data Protection Regulation (GDPR) which entered into force over two years ago, but in fact were already required under its predecessor EU Directive 95/46/EC. The case discussed whether such transfers of personal data from the EEA to the United States (US) were in fact adequately safeguarded, even though SCCs were in put in place.
The preliminary questions before the CJEU were directed mostly to the validity of SCCs, but in fact extended well beyond this topic. Practically inseparable from the topic of SCCs in Schrems II, was the question on the validity of transfers of personal data to the US based on the EU-US Privacy Shield. The CJEU today also ruled on this question, thereby ruling on the validity of two main legal mechanisms used to validate transfers of personal data to the US.
The CJEU states that the preliminary questions referred to the CJEU ask, at a general level, what protection must be ensured, under Articles 7, 8 and 47 of the EU Charter of Fundamental Rights, in the context of transfers to the US. In that regard, the CJEU held that its analysis in Schrems II must also take into consideration the consequences arising from the adoption of the Privacy Shield Decision.
In sum, the CJEU invalidated the entire Privacy Shield Decision. Organizations can no longer rely on this mechanism for transfers between the EU and the US. The main concern of the CJEU - similar to the Opinion of the AG and earlier judgments of the CJEU – are US surveillance laws. These laws do not take adequate account of EU fundamental rights, which results in a severe lack of protection of personal data originating from the EU.
The CJEU held specifically that ‘although recital 120 of the Privacy Shield Decision refers to ‘a commitment from the US Government that the relevant component of the US intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely’.
It is important to point out that the CJEU hereby also goes against the European Commission’s assessment, which essentially acknowledged transfers under the EU-US Privacy Shield to be protected in line with EU data protection standards. This is the second time that the European Commission has to give way to the CJEU’s opinion on this topic, as was previously the case with the invalidation of the Safe Harbour Agreement.
With regard to the SCC Decision, the question before the CJEU is whether SCCs are capable of ensuring an adequate level of protection of the personal data transferred to third countries given that the standard data protection clauses provided for in that decision, strictly speaking, do not bind the supervisory authorities of those third countries.
That is exactly where the US surveillance laws come back into the picture. US authorities are not a party to the SCCs concluded between the organizations who intend to transfer personal data from the EU to the US.
As a result, in a number of situations it could be that the content of SCCs might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. The CJEU points out that that is especially the case where the law of that third country (such as the US) allows its public authorities to interfere with the rights of the data subjects to which that data relates.
In that regard, it is important to point out that today’s CJEU judgement on the topic of SCCs is to be read broader than EU to US transfers, as it essentially applies to all EU transfers to third countries. In light of the Schrems II case, however, the focus is on transfers between the EU and the US.
Nonetheless, the CJEU confirms the earlier opinion of the AG by reiterating the difference between an adequacy decision (such as the EU-US Privacy Shield) and SCCs. Even through both are deemed adequate safeguards for third country data transfers under the GDPR, they vary significantly due to the fact that the purpose of an adequacy decision is to find that a third country ensures a level of protection that is largely equivalent to that of the EU, whereas SCCs must ensure such a level of protection by contractual means. This difference is key for understanding why the CJEU subsequently held that SCCs are not invalid in itself. What is important, however, is how these SCCs are implemented in practice and to what extent supervisory authorities play their part.
In short, yes. The main issue is whether the clauses included in the SCCs are properly abided by – both by the parties to the SCCs and authorities who may interfere on the basis of wide powers bestowed upon them through national legislation.
The CJEU reiterates that it is the responsibility of supervisory authorities to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, cannot be ensured by other means. The CJEU stresses throughout its judgement that supervisory authorities must proactively monitor transfers to third countries and recognize their responsibility towards ensuring the right to privacy and data protection.
But, interestingly, the CJEU also points out that, as a first step, EU organizations and third country recipients of personal data have an obligation to review the law in the respective third country. SCCs can only be used if no conflicting national laws are evident. This puts a wide obligation on organizations to take part in the ‘chain of responsibility’, the consequences of which are currently not yet clear.
It follows from the above that a departure from the status quo, where supervisory authorities do not always actively take a stand with regard to dubious data transfers and where organizations could rely on EU-US Privacy Shield certifications, is evident. The exact extent to which today’s judgement will have an impact on business throughout the EU and beyond, is difficult to grasp.
What is certain is that organizations will need to explore options alternative to the EU-US Privacy Shield. The use of SCCs is now subject to stricter rules as well. Especially transfer to the US are likely to involve serious risks if based on SCCs, due to the validity of those SCCs in light of the CJEU’s findings today.
Other options do exist, such as derogations under Article 49 GDPR. For example, through the use of explicit consent to the transfer. But these derogations do not always offer the same degree of certainty for businesses and include many conditions. Nonetheless, today’s CJEU judgement seems to be a step in the right direction in terms of the protection of personal data. For businesses, it will require even more careful consideration to avoid illegal data transfers to third countries.