Following a decision from the Court of Justice of the European Union (the “CJEU”) today, it has now been confirmed that Commission Decision 2016/1250, also known as the EU-U.S. Privacy Shield Framework, is invalid as a mechanism for transferring personal data from the E.U. to the U.S. Conversely, the Court of Justice considers Commission Decision (2010/87/EU) on standard contractual clauses (“SCCs”) for the transfer of personal data to processors established in third countries to be valid.
In December 2019, the opinion of Advocate General Saugmandsgaard Øe in relation to the preliminary ruling was published: in short, his opinion was that the CJEU should declare the SCCs valid whilst heavily criticising Privacy Shield (further information on the opinion can be accessed here). The CJEU has therefore, in the main, followed the Advocate General’s opinion.
Background to decision
The dispute has its origins in the proceedings initiated by Maximillian Schrems, an Austrian privacy activist. Schrems first lodged a complaint with the Irish data protection authority in relation to Facebook Ireland transferring personal data of E.U. users to Facebook Inc. in the U.S. Specifically, Schrems alleged that the transfer mechanisms used do not ensure an adequate level of protection for E.U. data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as E.U. data protection law. A key concern was that E.U. personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with privacy rights guaranteed in the E.U. under the Charter of Fundamental Rights.
Following the original complaint, the Irish data protection authority brought proceedings against Facebook in the Irish High Court. A preliminary ruling was referred to the Court of Justice whereby it was asked 11 questions on whether the use of the SCCs and Privacy Shield offer sufficient safeguards as regards the protection of citizens’ freedoms and fundamental rights. A preliminary ruling is a decision of the CJEU on the interpretation of E.U. law given in response to a request from a court or tribunal of an E.U. Member State, in this instance, the High Court of Ireland. A judgement on a preliminary ruling is a final determination of E.U. law, with no scope for appeal, and is binding in all courts and tribunals across the E.U.
Privacy Shield is a mechanism used by many organisations to comply with data protection requirements when transferring personal data from the E.U. to the U.S., known as the EU-U.S. Privacy Shield Framework. With respect to the U.K. and before the decision of the CJEU, it was confirmed that after 31 December 2020 (i.e., the end of the Brexit transition period), Privacy Shield would still apply to transfers from the U.K., subject to additional steps being undertaken by the relevant organisations. We await confirmation from the U.K.’s data protection regulator as to whether Privacy Shield will also be invalidated as a mechanism for transferring personal data from the U.K. to the U.S.
There is also a separate Swiss-U.S. Privacy Shield Framework which relates to transferring personal data from Switzerland to the U.S. but note that this framework has not been declared invalid by the CJEU.
The GDPR states that transfers of personal data to countries outside the E.U. (which for these purposes includes three non-Member States, Iceland, Liechtenstein and Norway) are unlawful unless the transfer is to an organisation in a country which has received an adequacy decision from the European Commission, such as the adequacy decision for the U.S. in the form of Privacy Shield, or is subject to a specific transfer mechanism that is permitted by the GDPR, such as the SCCs. Privacy Shield enabled U.S. based organisations to self-certify and register with the Department of Commerce thereby publically committing to comply with the framework’s requirements. Participating organisations are further required re-certify on an annual basis.
Many U.S. based organisations are Privacy Shield certified (full list can be seen here) and such organisations rely heavily on Privacy Shield to lawfully receive personal data from organisations in the E.U., including global tech giants. This decision to declare Privacy Shield invalid will therefore come as a significant blow.
The key reasons cited by the CJEU for declaring Privacy Shield invalid are the following:
- the limitations on the protection of personal data arising from the domestic law of the U.S. on the access and use by U.S. public authorities of such data transferred from the E.U. to the U.S. are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary; and
- the Ombudsperson mechanism provided in Privacy Shield does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by E.U. law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the U.S. intelligence services.
In summary, the CJEU determined the Privacy Shield did not adequately protect the personal data of E.U. citizens.
Standard Contractual Clauses
The SCCs, sometimes known as the “model clauses”, are a mechanism used by organisations seeking to lawfully transfer personal data from a country in the E.U. to a country outside the E.U. (which is not subject to an adequacy decision of the European Commission). Article 46 of the GDPR recognises the SCCs as a valid mechanism for transferring personal data outside the E.U. The SCCs operate as a contractual agreement and therefore must be entered into by the data exporter (based in the E.U.) and the data importer (based in the third country) to be effective. They impose contractual obligations on both the data exporter and the data importer, and include rights for those individuals whose personal data is being transferred.
There are currently two versions of the SCCs: the first regulates the transfer of personal data been a controller and a processor; and the second regulates the transfer of personal data between two controllers. Only the first version forms the basis for the decision by the CJEU meaning the version of the SCCs used between two controllers has not been opined on.
As noted above, the CJEU has declared the SCCs valid on the basis they provide sufficient protection for E.U. personal data, and therefore organisations currently relying on the SCCs to transfer personal data to a country outside the E.U. can continue to do so. That said, the CJEU’s decision was caveated by the opinion that E.U. organisations relying on the SCCs to transfer personal data have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU noted that the exporting organisation could implement additional safeguards to ensure this level of protection but the form of such safeguards is not yet known. The CJEU further noted that the non-E.U. importing organisations must inform the data exporters in the E.U. of any inability to comply with the SCCs. When non-E.U. data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection”, the E.U. data exporter is required to suspend the transfer of data and/or to terminate the contract.
It’s worth noting that, with respect to the U.K. post-transition period, it was confirmed before today’s decision that organisations in the U.K. could still use the SCCs as a method for transferring personal data to countries outside the E.U. and the U.K. The decision from the CJEU will likely apply to the U.K.’s use of the SCCs post-transition period but we await confirmation.
So what does this all mean?
For those organisations relying on Privacy Shield to transfer personal data from the E.U. to the U.S., this is no longer a valid means of doing so. Such organisations should immediately review their data flows to identify data transfers made under the Privacy Shield and consider implementing an alternative mechanism for transferring the personal data. The most appropriate solution for those previously relying on Privacy Shield will likely mean implementing the SCCs (subject to the below).
For those organisations relying on the SCCs to transfer personal data outside the E.U., an analysis should be undertaken as to whether there is an “adequate level of protection” for personal data in the importing jurisdiction. This will likely require further input from regulators but organisations should start the review process now.
Any and all data flows are impacted by this decision, be they with customers, suppliers, or intra-group, and include employee data transfers: a comprehensive data flow analysis should be undertaken by those organisations which rely on Privacy Shield and the SCCs.
It is not clear yet what approach data protection regulators in the E.U. and the U.K. will take with respect to enforcing this decision from the CJEU but organisations relying on Privacy Shield should start to take action immediately. We will continue to monitor and report on the decision from the CJEU and the impact it will have globally.