The Results Are in: Privacy Shield Has Been Declared Invalid but the SCCs Remain Valid
In December 2019, the opinion of Advocate General Saugmandsgaard Øe in relation to the preliminary ruling was published: in short, his opinion was that the CJEU should declare the SCCs valid whilst heavily criticising Privacy Shield (further information on the opinion can be accessed
Background to decision
The dispute has its origins in the proceedings initiated by Maximillian Schrems, an Austrian privacy activist. Schrems first lodged a complaint with the Irish data protection authority in relation to Facebook Ireland transferring personal data of E.U. users to Facebook Inc. in the U.S. Specifically, Schrems alleged that the transfer mechanisms used do not ensure an adequate level of protection for E.U. data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as E.U. data protection law. A key concern was that E.U. personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with privacy rights guaranteed in the E.U. under the Charter of Fundamental Rights.
Following the original complaint, the Irish data protection authority brought proceedings against Facebook in the Irish High Court. A
There is also a separate Swiss-U.S. Privacy Shield Framework which relates to transferring personal data from Switzerland to the U.S. but note that this framework has not been declared invalid by the CJEU.
The GDPR states that transfers of personal data to countries outside the E.U. (which for these purposes includes three non-Member States, Iceland, Liechtenstein and Norway) are unlawful unless the transfer is to an organisation in a country which has received an adequacy decision from the European Commission, such as the adequacy decision for the U.S. in the form of Privacy Shield, or is subject to a specific transfer mechanism that is permitted by the GDPR, such as the SCCs. Privacy Shield enabled U.S.-based organisations to self-certify and register with the Department of Commerce, thereby publicly committing to comply with the framework’s requirements. Participating organisations are further required to re-certify on an annual basis.
Many U.S. based organisations are Privacy Shield certified (full list can be seen
The key reasons cited by the CJEU for declaring Privacy Shield invalid are the following:
the limitations on the protection of personal data arising from the domestic law of the U.S. on the access and use by U.S. public authorities of such data transferred from the E.U. to the U.S. are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary; and
the Ombudsperson mechanism provided in Privacy Shield does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by E.U. law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the U.S. intelligence services.
In summary, the CJEU determined that Privacy Shield did not adequately protect the personal data of E.U. citizens.
Standard Contractual Clauses
The SCCs, sometimes known as the “model clauses”, are a mechanism used by organisations seeking to lawfully transfer personal data from a country in the E.U. to a country outside the E.U. (which is not subject to an adequacy decision of the European Commission). Article 46 of the GDPR recognises the SCCs as a valid mechanism for transferring personal data outside the E.U. The SCCs operate as a contractual agreement and therefore must be entered into by the data exporter (based in the E.U.) and the data importer (based in the third country) to be effective. They impose contractual obligations on both the data exporter and the data importer, and include rights for those individuals whose personal data is being transferred.
There are currently two versions of the SCCs: the first regulates the transfer of personal data between a controller and a processor; and the second regulates the transfer of personal data between two controllers. Only the first version forms the basis for the decision by the CJEU, meaning the version of the SCCs used between two controllers has not been opined on.
As noted above, the CJEU has declared the SCCs valid on the basis they provide sufficient protection for E.U. personal data, and therefore organisations currently relying on the SCCs to transfer personal data to a country outside the E.U. can continue to do so. That said, the CJEU’s decision was caveated by the opinion that E.U. organisations relying on the SCCs to transfer personal data have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU noted that the exporting organisation could implement additional safeguards to ensure this level of protection but the form of such safeguards is not yet known. The CJEU further noted that the non-E.U. importing organisations must inform the data exporters in the E.U. of any inability to comply with the SCCs. When non-E.U. data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection”, the E.U. data exporter is required to suspend the transfer of data and/or to terminate the contract.
It’s worth noting that, with respect to the U.K. post-transition period, it was confirmed before today’s decision that organisations in the U.K. could still use the SCCs as a method for transferring personal data to countries outside the E.U. and the U.K. The decision from the CJEU will likely apply to the U.K.’s use of the SCCs post-transition period but we await confirmation.
So what does this all mean?
For those organisations relying on Privacy Shield to transfer personal data from the E.U. to the U.S., this is no longer a valid means of doing so. Such organisations should immediately review their data flows to identify data transfers made under the Privacy Shield and consider implementing an alternative mechanism for transferring the personal data. The most appropriate solution for those previously relying on Privacy Shield will likely mean implementing the SCCs (subject to the below).
For those organisations relying on the SCCs to transfer personal data outside the E.U., an analysis should be undertaken as to whether there is an “adequate level of protection” for personal data in the importing jurisdiction. This will likely require further input from regulators but organisations should start the review process now.
Any and all data flows are impacted by this decision, be they with customers, suppliers, or intra-group, and include employee data transfers: a comprehensive data flow analysis should be undertaken by those organisations which rely on Privacy Shield and the SCCs.
It is not clear yet what approach data protection regulators in the E.U. and the U.K. will take with respect to enforcing this decision from the CJEU but organisations relying on Privacy Shield should start to take action immediately. We will continue to monitor and report on the decision from the CJEU and the impact it will have globally.