A recent decision immediately impacts transfers of data from the European Union to the United States and may also have implications for Australian organisations wishing to transfer personal data from the EU to Australia. We discuss the case and its implications.
The EU-US Privacy Shield Framework can no longer be relied on to evidence compliance with the GDPR, following the landmark judgement of the Court of Justice of the European Union in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems.
A case-by-case assessment of Standard Contractual Clauses approved by the European Commission must be undertaken to ensure personal data flowing from the EU to countries outside of the EU is adequately protected.
This ruling affects Australian organisations' ability to show GDPR equivalence even where Standard Contractual Clauses are used. Organisations should immediately re-assess their data flows from the EU to countries outside of the EU.
We live in a more connected world than ever. Even though many of us might not be travelling, our data still makes its way around the world at the hands of the many organisations to which we entrust it. The General Data Protection Regulation (GDPR) imposes stringent obligations on organisations that process data related to individuals in the European Union (EU), and requires an equivalent level of data protection when transferring personal data outside of the EU.
On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down a judgment in relation to the legality of the EU-US Privacy Shield Framework and the Standard Contractual Clauses in international transfers of personal data in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (Schrems II).
What was the decision about?
This decision arose from the complaint of an Austrian lawyer and 'privacy rights activist', Mr Schrems, against Facebook Ireland. Mr Schrems' complaint was that Facebook Ireland should be prohibited from transferring his personal data to the US (as was the practice of Facebook Ireland, having its servers located in the US), on the basis that US data laws and practices do not adequately protect his personal data. Mr Schrems was concerned, in particular, about US surveillance laws such as the Foreign Intelligence Surveillance Act, and requested the Irish Data Protection Commissioner to order the suspension or prohibition of Facebook's transfer arrangement.
Facebook Ireland relied on the EU-US Privacy Shield, claiming it evidenced an adequate level of protection of personal data by the US and the lawfulness of the transfer to the US.
Mechanisms to comply with the GDPR
At a fundamental level, the GDPR requires data controllers or processors outside of the EU to show that EU personal data will be subject to a level of data protection that meets the requirements of the GDPR. In the past, safeguards that organisations have chosen to rely on have included:
- the standard contractual clauses (SCCs) approved by the European Commission, which are clauses intended to contractually impose data protection requirements on a transferee that meet relevant GDPR standards; or
- self-certification to the EU-US Privacy Shield Framework (where data is transferred to the US), being a legal mechanism certified by the European Commission as being adequate to enable data transfers to the US under EU law (the Privacy Shield).
Why was the Privacy Shield invalidated?
In its decision, the Commission re-examined whether the Privacy Shield complies with GDPR requirements; being a level of protection of fundamental rights essentially equivalent to that guaranteed under EU law. The CJEU found that interference arising from US surveillance programs did not ensure an equivalent degree of protection, as:
- the surveillance programs did not grant data subjects actionable rights before the courts against US authorities; and
- there were inadequate remedies available to data subjects to access their personal data or obtain the rectification or erasure of such data.
Consequently, the CJEU found that the Privacy Shield is not able to ensure a level of protection equivalent to that under the GDPR, and thus could no longer be relied upon.
Changes to SCCs
In reaching its decision, the CJEU also considered the validity of SCCs. While it did not invalidate their use, the CJEU has now imposed further requirements when relying upon them. Data controllers and processors must now also undertake a case-by-case assessment as to whether they have provided appropriate safeguards, rights and remedies to data subjects by:
- considering the terms of the SCCs themselves; and
- examining the legislation of the recipient country, including the country's national security laws and public authorities' access to personal data.
In making its decision, the CJEU noted that the effects of this decision would not create a 'legal vacuum' and may be broadly applied to the conditions under which transfers of personal data from the EU to countries outside of it (including Australia) take place. Businesses should take the following steps in light of Schrems II:
- conduct data mapping for all flows of personal data from the EU;
- where there is an EU-US data flow, urgently consider whether the Privacy Shield is relied on and, if so, implement other safeguards (such as appropriate SCCs);
- conduct a case-by-case assessment of all data flows relying on the SCCs and consider whether adequate protection is offered (having regard to the privacy and surveillance laws and practices of those jurisdictions);
- consider your organisation's need to undertake due diligence on its partners and providers (this may take the form of a questionnaire or survey); and
- consider implementing additional safeguard for existing EU data flows (such as the encryption of data or other technological controls).
The obligation to undertake a case-by-case assessment of all data flows relying upon SCCs may be complex and burdensome for organisations, as the Schrems II decision does not offer any definitive framework for conducting such an assessment.