In a game-changing decision in Data Protection Commissioner v. Facebook Ireland Limited, Max Schrems (C-311/18, the Schrems II Case), the Court of Justice of the European Union (CJEU) declared the Commission Implementing Decision 2016/1250 (the Privacy Shield Decision) invalid, as it fails to protect people’s rights to privacy, data protection and access to a remedy. On the other hand, the CJEU declared that examination of Decision 2010/87 on Standard Contractual Clauses (the SCCs Decision) in the light of the Charter of Fundamental Rights (the Charter) has disclosed nothing to affect the validity of that decision, while nevertheless calling into question whether the SCCs can actually be complied with in the USA and other third countries. The impact on businesses operating in a global market cannot be overstated.
As already discussed in our earlier ezine on the opinion of the Advocate-General in this case, the present decision has a long history (Schrems I, in which the Safe Harbour principles were declared invalid and the decision of the Irish DPC declaring the complaint of Schrems invalid was annulled). In a nutshell, it concerns a clash of two very different legal regimes relating to people’s personal data: on the one hand, far-reaching US surveillance law and, on the other hand, European data protection legislation. As we all know, the Schrems II decision was expected to play an important role in determining whether the Standard Contractual Clauses, probably the most widely used safeguard mechanism for international transfers of personal data under the General Data Protection Regulation (GDPR), could still be relied upon. However, the decision has exceeded those expectations.
Schrems II Case – Key takeaways
First of all, the CJEU clarifies the scope of application of EU law, and in particular the GDPR, as regards the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, regardless of whether, at the time of that transfer or thereafter, that data may be processed by the authorities of the respective third country for the purposes of public security, defence and State security.
The CJEU emphasises that when transferring personal data from the EU to countries outside the European Economic Area (EEA), appropriate safeguards, enforceable rights and effective legal remedies must be put in place, resulting in a level of protection for the data subjects which is considered equivalent to that guaranteed by the GDPR.
As regards SCCs, the CJEU considers them an effective mechanism to protect EU citizens whose personal data are to be transferred outside the EU and therefore acknowledges their validity. However, a case-by-case analysis will be necessary, as the effectiveness of the SCCs will depend on whether the data importer in the respective third country is able to comply with the SCCs in practice or whether the legal system of the third country prevents this. Where the SCCs are not or cannot be complied with in a certain third country and the protection of the transferred data that is required by EU law cannot be ensured by other means, it is up to the data exporter in the first place, and to the supervisory authorities in the second place, to suspend or ultimately prohibit the transfer of personal data.
Furthermore, as regards the Privacy Shield Decision, the CJEU states that the requirements of US national security, public interest and law enforcement conflict with the fundamental rights, provided for in the Charter, of persons whose data are transferred to that third country. The far-reaching US surveillance laws are not limited by any principle of proportionality and do not indicate any limitations on the power they confer to implement the surveillance programmes, nor any guarantees for potentially targeted non-US persons. Even though those laws lay down requirements with which the US authorities must comply when implementing these programmes, they do not grant data subjects actionable rights before the courts against the US authorities. The CJEU notes that the Privacy Shield does not provide data subjects with legal protection comparable to that provided by EU law. More specifically, the Ombudsperson mechanism referred to in the Privacy Shield Decision does not provide data subjects with appropriate safeguards vis-à-vis the US authorities. As a result, the CJEU declared the Privacy Shield Decision invalid.
The importance of this issue cannot be overstated.
Both the SCCs and the Privacy Shield were at stake, as a result of which various organisations intervened, including representatives of the EU Parliament, the EU Commission, the European Data Protection Board, several EU Member States (including Belgium), the US government and the Electronic Privacy Information Center, as well as a number of industry lobby groups.
The declaration of invalidity of the Privacy Shield has a major impact on companies all over the world. Organisations can no longer rely on the Privacy Shield to transfer data to the US.
Moreover, organisations need to re-evaluate their data transfers to third countries that are based on SCCs. Further examination will be required of whether the SCCs are still a sufficient safeguard for transfers to data importers in a given country. For instance, in the case of the US, it is hard to see how the concerns the CJEU raised as regards the Privacy Shield would not equally apply when the SCCs are at issue.
In such a case, what would be the solution for transferring data outside the EEA to a country that does not benefit from an adequacy decision? Binding corporate rules or the derogations provided for in Article 49 of the GDPR might be part of the solution.