As we noted in our alert on 16 July 2020, the decision of the Court of Justice of the European Union (CJEU) in the case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II)[1] has serious implications for the transfer of personal data from the European Economic Area (EEA) to the United States. It invalidated the decision of the European Commission that established the EU-US Privacy Shield (the Privacy Shield Decision)[2], meaning that companies in the EEA must find another way to transfer personal data to the United States in compliance with the General Data Protection Regulation (GDPR). While the CJEU invalidated the Privacy Shield Decision, on its face it also expressly retained the validity of the Standard Contractual Clauses (SCCs) as a compliant transfer mechanism. Digging deeper into the rationale behind the Schrems II decision, however, leaves a very clouded future for the use of SCCs as a justification for the transfer of personal data from the EEA to the United States. In particular, the basis upon which the Privacy Shield Decision was invalidated, namely that the US Government has significant access to personal data once it arrives in the United States with little redress for EU residents, would seem to apply equally to the SCCs when adopted by US-based companies. So, while the SCCs have survived for now, that survival may be short-lived, awaiting the next legal challenge.

What did the CJEU say about the validity of the SCCs?

The CJEU stated that the decision of the European Commission that approves the use of the SCCs (the SCCs Decision)[3] is valid. The CJEU found the SCCs Decision to be valid because the SCCs require the data exporter (the entity in the EEA transferring the data) to stop the transfer if the data importer (the recipient of the data outside of the EEA) cannot comply with the terms of the SCCs or with the GDPR.

What this effectively means is that there is nothing wrong with the SCCs Decision, or the SCCs themselves in the abstract. What the Schrems II decision does not mean is that every transfer of personal data out of the EEA will be compliant with the requirements of the GDPR if the transfer is effected pursuant to SCCs. If the recipient is located in a jurisdiction that has laws that interfere with the recipient's obligations under the SCCs, the transfer is not compliant and should be stopped.

Potential issues with data transfers to the United States

The reason the CJEU invalidated the Privacy Shield was the acceptance in the Privacy Shield Decision that the interests of US national security, public interest, and law enforcement are to take priority over data protection obligations imposed by the Privacy Shield. In particular, the CJEU singled out the surveillance programs that take place pursuant to Executive Order 12333, Presidential Policy Directive 28, and section 702 of the Foreign Intelligence Surveillance Act. These are mass surveillance operations that, according to the CJEU, result in the bulk interception of personal data as it is transferred across the Atlantic. The existence of these surveillance operations means that the United States does not, in the opinion of the CJEU, provide a level of protection of personal data equivalent to that provided by European law as required by the GDPR.

What are the obligations on data importers and data exporters?

This leads to the question of the obligations on data importers and data exporters. As explained in the Schrems II decision, the SCCs require both parties to consider if there are any laws in the recipient jurisdiction that would prevent the data importer from complying with the SCCs. At least in the case of the United States, the answer after Schrems II seems to be that there may very well be a significant obstacle to compliance with SCCs involving a US-based company, i.e., the United States' mass surveillance laws. In the event that the US surveillance laws are impediments to full compliance with the SCCs of a US-based company, the CJEU has suggested that it may be necessary for the parties to consider supplementary contractual measures to ensure compliance with the SCCs. Unhelpfully, the CJEU did not provide any guidance on what these additional safeguards might look like. However, even these measures may not be enough in the eyes of some data exporters and privacy advocates to overcome the issues related to US surveillance laws as outlined by the CJEU in the Schrems II decision. Ultimately, if the parties do not believe that the SCCs can be complied with because of local laws in the importer's country, the CJEU has instructed data exporters to cease all data transfers, and/or terminate the SCCs. As a result, even though the Schrems II decision expressly upheld the validity of SCCs as a general matter, their practical application with respect to US-based companies now seems very much in question.

What are the obligations on Data Protection Authorities (DPAs)?

The CJEU's judgment makes it clear that there is a positive obligation on DPAs to consider the ability of data importers in particular jurisdictions to comply with the SCCs. If DPAs find that the law of a particular jurisdiction does not permit compliance with the SCCs, the DPA is under an obligation to order that data transfers to that jurisdiction cease.

One can see that this might cause a potential conflict across the European Union as DPAs take different views about transfers to individual jurisdictions. For this reason, the CJEU expressly contemplates[4] that DPAs might refer matters to the European Data Protection Board, which can adopt a decision that will bind all of the DPAs.

Already, we have seen DPAs across the European Union coming out with cautious statements about the Schrems II decision[5], indicating so far only that they were studying the implications of the ruling. In short, there is more to come in this chapter of the fallout from the CJEU's decision.

Practical next steps

The obvious business reality of many companies is that the transfers of personal data from the EEA to the United States cannot simply cease. However, data exporters in the EEA should consider taking additional steps to bolster their compliance with the GDPR:

1. Understand to which entities in the United States the personal data will be transferred. That includes understanding sub-processing and storage arrangements.

2. Ensure the data importer in the United States understands that it needs to notify the data exporter of laws and other obligations that would prevent the data importer from complying with the SCCs, including being subject to any specific US-based surveillance or legal monitoring (e.g., a compliance monitorship).

3. Consider whether there are any practical or contractual safeguards that could be added to the SCCs to attempt to safeguard the personal data.

4. Consider whether there are any alternatives to a transfer to the United States, for example, keeping the data in the EEA or transferring it to another country that is the recipient of an adequacy decision from the European Commission.

What if the SCCs are invalidated?

If there is a further challenge to the validity of the SCCs, in particular as regards transfers of personal data to the United States, and they do not survive that challenge, what happens next? It is difficult to say. The GDPR permits other approved transfer mechanisms, such as binding corporate rules, approved codes of conduct and approved certifications.[6] But these come with their own difficulties:

1. Binding corporate rules apply within groups of companies; they do not typically apply to transfers outside of the corporate group;

2. All three mechanisms need to be approved by a relevant DPA or certification body, a process which takes some time; and

3. The issue of the United States' surveillance programmes remains, and will cause as many difficulties for the operation of these mechanisms as it does for the Privacy Shield and the SCCs.

Article 49 provides some derogations from the general principle that data transfers out of the EEA are not permitted, but these are not likely to legitimise general, business-as-usual data transfers:

1. As these are derogations, they should be interpreted strictly and they should be used as an exception rather than a general licence to transfer personal data out of the EEA without an appropriate safeguarding mechanism;

2. They apply to specified situations, which may not always be present (for example, transfers necessary for the conduct of litigation); and

3. Although it is possible to transfer personal data out of the EEA with the explicit consent of the data subject, practically speaking it will be very difficult to obtain consent from each relevant individual in such a way as to comply with the GDPR's consent requirements.

It is likely to take some time for the full consequences of the Schrems II decision to unfold. During that time, data controllers should evaluate how they are transferring data from the European Union to the United States, and consider whether the method for doing so ought to be changed or ended entirely.