Privacy Shield invalid: what next for international data transfers?
The case stemmed from a complaint by the Austrian privacy activist Max Schrems that personal data sent by Facebook from the European Economic Area to the US was not adequately protected.
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its highly anticipated decision in Data Protection Commissioner v Facebook Ireland Limited & Maximillian Schrems (Case C-311/18), in which the CJEU considered the legality of Facebook’s transfers of personal data to the United States.
In a judgment with far-reaching implications for transfers of personal data, the CJEU declared the Privacy Shield decision invalid. It decided that the Standard Contractual Clauses (SCCs) were valid, but only on the basis that they require both the parties to the SCCs and the competent supervisory authority to assess the recipient’s ability to comply with the SCCs. Any such assessment must take into account the recipient’s obligations under its national law.
Decision
The CJEU decided the following:
- The SCCs are valid because they allow transfers of personal data to be suspended or prohibited if the recipient cannot comply with the SCCs or provide protection equivalent to that offered by EU law.
However, the CJEU emphasised the importance of the existing duties under the SCCs on the recipient and the exporter of personal data to assess the level of protection available in the recipient’s country. In particular, the SCCs already contain an obligation for the recipient to inform the data exporter if it cannot comply with the SCCs, in which case the exporter must suspend or end data transfers to the recipient.
Supervisory authorities must also suspend or prohibit transfers to third countries where the SCCs are not, or cannot be, complied with in that third country and where the data cannot be protected by other means.
- The Privacy Shield is invalid because it prioritises US national security requirements over the fundamental rights of respect for private and family life, personal data protection and the right to effective judicial protection. US domestic law does not grant protections equivalent to EU law and does not give data subjects actionable rights against the US authorities. The Privacy Shield Ombudsperson mechanism does not guarantee that there will be an independent or binding decision in relation to the US intelligence services.
What happens next?
The validity of the SCCs is to be welcomed. However, the decision raises issues for all organisations that rely on the Privacy Shield and SCCs, particularly for those transferring personal data to recipients in the United States. The immediate practical implications are as follows:
- Those participating in the Privacy Shield, or transferring data to US partners in reliance on the Privacy Shield, should immediately use an alternative safeguard, as the Privacy Shield has been declared invalid with immediate effect. We await news of whether there will be an informal enforcement moratorium while any replacement regime is considered, as occurred after the Safe Harbor Agreement was invalidated. The derogations in Article 49 of the GDPR will at least ensure that essential data exports to the US and elsewhere may continue, but longer-term solutions will be required.
- Anyone relying on the SCCs to make or receive international transfers of personal data must verify whether the recipient can protect the data to a standard that is essentially equivalent to the protections given by EU law. This assessment must take into account the national law applicable to the recipient and any additional safeguards that the parties can put in place, and it should be documented. Recipients who are concerned that their national law means they cannot comply with their SCC obligations should inform the affected exporters immediately. These obligations already exist under the SCCs, but it has now become far more important for the parties to verify that they are actually carried out.
- “Equivalence assessments” for exports of personal data to the US under the SCCs may be problematic. The invalidation of the Privacy Shield, on the grounds that US law is incompatible with EU fundamental rights, indicates that a US data importer may not be able to protect personal data in accordance with its obligations under the SCCs. There may be particular issues if the recipient is an “electronic communication service provider”, such as Facebook. This is because these companies are subject to particular US law requirements to share the personal data of overseas individuals with the US public authorities for surveillance purposes.
- “Additional safeguards” may become more important to ensure that SCCs are effective. The CJEU judgment emphasised the fact that parties carrying out equivalence assessments may take into account any additional measures the parties can put in place to enhance the protections for transferred personal data. Parties to SCCs should consider whether any such measures, such as contractual or security protections, could be used.
- Supervisory authorities are also likely to become involved in pronouncing on the lawfulness of transfers to countries including the US, as their duty to do so has now been confirmed. It is not yet clear what action the Irish DPC will take in relation to Facebook Inc., but it seems likely that the DPC will now assess whether Facebook can in reality comply with its SCC obligations.
- Although the SCCs have been found to be valid, they are nevertheless being updated. The Commission has confirmed that it is still working on updates, as the SCCs are yet to be updated for the coming into force of the GDPR. The updates will take the CJEU ruling into account but it is still unclear what else to expect.
- Binding Corporate Rules (BCRs) are as yet unaffected. Organisations may in future move to use BCRs if they appear to be a more stable form of data transfer.
- Service providers are more likely to offer European data centres. To the extent that they do not already, service providers may see the judgment as an opportunity to offer hosting and storage solutions for personal data to ensure that it is only accessible from within the EU. This will minimise the need for data transfer safeguards.
- For UK organisations, if there is no UK adequacy decision by the end of 2020 then Europeans will need to find alternative safeguards to transfer personal data to the UK. The key role that US national surveillance laws played in invalidating the Privacy Shield mechanism raises doubts as to the UK’s chances of an adequacy decision in time for the end of the transition period, bearing in mind its own surveillance practices. European data exporters to the UK may also be reluctant to conclude that the UK offers “essentially equivalent” protections to EU law if they are using SCCs as their transfer safeguard.
There are therefore several key issues still to be resolved, particularly in relation to the lawfulness of transfers of personal data to the United States. The key question for all exporters who rely on the SCCs remains exactly what they must do in order to meet their obligation to assess the recipient’s ability to comply. It is clear that verification of data importers’ practices and national law obligations will become a key part of exporting personal data in the future.
Background to CJEU decision
The case stemmed from a complaint by the Austrian privacy activist Max Schrems that personal data sent by Facebook from the European Economic Area to the US was not adequately protected. The key issue was whether the standard contractual clauses are a valid safeguard for the transfer of personal data from the EEA to the US, taking into account US government surveillance practices. The validity of the Privacy Shield mechanism for US data transfers was also called into question.
US Surveillance. Disclosures made by former CIA employee Edward Snowden in 2013 revealed that the US government undertakes blanket processing of personal data for surveillance. Electronic communication service providers (including Facebook) are required by US law to allow the US government to access the personal data of European users on a mass scale for intelligence purposes.
Transfer requirements. Under the General Data Protection Regulation (GDPR), a data export from the EEA to a third country (the US in this case) is only lawful if the exporting entity puts in place appropriate safeguards for the exported data. Two key safeguards for the export of personal data to the US are the Standard Contractual Clauses (SCCs), which must be entered into between the exporter and the importer, and the Privacy Shield mechanism (which replaced the EU/US Safe Harbor mechanism facilitating EU-US data transfers).
Schrems’ complaint. The Snowden leaks demonstrated to Schrems that personal data could at the very least be “made available” to US government authorities under provisions such as the PRISM programme. He doubted whether exported personal data could be adequately protected in the US, if it may be vulnerable to US government surveillance. His concern was that, even if the recipient signs up to SCCs, or to a mechanism such as Safe Harbor, this would not provide protection if the US government may access the exported data in a manner that is incompatible with those safeguards.
Safe Harbor proceedings (Schrems I). In 2013, Schrems filed a complaint against Facebook with the Irish Data Protection Commissioner (DPC), claiming that the European Commission’s Safe Harbor decision did not provide sufficient protection for data subjects whose personal data was being exported. He argued that the DPC should suspend transfers to the US and that in any event the Safe Harbor decision was invalid.
The DPC initially rejected the complaint. Schrems successfully had that decision reviewed, and the Irish High Court referred questions on the validity of the Safe Harbor decision to the CJEU. The CJEU ruled in 2015 that mass surveillance by public authorities, and the lack of legal redress available for non-US individuals, violated European fundamental rights, and it struck down the Safe Harbor decision. Safe Harbor was replaced with the Privacy Shield mechanism in 2016.
Suspension of transfers under SCCs. After the CJEU’s decision in Schrems I, Facebook stated that it was instead relying on the Standard Contractual Clauses (“SCCs”) to transfer personal data to the US. The SCCs in question were between Facebook Ireland Ltd and Facebook Inc., under which the non-EU company agreed to respect Europeans’ privacy rights.
Schrems therefore reformulated his complaint to the DPC to state that Facebook’s reliance on the SCCs did not provide adequate protection for his transferred personal data, or sufficiently safeguard his rights, as a result of US public authorities’ surveillance activities. He requested that the DPC rely on Article 4 of the SCCs to order Facebook to suspend data transfers to the US. The DPC questioned the validity of the SCCs themselves where a third country’s laws are in conflict with their provisions and considered that it could not rule on the complaint without the CJEU first having examined the validity of the European Commission’s decision approving the SCCs. The DPC therefore referred the matter to the Irish High Court, which referred eleven questions to the CJEU. The questions touch on the validity of both the Privacy Shield and the SCCs as a mechanism for the international transfers of personal data from the EU. Both mechanisms were called into question since if the SCCs were invalid due to US government surveillance, then arguably the same concerns would apply to the Privacy Shield.
A-G opinion. In December 2019, the CJEU’s Advocate General (A-G) published a non-binding opinion, which ultimately found the SCCs to be valid. The A-G stated that it is for supervisory authorities to order the suspension of data transfers where the national law applicable to the importer is not compatible with EU fundamental rights. The A-G’s Opinion criticised the Privacy Shield decision due to the lack of US legal remedies for data subjects in the EU and the wide-reaching US surveillance powers, but it did not explicitly rule on the Privacy Shield’s validity. Whilst it is common for the CJEU to follow the Advocate General’s opinion, there was no requirement for the CJEU to do so.
CJEU Judgment of 16 July 2020 (Schrems II)
The judgment was largely consistent with the A-G’s Opinion. The CJEU found that:
- The SCCs are valid. This is because they contain effective mechanisms to ensure compliance with EU law given that they allow for transfers of personal data to be suspended or prohibited if the recipient cannot comply with them. Although the SCCs only bind the parties to the contract and not third country public authorities, transfers can still be prevented or suspended without the co-operation of those public authorities.
Data subjects whose data is being exported must be given protections that are “essentially equivalent” to those within the EU. The assessment of that equivalence should take into account any contract between the exporter and importer, plus the legal system in the importer’s country, in particular in relation to public authorities’ access to the transferred data. Any additional safeguards that the parties can put in place should also feature in that assessment.
The key question is who is responsible for assessing whether personal data will be properly protected in the third country, and how the assessment must be carried out. The CJEU states that responsibility for carrying out that assessment falls on the parties who will be making a transfer in reliance on the SCCs; and also on the competent supervisory authority.
The SCCs themselves require both the data exporter and the recipient to verify the level of protection for the data in the third country before they make any transfer. The recipient must also inform the data exporter if it cannot comply with the SCCs, in which case the exporter must suspend data transfers to, or terminate the SCCs with, the recipient.
However, supervisory authorities are also under a duty to suspend or prohibit a transfer of personal data to a third country without an adequacy decision where they take the view, in light of all the circumstances of that transfer, that the SCCs are not, or cannot be, complied with in that third country and that the data cannot be protected by other means.
- The Privacy Shield is invalid. This is based on the fact that the Privacy Shield decision gives priority to the requirements of US national security, public interest and law enforcement over the fundamental rights of respect for private and family life, personal data protection and the right to effective judicial protection. US domestic law does not grant protections to EU data subjects that are essentially equivalent to those required under EU law, as US surveillance programmes go beyond what is strictly necessary to achieve national security aims and they do not provide sufficient guarantees for affected non-US persons. In particular, data subjects do not have actionable rights against the US authorities before the courts and the Privacy Shield Ombudsperson mechanism guarantees neither the independence of the Ombudsperson, nor a decision that is binding on the US intelligence services.
The CJEU’s ruling also made it clear that the GDPR applies to transfers even where some of the transferred data may be processed by public authorities for purposes beyond the scope of EU law (i.e. defence and state security).