On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”) ruling that the Privacy Shield Framework decision for data transfer between the EU and US (the “Privacy Shield”) is invalid, reducing the available options for the sharing of personal data between the two regions.12 The CJEU also clarified that stringent checks are, and, potentially “additional measures” may be required before companies may rely on Standard Contractual Clauses to justify international data transfers.
GDPR complicates internal investigations
The transfer of data between countries is essential in the conduct of international internal investigations. It is often a necessary part of a document review process and vital to cooperation with foreign regulators and law enforcement agencies.
The transfer of data from countries within the European Economic Area (EEA) to third countries is made more difficult by restrictions within the EU General Data Protection Regulation (GDPR). The GDPR broadly prohibits the transfer of personal data to so-called “third countries”, subject to certain exceptions. One such exception is where the European Commission has made an ‘adequacy decision’, which is a finding that the receiving country has in place adequate protection for the rights and freedoms relating to individuals’ personal data, equivalent to those available within the EU.
Privacy Shield offers inadequate protection
Prior to Schrems II, the US was the subject of a partial adequacy decision. Because the US was deemed not to provide protections equivalent to those available in the EU, the US Department of Commerce and the European Commission devised the Privacy Shield as a set of principles designed to ensure equivalent protection was provided by companies that self-certified their adherence to these principles. These companies could be placed on the Privacy Shield list and could receive data without having to take additional measures.
The judgment in Schrems II invalidated the Privacy Shield and rules that it can no longer be relied upon to enable the transfer of personal data from the EEA to the US.
One of the rationales behind the decision is that adherence to the Privacy Shield principles may be limited by the need to meet national security, public interest, or law enforcement requirements (Schrems II, para 164). The availability of this derogation, the limits of which are not defined, and the concomitant ability of the US government to access transferred data under US surveillance laws without adequate means of redress for affected individuals, means that, in the CJEU’s view, the Privacy Shield did not ensure equivalent protection to that available in the EU (Schrems II, paras 180 and 199).
Court warns against complacent use of Standard Contractual Clauses
With the Privacy Shield off the table, companies must ensure a legal basis for all international data transfers by relying on one of the other exceptions to the general rule against international transfers of personal data. Most commonly, companies seek to rely on Standard Contractual Clauses (“SCCs”). SCCs permit international transfers of personal data where the sender and recipient have entered into a contract adopting model clauses drafted by the European Commission that provide individuals with directly enforceable rights against the parties to the contract.
The validity of SCCs was also considered in the Schrems II judgment. While confirming that SCCs generally remain a valid mechanism for data transfer (Schrems II, para 149), the CJEU warned that there are circumstances in which the SCCs might not constitute a sufficient means of protecting the right to data privacy, in particular where the law of the recipient country “allows its public authorities to interfere with the rights of the data subjects to which that data relates” (Schrems II, para 126).
The burden is on the entities involved in the data transfer to ensure that the protections afforded in the receiving country, taken together with the SCCs, provide adequate safeguards for the protection of the right to privacy. As the CJEU makes clear, this may require the transferring entities to provide additional safeguards on top of the SCCs (Schrems II, para 132); use of the SCCs should never be assumed to be sufficient to legitimize an international data transfer.
It is not clear (yet) what kinds of additional measures would be sufficient to overcome these concerns, and, in reality, this may prove an impossible and impractical task. Whilst adequacy decisions provide a level of certainty as to which jurisdictions do meet the protection threshold, in the absence of ‘inadequacy decisions’, it will be extremely difficult for companies to say with confidence which jurisdictions do not. Accordingly, when using SCCs to justify a data transfer, it is advisable to seek legal advice as to whether any additional safeguards might be required and what they might be.
The CJEU mentions that Article 49 GDPR remains available in certain situations (Schrems II, para 202), but the European data protection authorities have already indicated that they will continue to take a strict view on the interpretation of Article 49, as expressed in their Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, as published on 25 May 2018.
Conclusion: caveat transferor
This decision should encourage data exporters to review the legal basis currently used for transfers outside the EEA to ensure they remain compliant. If transfers have been based on Privacy Shield, a different legal basis has to be identified and implemented. Transfers based on SCCs also have to be re-examined.
Ultimately, many data exporters and importers will face a risk balancing exercise and will have to walk an increasingly fine line between compliance with their obligations under GDPR and their need to export data outside the EEA to conduct their business or to comply with requests from foreign regulators and law enforcement.
Of longer-term concern is the effect of Schrems II on the transfer of data from the EEA to the UK after the end of the Brexit transition period on 31 December 2020; UK surveillance laws may face similar criticism to that levelled at the US, making a European Commission adequacy decision more unlikely and potentially casting doubt over the use of SCCs in these circumstances.