Schrems II – Landmark judgment impacts EU-US transfer of personal data
The Court of Justice of the EU (CJEU) has today (16 July, 2020) handed down its decision in the much-awaited Schrems II case (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). This landmark judgment will profoundly impact the transfer of personal data between the EU and the USA, because it sets aside the EU-US Privacy Shield and casts doubt on the use of the standard contractual clauses (SCCs) to effect transfers of personal data from the EU to the USA.
Under the current system, personal data may be transferred (exported) to a non-EU jurisdiction if the European Commission has found that jurisdiction to provide an adequate level of protection (i.e. one approximating the level of protection which the EU affords to individuals in relation to their personal data).
In the absence of an adequacy decision, where a US transferee has signed up to the EU-US Privacy Shield, that was understood to provide adequate protections for data subjects. Today’s decision invalidates that mechanism.
The decision leaves open the possibility that transfers may be made in cases where certain exemptions apply, such as where the EU transferor and the non-EU transferee have agreed to SCCs. The SCCs are standard form clauses which the parties to an agreement sign up to. They cannot be varied if they are to be effective, and they take on the binding nature of contractual obligations between the parties, which each of the counterparties may then enforce against the other in the event of a breach. Importantly, they provide rights which are enforceable by the data subject.
What this means for the SCCs and EU-US Data Transfers
The CJEU stated that the SCCs were a valid means of transferring personal data from the EU to a country which did not have a finding of adequacy. It did, however, blast out a rather large note of caution by stating that they would not be an effective means of transferring personal data if that non-EU country lacked effective mechanisms making it possible, in practice, to ensure compliance with the level of protection required by EU law, or if it were impossible to adhere to the SCCs there. In the case of the USA, the CJEU was of the view that the federal security agencies and the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred…The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.” Contractual terms agreed between the parties cannot circumscribe the powers of the US authorities, and it was those powers which led to the invalidation of the Privacy Shield.
It is significant that the Court has determined that supervisory authorities are required to suspend or prohibit transfers to a third country in reliance on the SCCs where the clauses cannot be complied with and the appropriate level of protection cannot be assured by other means.
What about the EU-US Privacy Shield?
The CJEU looked at this framework in the light of the requirements arising from the GDPR, read in the context of the provisions of the Charter of Fundamental Rights of the European Union and, in particular, Article 8 of the Charter (which guarantees respect for private and family life, personal data protection and the right to effective judicial protection). In that regard, the CJEU noted that the Privacy Shield framework enshrines the position (as had been the case with the Safe Harbor mechanism which preceded it) that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to the USA. The CJEU found that the limitations on the protection of personal data under domestic US law, in relation to its access by the various national security agencies, were not restricted in a manner and to the extent which EU law would require so as to create circumstances essentially equivalent to those required under EU law. To cut to the chase, the CJEU found that the Privacy Shield framework did not provide sufficient protection from surveillance by the US authorities, nor did US law establish limits on the power of US surveillance programs or provide data subjects with actionable rights before the courts against the US authorities.
What does this mean for Brexit?
Well, it is not looking particularly positive at this stage. The European Data Protection Board has already voiced concerns over existing UK privacy laws, there is widespread concern (both within the UK and abroad) over the extensive powers of the UK’s security agencies to access personal data, and the Schrems II decision creates the basis for a potential further obstacle to the UK obtaining an adequacy decision once it leaves the bloc. Time will tell, but the decision heightens concern that the UK will leave the EU on 1 January 2021 without a finding that it is a country which provides a level of protection for personal data equivalent to that of the EU.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.