EU-US Privacy Shield invalidated; SCCs upheld with extended obligations of ex ante assessment

July 2020 – On 16 July, the CJEU delivered its landmark ruling in the Schrems II case (Case C‑311/18) concerning data transfers into third countries pursuant to Standard Contractual Clauses (“SCCs”) and the EU-US Privacy Shield.

In the judgment, the CJEU invalidated the EU-US Privacy Shield due to concerns over surveillance by public authorities. While the current SCCs were preserved, the court laid down its interpretation of the mechanism, extending assessment obligations for data controllers and processors.

Background of the case

In 2013, Austrian privacy activist Maximilian Schrems filed a complaint against Facebook Ireland after it transferred his personal data to Facebook Inc.’s servers located in the United States. In the subsequent proceedings, the CJEU invalidated the Commission’s Safe Harbour Decision – the adequacy decision for the United States at that time. Following the judgment, Mr Schrems reformulated his complaint, contesting data transfers into the United States based on SCCs. In its latest judgment, the CJEU considered the validity of SCCs, as well as that of the EU-US Privacy Shield, which was established via Commission Implementing Decision (EU) 2016/1250 after the proceedings in this case had been initiated but which closely relates to the issue considered.

EU-US Privacy Shield

The court examined the validity of the EU-US Privacy Shield in light of surveillance activities carried out by US public authorities. According to the court, the current form of the Privacy Shield is incompatible with the GDPR and the Charter of Fundamental Rights of the European Union as it allows self-certified United States organisations receiving personal data from the EU to disregard the underlying principles of data protection, such as the proportionality principle, without effective limitation. The relevant US domestic law on public authority surveillance conflicts, in particular, with the principle of proportionality and cannot provide adequate protection for EU data subjects. Furthermore, the Ombudsperson mechanism within the Privacy Shield does not provide EU data subjects with any cause of action before the US courts and is therefore incompatible with the right to an effective remedy.

The decision has immediate effect, as the CJEU refused to maintain the effectiveness of the invalidated Privacy Shield Decision for a limited transition period, since Article 46 of the GDPR already provides for data transfer mechanisms in the absence of an adequacy decision.

In the absence of the Privacy Shield, the United States no longer represents a country with a level of data protection adequate to that of the EU. This will have significant implications for ongoing data transfers to the United States, which must now be based on other safeguards such as SCCs or binding corporate rules. To account for the change, businesses that have until now relied on the EU-US Privacy Shield should review their policies and agreements as soon as possible and implement alternative measures.

Standard Contractual Clauses

The CJEU upheld the Standard Contractual Clauses introduced by Commission Decision 2010/87/EU, concluding that they provide for effective mechanisms ensuring compliance of data transfers with the GDPR. However, it also emphasized the merely contractual nature of SCCs, because of which further supplementary measures may be necessary where the recipient is unable to comply with the SCCs for reasons of domestic law.

With regard to SCCs, the court expressed in particular the following considerations, which may have a significant impact on data transfers into third countries by EU data controllers:

  • In the absence of an adequacy decision, it is the obligation of the controller or processor pursuant to Article 46 of the GDPR to verify, prior to any transfer, whether an adequate level of data protection can be achieved in the third country and to provide an appropriate safeguard to compensate for any lack of data protection in the respective country.
  • The level of protection offered to EU data subjects throughout a data transfer must be essentially equivalent to that which is guaranteed under the GDPR.
  • The assessment required to determine whether the level of data protection in a third country is adequate must take into consideration not only the contractual clauses agreed upon but also the relevant aspects of the legal system of that third country as these may influence the ability of the data recipient to comply with the SCCs. A non-exhaustive list of the relevant factors is set forth in Article 45 of the GDPR concerning the adequacy assessment carried out by the Commission.
  • Where SCCs cannot ensure an equivalent level of data protection, the controller or processor must implement additional safeguards.
  • Where an adequate level of protection cannot be guaranteed through SCCs and/or additional safeguards, the controller or processor must suspend or terminate the transfer of personal data to the third country concerned. Such a termination of data transfer may also be ordered by a DPA, which may also examine the sufficiency of the implemented safeguards to ensure adequate protection.

Following the decision, data controllers and processors will need to review their existing policies to ensure adequacy when transferring data to third countries. The above conclusions will have a significant impact on the use of SCCs by data controllers.

For further information, please contact Zdeněk Kučera, Counsel & Co-head of firm-wide TMT practice, or Štepánka Havlíková, Junior Associate.