In its second landmark decision in five years concerning EU and US data protection relations, the European Court of Justice (“CJEU”) yesterday struck a fatal blow to the Privacy Shield, effectively ending the mechanism’s utility as a means of securely transferring data from the EU to the US.
Before diving further into the case, the immediate consequences of the Schrems II ruling are that:
any EU organisation that relies on the Privacy Shield for transferring the personal data of EU-based individuals to the US will no longer be able to lawfully do so; and
organisations will instead need to rely on other means of transferring personal data, such as the EU’s Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) (which are explained further in the “What now?” section below).
However, caution is encouraged. Unless a jurisdiction you wish to transfer personal data to is considered “adequate” by the EU Commission (the Commission publishes a full list of adequate countries), the EU SCCs and BCRs should not be considered fail-safe options in and of themselves. Strict consideration and due diligence are still vitally important when deciding how you structure your organisation or select your service providers, to ensure the level of data protection and security is not compromised.
What is/was the Privacy Shield?
The Privacy Shield is (or was) an EU-approved mechanism, which replaced the Safe Harbour scheme in 2015, for securely transferring data to the US.
Article 45 of the EU’s General Data Protection Regulation (“GDPR”) states that:
“the transfer of personal data to a third country…may take place where the [EU] Commission has decided that the third country…in question ensures an adequate level of protection.”
A decision of adequacy therefore has the effect of signalling that the third country to which it applies offers the same protection as an EU member state and therefore no additional protections or authorisations are needed when transferring personal data.
The US was never given complete adequacy status but, until this ruling, the EU and the US had a form of agreement between them under which transfers of personal data would be guaranteed to a specified standard (albeit on a company-by-company basis, rather than for the US in its entirety).
Why was the Privacy Shield in the dock?
Max Schrems, an Austrian lawyer and prolific data privacy campaigner, is no stranger to the CJEU. Data protection observers may recall that he was the man responsible for bringing the claim which struck down Privacy Shield’s predecessor Safe Harbour in 2015. The Privacy Shield was hastily erected in its place but this too has now fallen to Schrems’ sword.
The thrust of Schrems II centred on Facebook’s use of EU personal data. Facebook sends data of EU individuals (including both content and metadata) from its EU-based entities to its US-based entity under the Privacy Shield scheme. Schrems argued that, as Facebook is subject to various surveillance and security measures implemented by US authorities, EU personal data could be accessed covertly by those authorities.
Whilst US citizens have the right to object to processing of this sort under the US Constitution, no such recourse is available to EU citizens. The whole point of the GDPR was to increase accountability for organisations and enhance the rights EU individuals have over their data, as well as to maintain the long-standing data protection principles of transparency and proportionality.
Schrems therefore argued that the non-existent, or at least severely compromised, limitations, safeguards and judicial remedies offered by the US data protection regime render the Privacy Shield unfit for purpose. The CJEU agreed.
What now?
With the Lloyd v Google judgment due later in the year, and the potential for class action lawsuits in the future, the coming months could prove migraine-inducing for organisations where data protection is concerned.
The first task should be to review any contracts and data sharing arrangements that rely on the Privacy Shield to transfer personal data to the US. Organisations should then decide which of the two main alternatives is more suitable – EU SCCs or BCRs:
SCCs – also known as model clauses, these are a set of standard terms approved by the EU Commission and must not be amended (aside from some factual processing details). SCCs can be executed as standalone agreements or appended to/incorporated into each applicable contract, and they impose certain data protection and security obligations on organisations based outside the EEA. As an example, they require recipients to notify the data exporting entity if anything arises that might prevent compliance with the GDPR. Note that the type of SCCs varies depending on whether the exporting and recipient entities are both controllers or whether the transfer of personal data is from an EU controller to a recipient that is a non-EU processor.
BCRs – these are applicable to intra-group cross-border transfers of personal data. An organisation must submit a legally binding, bespoke set of policies detailing its data protection practices, protocols and safeguards to the relevant data protection authority in the EU for approval. Once approved, the organisation will be able to transfer personal data intra-group without executing SCCs for every transfer.
As the Privacy Shield is no longer viable, we recommend that you seek advice on which of these options is the most suitable for your organisation’s needs. As already noted, these transfer mechanisms do not negate an organisation’s overarching data protection obligations to conduct appropriate due diligence on an overseas recipient to ensure adequate protection and security.
And for the UK?
Now that the UK is no longer part of the EU, what does the Information Commissioner’s Office (“ICO”) (the UK’s data protection regulator) make of all this? So far, the UK has not deviated from the EU’s data protection regime, with the wholesale incorporation of the GDPR into the Data Protection Act 2018. It is therefore likely that the ICO will follow the EU’s lead here too but we expect further guidance imminently, and in the meantime, UK companies should not enter into agreements which rely on the Privacy Shield for transferring personal data.
Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020)