ECJ Invalidates Privacy Shield in Schrems II: What Now For Transatlantic Data Transfers?

• The European Court of Justice (“ECJ”) has today invalidated the EU-US Privacy Shield, meaning that companies can no longer rely on this mechanism for transferring personal data from the EU to the US.
• Companies transferring data to the US relying on the Privacy Shield (including transfers to a number of the big tech IT service providers registered with the scheme) will now need to scramble to put in place a lawful alternative.
• In contrast, the ECJ has upheld the Standard Contractual Clauses (“SCCs”) as a valid mechanism to transfer personal data to third countries but subject to a fairly significant sting in the tail.
• Importantly, the ECJ has pointed out that both data exporter companies and regulators must ensure that there are mechanisms to suspend or prohibit transfers to third countries where there is a conflict between the SCCs and the laws of that third country.
• In practice, this appears to mean that companies need to undertake a level of due diligence prior to any transfer of personal data to a third country where the SCCs are being used, and that recipients of that data have an obligation to tell the exporter where their local laws (for example because of surveillance powers in their jurisdiction) mean that they cannot comply fully with the SCCs.
• Given the ECJ’s comments on the adequacy of the US regime, it remains to be seen how businesses can undertake such due diligence to reach a conclusion that data is sufficiently protected when being sent to the US, even using the SCCs.

Background

For those who have been following Schrems II, it has been a long journey to get here.

The case has its origins in a complaint made by Mr Schrems a number of years ago, raising concerns about the level of protection afforded to his personal data by Facebook, who were at the time relying on the old US Safe Harbor regime to transfer personal data from Facebook Ireland to the US. That initial complaint resulted in the Safe Harbor being invalidated by the ECJ and Facebook moving to rely instead on the SCCs to legitimise their international transfers. Mr Schrems complained again, this time on the basis that Facebook’s use of the SCCs did not afford appropriate protection to his personal data because of the surveillance powers of US authorities.

In November 2019, the ECJ heard oral submissions relating to the validity of the SCCs (and, by extension, the EU-US Privacy Shield). Just before Christmas last year, the Advocate General of the Court then published his non-binding recommendation that the SCCs remain a valid mechanism to legitimise the transfer of personal data to third countries – and companies around the EU were able to breathe an small sigh of relief. For a detailed analysis of the AG’s opinion, see here.

Today the ECJ has laid down its own judgment on the case, and with it the most significant ruling in data protection for a number of years.

Privacy Shield: No longer a valid transfer mechanism

In a slightly surprising turn of events, the ECJ has today declared the EU-US Privacy Shield invalid like the US Safe Harbor regime before it. Whilst the AG did note in his Opinion that Privacy Shield may not provide an adequate level of protection, interestingly, the AG did not consider that the validity of Privacy Shield was directly within the scope of the questions referred from the Irish High Court in this instance.  It is therefore noteworthy that the ECJ has taken the step not only to question the validity of Privacy Shield but to invalidate it.

The ECJ’s reasons for invalidating the Privacy Shield included:

• The Privacy Shield decision found that the requirements of US national security, public interest and law enforcement have primacy, and therefore condoned interference with the fundamental rights of persons whose data are transferred to that third country.
• The conditions and limitations built in to the Privacy Shield regime are not sufficient to limit the surveillance powers to what is strictly necessary, as required in order to provide protection to data subjects that is essentially equivalent to the GDPR.
• Finally, whilst Privacy Shield provided for the Ombudsperson mechanism, this mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law” both because the Ombudsperson is not sufficiently independent and owing to the fact that the Ombudsperson is not empowered to adopt decisions which are binding on the US intelligence services.

Practically, this decision could have significant implications for many companies. Notably, most of the “big tech” providers are currently registered with Privacy Shield meaning that many European businesses will now need to scramble to put an alternative transfer mechanism in place – and do so quickly. Which brings us neatly to the SCCs…

The SCC’s: Still valid but with a sting in the tail

Whilst companies can breathe a sigh of relief that the SCCs were not likewise invalidated, the judgment comes with a fairly significant sting in the tail and does not give data transfers subject to the SCCs a clean bill of health.

• The ECJ has held that the SCCs are still a valid mechanism for transferring personal data to a third country despite the fact that they do not bind the authorities of the relevant third country.
• However, the validity of the SCCs is conditional upon whether there are effective mechanisms which ensure compliance with the level of protection required by the EU. In this respect, the ECJ notes that the SCCs contain an obligation on the data exporter and the recipient of data to verify, prior to any transfer, whether the laws of the third country will effectively prevent the recipient from complying with the SCCs.  The recipient is also obliged to inform the data exporter where this is the case.
• Where adequate protection is not possible, the data exporter should suspend transfers or terminate the SCCs. The ECJ also provides that supervisory authorities have an obligation to suspend or prohibit transfers where they take the view that the data to be transferred to a third country will not have the level of protection which is required by EU law, and where the data exporter has not themselves suspended the transfer.

Where does this leave us?

In handing down its judgment, the ECJ seems keen to point out that use of the SCCs should not be viewed by organisations as simply a paper exercise. The court wants exporters, importers and regulators alike to take responsibility for assessing adequate protections in third countries rather than simply relying on the contracts.

For transfers to the US in particular, this seems to raise a significant challenge given the comments of the ECJ with respect to the lack of adequacy of protections in place. It therefore remains to be seen how businesses can undertake the required due diligence to reach a conclusion that data is sufficiently protected when being sent to the US, even using the SCCs.

In addition, it will be interesting to see if the oversight by supervisory authorities will lead to further interactions between supervisory authorities and exporting controllers. It seems almost inevitable that Mr Schrems will now expect either Facebook itself or the Irish Data Protection Commissioner to suspend the transfer of data from Ireland to the US in reliance of the SCCs but it is not clear what alternative mechanism could be put in place if one of both of those parties agrees that the US regime means that SCCs cannot lawfully be relied upon.

We will publish a more comprehensive analysis following a full review of the judgement.