Data Protection Update – The end of the road for the Privacy Shield and a bright light shone on Standard Contractual Clauses

27th July 2020

Sarah Williamson

27 July 2020

On 16 July 2020, the CJEU handed down its much awaited judgment in the so called “Schrems II” case (Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18)) invalidating the Privacy Shield as a mechanism for lawfully transferring personal data from the EU to the US but upholding the validity of the European Commission approved Standard Contractual Clauses (SCCs). However, whilst the SCCs remain valid, the CJEU has placed them under more scrutiny.

In light of the CJEU’s comments regarding US surveillance laws and practices, there is now much uncertainty as to whether the SCCs can be used as a mechanism for the transfer of personal data to the US. The judgment also makes it clear that SCCs are not simply a paper exercise and they require the parties to carry out an assessment on a case-by-case basis of the level of protection for personal data in the destination country. They will not always therefore, provide a lawful mechanism for the transfer of data.

Key Takeaways:

The CJEU invalidated the decision on the adequacy of the protection of the EU-US Data Protection Shield (Privacy Shield) with immediate effect. The CJEU looked at the protections offered under the GDPR and the level of protection required in respect of a transfer of personal data for commercial purposes by an entity from an EU member state to another entity based in a third country. In this respect, the CJEU stated that the level of protection must be equivalent to that guaranteed within the EU by the GDPR read in light of the provisions of the Charter of Fundamental Rights. The CJEU concluded that it is not possible to ensure compliance with the level of protection required by EU law given the absence of limitations on the surveillance powers of US intelligence authorities and the absence of any actionable rights for data subjects before the courts against such authorities. The CJEU held that the Privacy Shield’s Ombudsman is not sufficiently independent and cannot adopt decisions that bind US intelligence services.

The CJEU upheld the validity of the Standard Contractual Clauses. However, validity is not automatic and needs to be assessed on a case-by-case basis. In upholding the validity of SCCs, the CJEU highlighted the existing obligations of:
- the exporter and the recipient to verify the adequacy of the level of protection afforded to personal data in the destination country. This is an ongoing requirement of the parties;
- the recipient to notify the data exporter of any inability to comply with the SCCs; and
- the exporter to suspend the transfer of data or terminate the contract when it is so notified.

The CJEU also highlighted the obligation of data protection regulators to monitor compliance with the SCCs and to suspend or prohibit a transfer of personal data when the level of protection of personal data cannot be guaranteed.

Impact of the Judgment

Given the complexities of this judgment, it is difficult at this stage to state with any uncertainty how this will play out, the approach that data protection regulators will take and how organisations undertake an adequacy assessment of another country. It is going to take a while for the regulators to consider the implications and provide any detailed comment. Their role in policing the use of SCCs, whilst not new, has now been specifically called out by the CJEU which only adds to their ever growing “to do list”.

What is certain is that the Privacy Shield can no longer be used. As tempting as it may be though, immediately rushing to sign SCCs as an alternative transfer mechanism may not be the solution to the problem. The obligations in the SCCs need careful review and consideration for all data transfers which rely on them.

Since the judgment, a number of EU data protection regulators have issued a statement. Some, like the ICO, have simply stated that for now that they are considering the judgment and its impact. Others, along with the European Data Protection Board, have highlighted the need for an adequacy assessment prior to the use of SCCs. The Berlin Commissioner has gone even further though and requested that controllers stop transfers to the US.

Steps to Take

In the UK, the ICO has stated that organisations relying on the Privacy Shield should continue to do so until further guidance is issued. There are, however, some steps that organisations can, and should start to, take now:

Identify all agreements and arrangements which rely on the Privacy Shield or SCCs for the transfer of personal data from the EU.
Consider the necessity of such transfers and whether the data can be kept within the EU/UK.
Consider whether the data might be accessed and used by intelligence authorities or other public authorities. Bear in mind that the recipient might not itself be an organisation that is subject to surveillance laws, but its data might be held by such an organisation.
Review the existing security measures and safeguards in place with the recipient.
Consider whether any additional security measures and safeguards can be implemented to afford greater protection for personal data.
Watch out for further guidance from the European Data Protection Board, the European Commission, the ICO and other EU data protection regulators.

The European Commission is already looking at the modernisation of the SCCs and may well include further measures to take into account this judgment although contractual provisions alone are not the answer here. As long as US surveillance laws exist in their current form and take primacy over EU data protection laws, there is an issue. This problem is not going to be fixed by a piece of paper alone.

As for Brexit and how this judgment might affect the UK’s ability to get an adequacy decision from the European Commission when the powers of its intelligence agencies come under scrutiny, much remains to be seen. Organisations should already be thinking about EU-UK data transfers and the mechanism that they are going to use after 31 December 2020 as an adequacy decision is by no means guaranteed or coming quickly.

Read about how Lee & Thompson can help with all aspects of your data privacy on our dedicated Data Privacy page.

Cookie	Duration	Description
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat	1 minute	This cookie is installed by Google Analytics to throttle the request rate to limit the collection of data on high traffic sites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information about how visitors use our website and to help in creating an analytics report showing the website's activities. The data collected by the cookie include the number of visitors, where they have come from, and the pages they have visited, all in an anonymous form.