Data Protection Update – The end of the road for the Privacy Shield and a bright light shone on Standard Contractual Clauses
27th July 2020
On 16 July 2020, the CJEU handed down its much awaited judgment in the so called “Schrems II” case (Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18)) invalidating the Privacy Shield as a mechanism for lawfully transferring personal data from the EU to the US but upholding the validity of the European Commission approved Standard Contractual Clauses (SCCs). However, whilst the SCCs remain valid, the CJEU has placed them under more scrutiny.
In light of the CJEU’s comments regarding US surveillance laws and practices, there is now much uncertainty as to whether the SCCs can be used as a mechanism for the transfer of personal data to the US. The judgment also makes it clear that SCCs are not simply a paper exercise and they require the parties to carry out an assessment on a case-by-case basis of the level of protection for personal data in the destination country. They will not always therefore, provide a lawful mechanism for the transfer of data.
- The CJEU invalidated the decision on the adequacy of the protection of the EU-US Data Protection Shield (Privacy Shield) with immediate effect. The CJEU looked at the protections offered under the GDPR and the level of protection required in respect of a transfer of personal data for commercial purposes by an entity from an EU member state to another entity based in a third country. In this respect, the CJEU stated that the level of protection must be equivalent to that guaranteed within the EU by the GDPR read in light of the provisions of the Charter of Fundamental Rights. The CJEU concluded that it is not possible to ensure compliance with the level of protection required by EU law given the absence of limitations on the surveillance powers of US intelligence authorities and the absence of any actionable rights for data subjects before the courts against such authorities. The CJEU held that the Privacy Shield’s Ombudsman is not sufficiently independent and cannot adopt decisions that bind US intelligence services.
- The CJEU upheld the validity of the Standard Contractual Clauses. However, validity is not automatic and needs to be assessed on a case-by-case basis. In upholding the validity of SCCs, the CJEU highlighted the existing obligations of:
  - the exporter and the recipient to verify the adequacy of the level of protection afforded to personal data in the destination country. This is an ongoing requirement of the parties;
  - the recipient to notify the data exporter of any inability to comply with the SCCs; and
  - the exporter to suspend the transfer of data or terminate the contract when it is so notified.
- The CJEU also highlighted the obligation of data protection regulators to monitor compliance with the SCCs and to suspend or prohibit a transfer of personal data when the level of protection of personal data cannot be guaranteed.
Impact of the Judgment
Given the complexities of this judgment, it is difficult at this stage to state with any certainty how this will play out, the approach that data protection regulators will take and how organisations should undertake an adequacy assessment of another country. It is going to take a while for the regulators to consider the implications and provide any detailed comment. Their role in policing the use of SCCs, whilst not new, has now been specifically called out by the CJEU, which only adds to their ever-growing “to do list”.
What is certain is that the Privacy Shield can no longer be used. As tempting as it may be though, immediately rushing to sign SCCs as an alternative transfer mechanism may not be the solution to the problem. The obligations in the SCCs need careful review and consideration for all data transfers which rely on them.
Since the judgment, a number of EU data protection regulators have issued statements. Some, like the ICO, have simply stated that, for now, they are considering the judgment and its impact. Others, along with the European Data Protection Board, have highlighted the need for an adequacy assessment prior to the use of SCCs. The Berlin Commissioner has gone even further and requested that controllers stop transfers to the US.
Steps to Take
In the UK, the ICO has stated that organisations relying on the Privacy Shield should continue to do so until further guidance is issued. There are, however, some steps that organisations can, and should, start to take now:
- Identify all agreements and arrangements which rely on the Privacy Shield or SCCs for the transfer of personal data from the EU.
- Consider the necessity of such transfers and whether the data can be kept within the EU/UK.
- Consider whether the data might be accessed and used by intelligence authorities or other public authorities. Bear in mind that the recipient might not itself be an organisation that is subject to surveillance laws, but its data might be held by such an organisation.
- Review the existing security measures and safeguards in place with the recipient.
- Consider whether any additional security measures and safeguards can be implemented to afford greater protection for personal data.
- Watch out for further guidance from the European Data Protection Board, the European Commission, the ICO and other EU data protection regulators.
The European Commission is already looking at the modernisation of the SCCs and may well include further measures to take this judgment into account, although contractual provisions alone are not the answer here. As long as US surveillance laws exist in their current form and take primacy over EU data protection laws, there is an issue. This problem is not going to be fixed by a piece of paper alone.
As for Brexit and how this judgment might affect the UK’s ability to get an adequacy decision from the European Commission when the powers of its intelligence agencies come under scrutiny, much remains to be seen. Organisations should already be thinking about EU-UK data transfers and the mechanism that they are going to use after 31 December 2020 as an adequacy decision is by no means guaranteed or coming quickly.