The CJEU has today issued its much anticipated judgement in Ireland & Schrems (Case C-311/18) (Schrems II). There were two key issues for the CJEU to opine on:
1. Transferring data under the EU’s Standard Contractual Clauses; and
2. Transferring data from the EU to the US by relying on the US Privacy Shield to provide appropriate safeguards.
Standard Contractual Clauses
The Standard Contractual Clauses (“SCCs”, also known as the “Model Clauses”) remain effective in principle, although this validity will depend on whether it is possible, in practice, for the data importer to ensure compliance with the level of protection required by EU law.
This means that transfers of personal data made under the SCCs should be suspended or prohibited by the EU data exporter in the event that the individual’s data protection rights are not protected outside the EU to a standard “essentially equivalent” to that under GDPR.
Consequently, we are likely to see more focus on importers of the data of EU citizens (in particular those based in the US - but this ruling applies to all third countries without an adequacy decision) to prove to the EU-based data exporter that the processing will not conflict with the GDPR.
EU-US Privacy Shield
The CJEU has declared the Privacy Shield invalid. The ruling is not a great surprise, following views in some quarters that the Privacy Shield was effectively the Safe Harbour agreement under another name.
The court concluded that the Privacy Shield did not provide a level of protection of personal data in the US “essentially equivalent” to that under the GDPR and EU law, due to the intrusive nature of surveillance programmes undertaken by the US government and intelligence agencies, which are not limited to information that is “strictly necessary” and are therefore viewed as disproportionate under GDPR.
Further, the court noted the limited ability of non-US citizens to challenge the US government processing their data in this manner. The Privacy Shield Ombudsman (which was set up by the European Commission in response to criticism that EU individuals lacked access to an effective remedy under US law regarding processing of their data) still did not provide data subjects with adequate access to justice, as its decisions were not binding on US intelligence services and its impartiality was deemed to be questionable.
Austrian privacy advocate Max Schrems, who brought the case against Facebook and the Irish supervisory authority, noted that this puts the US on the same footing as any other third country, and hopes that this decision will encourage US corporations to advocate for stronger privacy rights for foreign citizens.
The clarified role of data protection supervisory authorities
The CJEU has also put pressure on Member State supervisory authorities to enforce the clarified obligations under the SCCs – it noted that authorities actually already have the powers to do so under the existing SCCs and should be using these powers. Unless there is a valid adequacy decision from the European Commission (and only 12 jurisdictions worldwide have received such a decision so far), where the EU data exporter has not itself ended non-compliant transfers, the relevant national supervisory authority (being the ICO in the UK) is responsible for suspending or prohibiting a transfer of personal data to a third country where it takes the view that the SCCs are not or cannot be complied with in that country.
There is now an increased possibility of the ICO and other supervisory authorities undertaking enforcement actions against organisations to prevent transfers that are taking place under SCCs as well as the now invalid Privacy Shield.
For now, the attitude of the ICO seems to be supportive of businesses, after it issued a brief press statement saying that the ICO “stands ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
For businesses relying on the EU-US Privacy Shield to transfer data of EU citizens to the US, this judgement will come as a setback. These businesses will need to review their flows of data and enter into arrangements incorporating the SCCs with their US data importer.
For organisations who already rely on SCCs (or intend to now start relying on the SCCs) in order to transfer data to third countries (including the US), now is a good time to review these and ensure that they are practicably enforceable in that third country.
If this judgement has affected your data sharing arrangements, our Data Protection team is ready to help. For more information please contact David Varney.
This article was written by David Varney and Andrew Wilson.