The eagerly anticipated (see Monday’s blogpost) judgment is out – and the European Court has declared (summary here), in a case commonly referred to as Schrems II, that standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries remain valid but that the EU-U.S. Privacy Shield (Privacy Shield) is invalid.
In its judgment(summary available here) the Court of Justice of the European Union (CJEU) found:
- Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries remains valid; and
- Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (Privacy Shield) is invalid.
For SCCs, the CJEU found that the validity of this transfer mechanism is not called into question but that, when assessing of the level of protection of personal data in a third country under the SCCs, “any access by the public authorities of that third country to the data transferred [and] the relevant aspects of the legal system of that third country” must also be considered. It remains to be seen whether this statement will lead to a more stringent application of the SCC provisions in practice (i.e. data protection authorities might scrutinise more closely that SCC provisions are not only agreed but also implemented in practice). Notably, the CJEU held that “competent supervisory authorities are required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means.”
The Commission is currently updating its SCCs in light of the GDPR and to provide for all transfer scenarios. Given that the SCCs have not been invalidated by Schrems II, we should expect the new SCCs sooner rather than later – European Commission Justice Commissioner Didier Reynders has reportedly hinted that we could see them as early as August.
In the first Schrems decision, delivered in October 2015, the CJEU ruled that the ‘Safe Harbor’ framework, which provided a legal basis for transfers of personal data from the EU to companies established in the U.S., was invalid. As around 4000 companies in both the EU and U.S. relied on the Safe Harbor framework, this decision had huge implications for business. It took until July 2016 for the EU and U.S. to agree on an alternative framework, the Privacy Shield. This has been the subject of intense scrutiny, particularly following the entry into application of the GDPR in May 2018, and an annual review process, to ensure EU citizens’ personal data is sufficiently protected. Over 5000 organisations are currently self-certified to this mechanism, which is more than the Safe Harbor mechanism had in its thirteen years of operation.
While Advocate General Saugmandsgaard Øe had advised the CJEU that the proceedings did not “require the Court to rule on the validity of the ‘Privacy Shield’ decision”, the CJEU has decided to declare this data transfer mechanism invalid. In doing so, the CJEU argued that “limitations on the protection of personal data arising from the domestic law of the U.S. on the access and use by U.S. public authorities of such data transferred from the EU to that third country […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” The CJEU also found that the Ombudsperson mechanism required by the Privacy Shield “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law.”
The EU and U.S. will now have to renegotiate the EU-U.S. data transfer framework. Given the current geopolitical tensions, including regarding data protection, this process could be more difficult than it was for the Privacy Shield. That being said, ahead of the judgment, U.S. Department of Commerce Deputy Assistant Secretary Jim Sullivan, who has been directly involved in the EU-U.S. Privacy Shield annual review process said, “The U.S. and Europe have a shared interest in protecting individual privacy and ensuring the continuity of data transfers critical to the $7.1 trillion transatlantic economic relationship […] [Our] Privacy Shield Team stands ready to work with our EU partners—just as we have before, during, and after all three successful joint annual reviews of the EU-U.S. Privacy Shield Framework since 2017.”
