The Schrems II judgment - a new reality for transfers to third countries
On 16 July 2020, the Court of Justice of the European Union (the "CJEU") delivered its judgment in the Schrems II case concerning the transfer of personal data from the European Union to the United States.
The CJEU finds that the Privacy Shield is invalid. It therefore immediately ceases to be available as a basis for transfers from the European Union to the United States.
Further, the CJEU finds that the European Commission's standard contractual clauses ("SCCs") can still generally be used as a transfer basis for transfers from EU member states to third countries. However, the data exporter must ensure - for each transfer - that the protection obtained is "essentially equivalent" to the level of protection in the European Union. For instance, the legislation of the importing country must not impose obligations on the data importer, for example to disclose information to that country's authorities, which go beyond what would be regarded under European standards as an objectively justified, necessary and proportionate interference with fundamental rights, and "effective judicial remedies" must be available in the importing country to persons whose personal data are processed by the authorities.
The case started in 2013 when Max Schrems - following Edward Snowden's disclosure of US mass surveillance - lodged a complaint with the Irish Data Protection Commissioner about Facebook Ireland's transfer of his personal data to Facebook Inc. in the United States. The transfer was based on the then Safe Harbor programme, under which US companies covered by the programme were considered to be situated in a "safe third country".
The background for the complaint was that Mr Schrems believed that, because of US legislation on national security and related matters, the US companies participating in the Safe Harbor programme could not ensure an adequate level of protection for personal data, as required by European data protection legislation.
The Irish courts referred the matter to the CJEU, which declared the Safe Harbor programme invalid in October 2015. In the judgment, the CJEU determined at the same time that the level of protection of personal data in a "safe third country" must be "essentially equivalent" to the level of protection of personal data in the European Union.
In 2016, the Safe Harbor programme was replaced by the corresponding Privacy Shield programme which, in the opinion of the European Commission, corrected the deficiencies of the Safe Harbor programme, for instance by virtue of stronger oversight and enforcement mechanisms, including an independent Privacy Shield Ombudsperson.
Following the CJEU's judgment, Max Schrems reformulated his original complaint to the Irish Data Protection Commissioner, as Facebook - now on the basis of modified SCCs - continued to transfer personal data to the United States. Mr Schrems did not believe that the modified SCCs afforded him protection similar to that of the European Union, in particular because of the US legislation mentioned above giving the authorities broad access to personal data.
When considering the new complaint, the Irish Data Protection Commissioner found that there was a serious and more systematic problem with SCCs and therefore brought the case before the Irish High Court in order that questions could be referred to the CJEU for a preliminary ruling.
1) The Privacy Shield programme is invalid and can no longer be used as transfer basis.
The CJEU establishes that the Privacy Shield programme is not compatible with GDPR, Article 45, read in conjunction with Articles 7, 8 and 47 of the EU Charter of Fundamental Rights (the "Charter") on privacy, data protection and the right to an effective judicial remedy. This invalidates the European Commission's assessment that the United States provides adequate protection of the personal data that are transferred from the European Union to certified US companies under the Privacy Shield programme.
The invalidation is due to US legislation on national security and related matters, which the CJEU does not find to comply with the requirement of proportionality set out in Article 52 of the Charter. The CJEU establishes that interference with fundamental rights can only take place pursuant to a clear and precise statutory basis, and that any limitation of or interference with fundamental rights can only be justified if it is strictly necessary. Furthermore, no effective judicial remedies are available to the persons concerned.
2) SCCs are still generally applicable as transfer basis to countries outside the EU/EEA, see GDPR, Article 46.
The CJEU finds that SCCs must provide a level of protection that is "essentially equivalent" to that of the European Union. It confirms that this standard applies not only to the assessment of safe third countries under GDPR, Article 45, but also to the other instruments in GDPR, Article 46, including SCCs (and Binding Corporate Rules).
In addition, the CJEU finds that nothing prevents the SCCs from providing the required level of protection. However, this requires a specific, overall assessment of all circumstances of the transfer, including in particular - but not limited to - whether the authorities in the importing country are able to access the transferred personal data or to demand that such personal data be surrendered. The reason for this focus on the authorities in the importing country is that SCCs, being a contract between exporter and importer, do not bind those authorities.
It is therefore a requirement that the data exporter - prior to the commencement of each transfer - makes a specific assessment as to whether the transferred personal data are subject to government access and, if so, whether such government access
- is provided for by law
- is restricted to what is necessary and proportionate, for instance in consideration of national security and law enforcement
- is subject to control to the effect that the persons concerned have effective judicial remedies with respect to government access
The requirement applies to both pending and future transfers of personal data on the basis of SCCs (and Binding Corporate Rules).
Finally, the CJEU's judgment confirms that the national data protection supervisory authority is entitled and obliged to intervene by issuing orders/injunctions if a data exporter carries out a transfer based on SCCs which does not provide a level of protection which is "essentially equivalent".
The judgment has immediate effect, both in terms of the invalidity of the Privacy Shield and with respect to the requirement for an "essentially equivalent" level of protection in connection with transfers based on SCCs.
The CJEU's judgment largely follows the opinion of Advocate-General Henrik Øe. In its previous rulings, the CJEU has provided for very strong protection of the fundamental rights on privacy (Article 7) and protection of personal data (Article 8). The judgment in Schrems II is a natural extension of the previous rulings and is not surprising.
The judgment confirms the Danish interpretation of the rules. The Danish Ministry of Justice's Report 1565 on GDPR [in Danish] includes on page 635 ff a description of the requirements described by the CJEU in the Schrems II judgment. The requirements were also set out in the first version of the Danish Data Protection Agency's guidance on third-country transfers under the GDPR but were, for other reasons, deleted from the second version.
The judgment may seem very "unappreciative" of the manner in which personal data move around the world, not least through cloud-based IT solutions. However, the judgment should probably be regarded as another example of business models developing faster than the questions they raise are presented to supervisory authorities and courts. When the rules do "catch up with" reality, business models may have to be reversed a little.
What do I do as a data exporter?
The judgment has major practical consequences, but the European data protection authorities must first provide their interpretations of it. While awaiting the reactions of the supervisory authorities, you should already now
- Identify all third-country transfers made by the organisation. In that connection you should pay attention to cloud services, which often use data centres both inside and outside the European Union. Remember that "read-only" access from a third country to data held in data centres in the European Union also constitutes a transfer to a third country. Remember to identify all stages in the supply chain, including sub-processors
- Determine the transfer basis for each transfer to a third country - ie Privacy Shield, SCCs, Binding Corporate Rules or one of the specific situations in Article 49
- Review the SCCs actually applied, see item 2) above
As far as the United States in particular is concerned, a more general announcement must be expected as to whether SCCs can be used as a basis for future transfers, including on the (enforced) replacement of the Privacy Shield programme, for instance in relation to specific sectors.
As far as other countries are concerned, a solution, at least for cloud services, will probably be that the provider of the cloud service changes its supply model so that fewer third countries are involved. Finally, there will probably be some countries to which data as a rule cannot be transferred in the future.
Remember generally that transfers to third countries are also subject to the principle of accountability in GDPR, Article 5(2). As a data exporter you have a (proactive) "burden of proof" for the transfer being subject to an adequate level of protection, and this must be documented prior to the transfer. A new assessment has to be made every time changes occur with respect to supply structures etc, for instance when a new data processor is introduced into a cloud structure.
Plesner will be monitoring the supervisory authorities' announcements and we will be hosting webinars at Plesner LegalHub.
We will also be able to assist you in procuring assessments from local attorneys of the rules on government access, if you, for instance, have a subsidiary in the relevant country.