Schrems II judgment: Privacy Shield invalidated and SCCs scrutinised
In a surprising and arguably bold judgment, the Court of Justice of the European Union (CJEU) yesterday invalidated the EU-US Privacy Shield ("Privacy Shield") mechanism, which many businesses rely on to transfer personal data from the EU to the United States.
The court did however state that the Standard Contractual Clauses ("SCCs") remain valid, although they also came under scrutiny. We examine here the implications of the judgment and set out what organisations need to do next.
The GDPR contains a prohibition on organisations transferring personal data outside the EU (or, more accurately, the European Economic Area – including the UK, and this will remain the case post-Brexit), unless appropriate safeguards are in place or a derogation applies or where the transfer is to a jurisdiction that has been officially declared by the Commission to be adequate. A transfer is defined broadly and would include, for example, an individual in the US accessing/viewing data on an organisation’s group level CRM platform, where such data originated in the UK. No general finding of adequacy has ever been made in relation to the US, but instead (partly as a compromise given the importance of EU/US data flows), the Privacy Shield framework was approved in 2016 as a method of providing adequate protection for US data flows.
The Privacy Shield replaced the US Safe Harbor framework, which was declared invalid in 2015 by the CJEU in a case initiated by the privacy activist Max Schrems (now widely known as Schrems I). The CJEU at the time ruled that: US intelligence services were able to gain access to personal data to an extent that was beyond what was necessary and proportionate for the protection of national security; that non-US persons did not have a right to seek legal remedies in the US for misuse of their data; and finally that data protection authorities were not prevented from examining claims from individuals that their data had not been properly protected. As a result, the decision of the European Commission which had found that the US Safe Harbor provided adequate protection for personal data transferred from the EU to Safe Harbor member companies in the US was invalid.
The SCCs on the other hand are a contractual solution, i.e. the data exporter and the data importer sign an agreement that confers third party rights on the individuals whose data is transferred. The SCCs may not be amended (if they are, they are no longer considered valid under the GDPR). There are two sets of model clauses, one for controller to controller transfers and one for controller to processor transfers.
What did the court say?
The CJEU examined the validity of both the Privacy Shield and the SCCs. The purpose of the assessment was to determine whether either transfer mechanism afforded EU citizens, whose personal data was transferred to the United States, a level of data privacy essentially equivalent (i.e. sufficiently high) to that offered under EU law.
The CJEU found that Privacy Shield did not afford this level of protection and, as such, declared it invalid. The SCCs were declared to be valid although the obligation, on both supervisory authorities and the organisations that rely on the SCCs, to verify the level of protection offered to data transferred pursuant to them was reinforced.
The CJEU’s key criticism of Privacy Shield related to the access that state authorities may have to EU citizens’ data once it has been transferred. The court recognised that if data is transferred to a third country, it may end up being used or accessed by the state (i.e. this is a reality that needs to be accepted), but this has to be subject to an acceptable level of protection. In the case of Privacy Shield, the protection afforded was not sufficient, fundamentally because the regime did not grant EU citizens actionable rights before the courts against the US authorities. Moreover, certain US state surveillance programmes continued to allow for too sweeping a level of unfettered access.
The SCCs, by contrast, could potentially afford a sufficient level of protection (notwithstanding the fact that they are essentially a contract between the exporter and importer and, as such, not binding on any third party, including state authorities) and therefore remained valid. However, the court noted that the SCCs impose an obligation on data exporters and importers to verify the level of protection offered in the third country and to identify whether the data importer is legally able to comply with the SCCs.
This judgment came as something of a surprise and its impact should not be underestimated. The invalidation of Privacy Shield was unexpected because many commentators considered this to be the sideshow compared to the court’s findings on the SCCs. Both the European Commission and the Advocate General (in its preliminary judgment in December 2019) had recently looked at the Privacy Shield and found it to have problems, but to be fundamentally sound.
The invalidation of a mechanism relied upon by a huge number of businesses (including many SMEs) obviously creates an issue for those businesses (as well as wider geopolitical ripples between the EU and US). There is the immediate issue of repapering US data flows with the SCCs, or other available transfer mechanisms, as well as a lingering question over what the wider impact on cross border data transfers may be.
Whilst the CJEU found that the SCCs could potentially provide sufficient protection against state access to data (subject to the parties being able to verify the level of protection offered in a third country), it is notable that the SCCs’ default protection in this regard is also fairly weak. Taking the controller to processor SCCs as an example, the protection essentially comprises the data importer being required to promptly notify the data exporter of any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited from doing so (clause 5(d)(i) of the SCCs).
Even where local law permits a data importer to take this basic step, such protection could hardly be deemed essentially equivalent to EU law. As such, a big question mark remains over what other protections the parties need to be able to point to and, moreover, how they go about doing so, i.e. what level of verification would be enough? The CJEU said (at paragraph 133 of the judgment) that the model clauses “may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures”. Taking the example of transfers to the US, in combination with the invalidation of the Privacy Shield, this points to the fact that organisations may not be able to rely on SCCs in isolation, but will be required to supplement the guarantees contained therein with additional contractual provisions and proper due diligence. We await further guidance from relevant supervisory authorities.
Moreover, given that supervisory authorities are also tasked with verifying the level of protection offered, we may see divergent analyses on a country-by-country basis (although the European Data Protection Board (EDPB) should have a role in preventing this).
Next steps for business
In short, if an organisation is currently relying on Privacy Shield as a transfer mechanism to legitimise the transfer of personal data from the EU to the United States, it will shortly need to find an alternative transfer mechanism.
Whilst there is no need for a knee-jerk reaction, as we would expect a short moratorium on regulatory action (as we saw when Safe Harbor was declared invalid), it is inevitable that an alternative mechanism will be required very shortly. The UK privacy regulator, the ICO, has released the following statement: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
With this in mind, the following steps should be considered:
- UK and EU businesses should undertake a due diligence exercise to identify all current data flows that rely on Privacy Shield (including, for example, supplier and service agreements). Existing data-mapping records may assist.
- Relevant data flows that rely on Privacy Shield should be assessed on the basis of risk and on the likelihood that the data importer will take measures to address potential disruption in an acceptable way (i.e. there is little point in seeking to amend your contract with your US-based hyper-scale cloud service provider; just wait to see what they say).
- For those material data flows (or agreements) that require action, a strategy should be put in place, most likely considering the use of SCCs or another transfer mechanism (in which case, further assurance and change management clauses should be considered), although data localisation may also be an option.
- The most likely candidate for an alternative transfer mechanism is the SCCs and, as such, many businesses should consider putting these in place. However, if and when implementing the SCCs, more than mere lip-service will be required with respect to the exporter and importer verifying that the importer is not prevented under local law from complying with the SCCs. Exporters may consider requesting additional warranties and assurances or undertaking some level of due diligence on the data importer. Might it be appropriate to exercise applicable audit rights?
If SCCs are currently relied upon, it is worth noting that the transfers undertaken on the basis of such SCCs have suddenly become a little more risky. Data exporters in particular should consider whether additional assurances or due diligence may be required to pre-empt claims that the level of protection offered under the relevant SCCs has not been properly verified.
What does this judgment mean for Brexit?
Since the Brexit referendum in June 2016, the implications for personal data transfers between the UK and the EU post-Brexit have been debated and considered (although not yet resolved). Following the Schrems II case, the UK will now have to turn its attention to transfers of personal data from the UK to the US and consider whether it will follow the EU jurisprudence and invalidate the use of Privacy Shield.
The UK is governed by the Data Protection Act 2018, which implements an applied version of the GDPR, and from 1 January 2021 the UK can, and may, diverge from the EU GDPR. In order to secure an agreement with the US, the UK could consider continuing to recognise the Privacy Shield (or a version thereof) as a valid transfer mechanism for UK-US transfers to minimise the impact on UK businesses. However, this would be a conscious divergence from the new EU jurisprudence following the Schrems II judgment, which would have to be carefully considered in the context of current UK-EU relations.
This judgment may also have implications for UK-EU data transfers. From January the UK will be a third country without an adequacy decision for the purposes of the GDPR. If the Commission follows the approach of the CJEU, it may become clear that Europe will not entertain compromising its citizens’ privacy rights in the interests of international trade. This may impact the likelihood of the UK achieving adequacy and, should it fail to do so, the SCCs are not quite the formality they once were.
The Schrems II decision makes it clear that personal data must not be transferred from the EU to a third country (without a valid European Commission adequacy decision) unless the individual is afforded an equivalent level of data protection, taking into account the contractual clauses but also any national laws in the receiving third country which may circumvent the protection of the contractual clauses. With this in mind, the UK will have to carefully consider whether to follow the EU’s ‘privacy first’ approach or diverge from it and risk disrupting data flows between the EU and the UK post-Brexit.
For further information, please contact Jonathan McDonald or your usual Charles Russell Speechlys contact.