• news-banner

    Expert Insights

SCHREMS II judgment: privacy shield invalidated and SCCs scrutinised

In a surprising and arguably bold judgment, the Court of Justice of the European Union (CJEU) yesterday invalidated the EU-US Privacy Shield ("Privacy Shield") mechanism, which many businesses rely on to transfer personal data from the EU to the United States.

The court did however state that the Standard Contractual Clauses ("SCCs") remain valid, although they also came under scrutiny. We examine here the implications of the judgment and set out what organisations need to do next.

Background

The GDPR contains a prohibition on organisations transferring personal data outside the EU (or, more accurately, the European Economic Area – including the UK, and this will remain the case post-Brexit), unless appropriate safeguards are in place or a derogation applies or where the transfer is to a jurisdiction that has been officially declared by the Commission to be adequate. A transfer is defined broadly and would include, for example, an individual in the US accessing/viewing data on an organisation’s group level CRM platform, where such data originated in the UK. No general finding of adequacy has ever been made in relation to the US, but instead (partly as a compromise given the importance of EU/US data flows), the Privacy Shield framework was approved in 2016 as a method of providing adequate protection for US data flows.

The Privacy Shield provided a replacement for the US Safe Harbor framework which was declared invalid in 2015 by the CJEU in a case initiated by the privacy activist Max Schrems (in a case now widely known as Schrems I). The CJEU at the time, ruled that: US intelligence services were able to gain access to personal data to an extent that was beyond what was necessary and proportionate for the protection of national security; that non-US persons did not have a right to seek legal remedies in the US for misuse of their data; and finally that data protection authorities were not prevented from examining claims from individuals that their data has not been properly protected. As a result, the decision of the European Commission which had found that the US Safe Harbor provided adequate protection for personal data transferred from the EU to Safe Harbor member companies in the US, was invalid.

On 2 February 2016, the European Commission announced a new framework to replace Safe Harbor: the Privacy Shield. Between the end of 2017 and middle of 2019, the European Commission conducted three annual reviews on the functioning of the Privacy Shield, each time confirming that the US continued to provide an adequate level of protection for personal data transferred under it. However the findings yesterday from the CJEU has confirmed that the Privacy Shield cannot guarantee an equivalent level of protection to that guaranteed by the GDPR and has therefore declared that the Privacy Shield is invalid. 
Industry bodies have been quick to urge EU and US policymakers to begin negotiating a successor agreement to Privacy Shield that addresses the concerns raised by the CJEU’s ruling.

The SCCs on the other hand are a contractual solution, i.e. the data exporter and the data importer sign an agreement that confers third party rights on the individuals whose data is transferred. The SCCs may not be amended (if they are, they are no longer considered valid under the GDPR). There are two sets of model clauses, one for controller to controller transfers and one for controller to processor transfers.
In this case, now widely known as Schrems II, Max Schrems had questioned the validity of both transfer mechanisms.

What did the court say?

The CJEU examined the validity of both the Privacy Shield and the SCCs. The purpose of the assessment was to determine whether either transfer mechanism afforded EU citizens, whose personal data was transferred to the United States, a level of data privacy essentially equivalent (i.e. sufficiently high) to that offered under EU law.

The CJEU found that Privacy Shield did not afford this level of protection and, as such, declared it invalid. The SCCs were declared to be valid although the obligation, on both supervisory authorities and the organisations that rely on the SCCs, to verify the level of protection offered to data transferred pursuant to them was reinforced.

The CJEU’s key criticism of Privacy Shield related to the access state authorities may have to EU citizen data once it had been transferred. The court recognised that if data was transferred to a third country, it may end up being used/accessed by the state (i.e. this was a reality that needed to be accepted), but this had to be subject to an acceptable level of protection. In the case of Privacy Shield, the protection afforded was not sufficient, fundamentally because the regime did not grant EU citizens actionable rights before the courts against the US authorities. Moreover, certain US state surveillance programmes continued to allow for too sweeping a level of unfettered access.

In the case of the SCCs, they could potentially afford a sufficient level of protection (notwithstanding the fact that they are essentially a contract between the exporter and importer and, as such, not binding on any third party – including state authorities), and, as such, remained valid. However, the court noted that the SCCs impose an obligation on data exporters and importers to verify the level of protection offered in a third country and identify whether the data importer was legally able to comply with the SCCs.

Analysis

This judgment came as something of a surprise and its impact should not be underestimated. The invalidation of Privacy Shield was unexpected because many commentators considered this to be the sideshow compared to the court’s findings on the SCCs. Both the European Commission and the Advocate General (in its preliminary judgment in December 2019) had recently looked at the Privacy Shield and found it to have problems, but to be fundamentally sound.


The invalidation of a mechanism relied upon by a huge number of businesses (including many SMEs) obviously creates an issue for those businesses (as well as wider geopolitical ripples between the EU and US). There is the immediate issue of repapering US data flows with the SCCs, or other available transfer mechanisms, as well as a lingering question over what the wider impact on cross border data transfers may be.

Whilst the CJEU found that the SCCs could potentially provide for sufficient protection against state access to data (subject to the parties being able to verify the level of protection offered in a third country), it is notable that the SCCs’ default protection in this regard is also fairly weak. Taking the controller to processor SCCs as an example, the protection essentially comprises the data importer being required to promptly notify the data exporter of any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited from doing so (clause 5(d)(i)) of the SCCs).

Just because local law may permit a data importer to take this basic step, this protection could hardly be deemed essentially equivalent to EU law. As such, a big question mark remains over what other protections the parties need to be able to point to and, moreover, how they go about doing so, i.e. what level of verification would be enough? The CJEU said (at paragraph 133 of the judgment) that the model clauses “may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures”. Taking the example of transfers to the US, in combination with the invalidation of the Privacy Shield, this points to the fact that organisations may not be able to rely on SCCs in isolation, but will be required to supplement the guarantees contained therein with additional contractual provisions and proper due diligence. We await further guidance from relevant supervisory authorities.

Moreover, given that supervisory authorities were also tasked with verifying the level of protection offered we may see divergent analyses on a country-by-country basis (although the European Data Protection Board (EDPB) should have a role in preventing this).

Next steps for business

In short, if an organisation is currently relying on Privacy Shield as a transfer mechanism to legitimise the transfer of personal data from the EU to the United States, they will shortly need to find an alternative transfer mechanism.

Whilst there is no need for a knee jerk reaction as we would expect a short moratorium on regulatory action (as we saw when Safe Harbor was declared invalid), it is inevitable that an alternative mechanism will be required very shortly. The UK privacy regulator, the ICO, has currently released the following statement: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”

With this in mind, the following steps should be considered:

  • UK and EU businesses should undertake a due diligence exercise to identify all current data flows that rely on Privacy Shield (including, for example, supplier and service agreements). Existing data-mapping records may assist.
  • Relevant data flows that rely on Privacy Shield should be assessed on the basis of risk and on the likelihood that the data importer will take measures to address potential disruption in an acceptable way (i.e. there is little point in seeking to amend your contract with your US based hyper-scale cloud service provider, just wait to see what they say).
  • For those material data flows (or agreements) that require action, a strategy should be put in place, most likely considering the use of SCCs or another transfer mechanism (in which case, further assurance and change management clauses should be considered), although data localisation may also be an option
  • The most likely candidate for an alternative transfer mechanism is the SCCs and, as such, many businesses should consider putting these in place. However, if and when implementing the SCCs, more than mere lip-service will be required with respect to the exporter and importer verifying that the importer is not prevented under local law from complying with the SCCs. Exporters may consider requesting additional warranties and assurances or undertaking some level of due diligence on the data importer. Might it be appropriate to exercise applicable audit rights?

If SCCs are currently relied upon, it is worth noting that the transfers undertaken on the basis of such SCCs have suddenly become a little more risky. Data exporters particularly should consider whether additional assurances or due diligence may be required to pre-empt claims that the level of protection offered under the relevant SCCs has been properly verified.

What does this judgment mean for Brexit?

Since the Brexit referendum in June 2016 the implications on personal data transfers between the UK and the EU post-Brexit have been debated and considered (although not yet resolved). Following the Schrems II case the UK will now have to turn its attention to transfers of personal data from the UK to the US to consider whether it will follow the EU jurisprudence and invalidate the use of Privacy Shield.
The UK is governed by the Data Protection Act 2018 which implements an applied version of the GDPR and from the 1st January 2021 the UK can, and may, diverge from the EU GDPR. In order to secure an agreement with the US, the UK could consider continuing to recognise the Privacy Shield (or a version thereof) as a valid transfer mechanism for UK-US transfers to minimise the impact on UK businesses. However, this would be a conscious divergence away from the new EU jurisprudence following the Schrems II judgement, which would have to be carefully considered in the context of current UK-EU relations.

This judgment may also have implications for UK-EU data transfers. From January the UK will be a third country without an adequacy decision for the purposes of the GDPR. If the Commission followed the approach of the CJEU, it may be seen that Europe will not entertain compromising its citizens’ privacy rights in the interests of international trade. This may impact the likelihood of the UK achieving adequacy and should it fail to do so, the SCCs are not quite the formality they once were.

The Schrems II decision makes it clear that personal data must not be transferred from the EU to a third country (without a valid European Commission adequacy decision) unless the individual is afforded an equivalent level of data protection taking into account the contractual clauses but also any national laws in the receiving third country which may circumvent the protection of the contractual clauses. With this in mind, the UK will have to carefully consider whether to follow the EU’s ‘privacy first’ approach or diverge away and risk disrupting data flows between the EU and the UK post Brexit.


For further information, please contact Jonathan McDonald or your usual Charles Russell Speechlys contact.

Our thinking

  • Women in Leadership: Planning for the future

    Sarah Wigington

    Events

  • Charles Russell Speechlys Paris significantly strengthens litigation practice with notable team hire led by Frédéric Dereux

    Frédéric Dereux

    News

  • Trade Credit Insurance – Protection, Economic Instability and Increased Demand

    Mary Barrett

    Insights

  • Consumer Duty - FCA warns that some firms are “lagging behind”

    Richard Ellis

    Insights

  • UK Government AI Regulation Response & Roadmap – Is the Government behind the wheel?

    Mark Bailey

    Insights

  • Remote Hearings – factors to consider

    Richard Kiddell

    Insights

  • Richard Davies writes for City AM on the lessons that the Premier League can learn from the Super Bowl and NFL

    Richard Davies

    In the Press

  • The ongoing fight against fakes

    Charlotte Duly

    Quick Reads

  • Abu Dhabi’s New Arbitral Centre Unveils its Rules

    Dalal Alhouti

    Quick Reads

  • Fortune quotes Richard Davies on sponsorship deals and the strength of brand/supporter loyalty in football

    Richard Davies

    In the Press

  • Legal tips and trends for Creative Design Agencies in 2024

    Rebecca Steer

    Insights

  • Charles Russell Speechlys advises Downing LLP on the successful refinancing of its loan facility with Kao Data

    News

  • New Regulations for the UAE’s Media Sector in 2024

    Mark Hill

    Quick Reads

  • Megan Paul writes for The Grocer on why green energy can be a 'money saver' for retailers rather than a 'money spender'

    Megan Paul

    In the Press

  • Greenwashing: The Story So Far

    Caroline Greenwell

    Insights

  • Under the Influence: Legal Considerations for Social Media Influencer Partnerships in the UAE

    Mark Hill

    Quick Reads

  • Reuters quotes Megan Paul on supply chain considerations coming out of tensions in the Red Sea

    Megan Paul

    In the Press

  • EU AI Act – Will it become a law for all the world?

    Nick White

    Quick Reads

  • Indemnity Costs in Derivative Claims – Briefing Note

    John Sykes

    Insights

  • Trading insolvently or trading out of difficulty? Are we being naughty or did we have the best intentions? Part 3

    Claudine Morgan

    Insights

  • Ctrl + GCC: The Rise of e-Sports in the Gulf

    Mark Hill

    Quick Reads

  • Digital Markets, Competition and Consumers Bill: Will new consumer protection rules restrict access to Gift Aid?

    Verity Heath

    Quick Reads

  • Radical reforms to fight economic crime: what should businesses do now?

    Rhys Novak

    Insights

  • Arbitration Rules – How Different Are They?

    Mazin Al Mardhi

    Insights

  • Caroline Swain writes for Startups Magazine on 'Green Claims'

    Caroline Swain

    In the Press

  • Caroline Swain writes for Fashion Capital on the EU’s new legal framework on textiles

    Caroline Swain

    In the Press

  • The End of the SAG-AFTRA Strike & What it Means for the Middle East

    Mark Hill

    Quick Reads

  • Tech Monitor quotes Gareth Mills on the CMA restricting Meta from using certain customer data

    Gareth Mills

    In the Press

  • UAE Strengthens its Position as Leading Destination for A.I.

    Mark Hill

    Quick Reads

  • Dubai Court of Cassation Extends Arbitration Agreement Across Subsequent Contracts

    Peter Smith

    Quick Reads

  • UAE Polishes Federal Arbitration Law

    Peter Smith

    Quick Reads

  • Drone deliveries: Be Prepared

    Emma Humphreys

    Quick Reads

  • Product compliance and Brexit - UK Government concedes to CE markings indefinite recognition

    Jamie Cartwright

    Quick Reads

  • Has the Orpéa plan impaired shareholder's consent? - Le plan de sauvegarde d'Orpéa n'a-t-il pas vicié le consentement des actionnaires historiques ?

    Dimitri-André Sonier

    Quick Reads

  • Will the downturn in the Paris region property market lead property companies to turn to ad hoc proceedings, as they did in the 1990s?

    Dimitri-André Sonier

    Quick Reads

  • Les défaillances en France proches de leur niveau de 2019 - French insolvencies close to 2019 levels

    Dimitri-André Sonier

    Quick Reads

  • Casino Group: An agreement with investors and debt holders is expected at the end of July

    Dimitri-André Sonier

    Quick Reads

  • DIAC Issues First Annual Report

    Georgia Fullarton

    Quick Reads

  • One year on: "Influencer Culture: lights, camera, inaction" remains astonishingly accurate

    Caroline Swain

    Quick Reads

  • Saudi Center for Commercial Arbitration publishes new Arbitration Rules

    Peter Smith

    Quick Reads

Back to top