Will the EU Standard Contractual Clauses survive legal challenge?

Since the fall of the Safe Harbor regime in October 2015, we have seen a rise in the popularity of the EU Standard Contractual Clauses (the SCCs). It has become standard practice for major US-based service providers to enclose a Data Processing Agreement, including the SCCs, in their service agreement packs for new clients.

Due to the requirements of the Data Protection Directive (the Directive) (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), in order for a transfer of personal data outside of the European Economic Area (EEA) to be lawful, the EEA-based data exporter may either: (a) enter into the SCCs with the data importer; (b) rely on a finding by the European Commission (the Commission) that the country of destination provides adequate protection for personal data (a Finding of Adequacy) (As of 31 October 2016, there are 12 valid adequacy decisions by the Commission. In addition, individual EU member states may issue their own findings of adequacy in relation to third countries); or (c) rely on one of the exemptions, which are of very limited application. For completeness, the Binding Corporate Rules are another transfer mechanism but are generally limited to intra-group transfers of personal data.

Whilst the SCCs are based on a contract, a Finding of Adequacy is based on a decision of the Commission. The EU-US Privacy Shield (the Privacy Shield) is based on such decision of the Commission and comes with a set of rules that apply to US-based data importers. Whilst the SCCs may be used in relation to any country and any sector, the Privacy Shield is limited to EU-US transfers and excludes data transfers of banks, insurers and telecoms companies. The Privacy Shield has been in force since 1 August 2016 and hundreds of organisations have now self-certified. The two regimes, the SCCs and the Privacy Shield, are not directly comparable and arguably the SCCs are the only global data transfer solution for external data transfers.

The SCCs, however, are now under threat and they are being challenged by the same arguments that brought down Safe Harbor. Many businesses are looking for alternatives and considering whether the Privacy Shield may ensure compliance of their EU-US data flows with the Directive. To add to the uncertainty, an application for annulment of the Privacy Shield has been lodged with the Court of Justice of the European Union (the CJEU) on 16 September 2016 (Digital Rights Ireland v Commission Case T-670/16).

Background

By way of background, the Safe Harbor regime became effective in July 2000. Criticism of the regime dates back to 2002, but it was not until Max Schrems’ complaint to the Irish Data Protection Commissioner (the DPC) in June 2013 against Facebook, which led to its fall. Facebook was transferring Max Schrems’ personal data to the US using Safe Harbor. Max Schrems complained that US enforcement agencies were bypassing the regime and were engaged in bulk collection of EU citizens’ personal data. This was allowed by, among other legislation, the U.S.A. P.A.T.R.I.O.T. Act (“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”) (the Patriot Act) and became better known after the Edward Snowden revelations. The DPC dismissed the claim as frivolous and vexatious and Max Schrems appealed in October 2013 to the Irish High Court. In June 2014, the High Court referred the case to the CJEU. A hearing by the CJEU followed on 24 March 2015. The Advocate General’s opinion issued in September 2015 led to the CJEU’s damning judgment on 6 October 2015.

However, the invalidity of Safe Harbor did not stop Facebook from transferring data to the US, which they continued to do so under the SCCs. Following the CJEU judgement, Max Schrems amended his complaint to challenge the SCCs on 20 October 2015. The DPC’s preliminary decision on 24 May 2016 stated that the case was well founded and the DPC commenced a proceeding in the Irish High Court on 31 May 2016.

This case has attracted a lot of attention and the US government’s request to be joined as a party was granted on 19 July 2016. It comes as no surprise that Facebook’s counsel has called the complaint extraordinary and misconceived. Meanwhile, Helen Dixon for the DPC wants the Irish High Court to escalate the matter to the CJEU, which has the authority to make a decision in this case. The Irish High Court has booked a slot for the hearing in February 2017 when it will decide whether it accepts the complaint and whether a referral to the CJEU should be made.

The legal challenge for the SCCs

The European Charter of Fundamental Rights (Charter) gives individuals certain rights, such as the right to:

respect for private life and family life, home and communications (Article 7);
the protection of personal data (Article 8); and
effective remedy for violation of Charter rights (Article 47).
Safe Harbor was deemed to be invalid due to significant over-reach of indiscriminate state surveillance practices in the US without appropriate and verifiable safeguards and without giving EU citizens an effective right to be heard. Such practices were inconsistent with Articles 7, 8 and 47 of the Charter and the US was held not to have adequately protected the personal data of EU citizens. The same arguments are the basis of the complaint against the SCCs.

The SCCs allow EU citizens to pursue breaches of the SCCs by a non-EEA data importer against the data exporter and, if no progress is made, then directly against the data importer. The data importer has to cooperate in good faith with the data exporter, the EU citizen and EU authorities. Whilst the SCCs provide for these remedies, they do not apply to persons authorised or required by law or regulation to have access to the personal data, such as US state authorities. In other words, the SCCs do not provide a remedy for any use of the personal data by the state for surveillance. This issue is at the heart of the complaint against the SCCs.

What can we expect next?

Whilst Safe Harbor and its successor, the Privacy Shield, are based on a Finding of Adequacy in respect of the US, the SCCs are in essence a contract. If the SCCs are entered into by the parties they will, according to the Commission, guarantee adequate safeguards for EU citizens personal data in the country to which the personal data is being transferred, in accordance with the Directive.

It is unclear if this will make a difference in dealing with the legal challenge to the SCCs. However, the intensive political process involved in the preparation of the Privacy Shield, as described below, could provide a steer as to the future of the SCCs.

Although not directly linked to the Privacy Shield, the USA Freedom Act was passed on 2 June 2015. It was not brought about by the fact that the Patriot Act was due to expire. The Act amended the Foreign Intelligence Surveillance Act of 1978 and it is claimed that it placed real restrictions and oversight on the National Security Agency’s surveillance powers. However, it was criticised for not addressing section 702 of the FISA Amendments Act, which the government uses for PRISM and upstream mass surveillance, and Executive Order 12333 relied on by the NSA for surveillance of non-Americans.
The Judicial Redress Act 2015 was passed in February 2016. This Act allows individuals from certain designated non-US countries to bring civil claims under the Privacy Act of 1974 against certain U.S. government agencies seeking to redress unlawful disclosures of records transferred to the US for the purposes of crime prevention and prosecution.
Reassurances were given by the US Government to the EU that national security surveillance is subject to clear limitations, safeguards and oversight mechanisms. Bulk collection of data would only be used under specific preconditions and would be as targeted as possible.
An Ombudsperson independent from the US intelligence services was established within the Department of State, and provides redress to EU citizens in relation to surveillance.
The Privacy Shield allows EU citizens to challenge the processing of their personal data by using the following mechanisms:
Each Privacy Shield organisation (PSO) must put in place an easy-to-access complaints route for EU citizens and respond to each complaint within 45 days.
Alternatively, the complainant may invoke the Alternative Dispute Resolution process, which must be clearly accessible from the PSO’s privacy policy.
Alternatively, individuals may complain to their national EU Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints are investigated and resolved.
Arbitration will provide redress as a last resort.
The Annual Joint Review will serve to monitor the functioning of the Privacy Shield, including the access to data for surveillance purposes. The review will be carried out by the Commission and the U.S. Department of Commerce together with US and EU national intelligence experts. The Article 29 Working Party will also be involved in the review.
The U.S. Department of Commerce will conduct regular updates and reviews of PSOs, to ensure that companies follow the rules to which they submitted themselves.
The topic of surveillance is not an issue exclusive to the US. The US has been in focus because of the Snowden revelations but there is little doubt that other countries engage in similar excessive surveillance practices. Persuaded by the importance of the EU-US trade, the US went on to remedy this by passing new legislation and creating new supervisory bodies, as set out above. However, it is unlikely that we could expect the same from other countries. So will the SCCs be capable of surviving as a standalone contractual solution or will legislative or executive action by third country governments be required in order to preserve Charter rights of EU citizens?

Whilst we cannot predict what the Irish High Court and the CJEU will decide, it is not unreasonable to expect that the SCCs will be struck down. However, given the importance of the SCCs for trade, the Commission might shortly after judgment release a new version of the SCCs which will address the shortcomings identified in the judgment. In remedying the shortcomings, the Commission might be inspired by some of the concepts established by the Privacy Shield and other steps taken in the US). Would this, however, push the bar for compliance too high for other countries? We will have to wait and see.

Depending on what the courts decide, we might see some or a mixture of the following changes to the SCCs:

more detailed contractual provisions about EU citizens’ rights and recourse mechanisms;
the right for EU citizens to enforce breaches directly against a non-EEA data importer;
submission of the non-EEA data importer to the jurisdiction of EU Data Protection Authorities;
mandatory notification of the SCCs to a EU authority, such as the Commission, and a public register of non-EEA data importers;
mandatory use of encryption for personal data transferred outside of the EEA; and/or
a list of countries which are deemed by the Commission as not providing adequate protection due to excessive surveillance.
Depending on how far the matter is pushed, we might see more bilateral treaties governing the safeguarding of EU citizens’ personal data in third countries. Ultimately, the close link between the transfers of personal data and trade will ensure that issues are resolved quickly. In the future, could this close link perhaps also bring about a change to the perception of human rights in countries which have had a poor track record in this area?

What to do in the meantime?

Unless the process is expedited, we are unlikely to see the end of the legal challenge to the SCCs for at least another 12 months. If the experience with Safe Harbor is anything to go by, it may take 9 – 12 months from when the reference is made by the Irish High Court (expected in February 2017) before the CJEU makes a decision. This would push the decision into late 2017 or early 2018.

If history is repeated, organisations relying on the SCCs will after the judgment not have to stop data transfers from one day to another. After the fall of Safe Harbor, at least four months have passed before there have been any reports of enforcement action by German authorities against organisations which still relied on Safe Harbor for EU-US data transfers. However, given the global reach and importance of the SCCs, it would not come as a surprise if regulators acted quicker this time.

Whether your organisation needs to take any action in the meantime will depend on the particular circumstances. The Privacy Shield may be the right option if your organisation is headquartered in the US with significant presence in the EEA, or vice versa, or if your organisation is a US-based service provider with target audiences in the EEA. It may be that your clients require your organisation to be Privacy Shield certified.

The Privacy Shield is probably more reliable than the SCCs for EU-US data flows for the time being. Having said that, the Article 29 Working Party will be scrutinising the Privacy Shield in its first Annual Joint Review and it may be subject to significant changes in due course. In addition, as mentioned above, a privacy group has initiated an action in the CJEU for the annulment of the Privacy Shield (Digital Rights Ireland v Commission Case T-670/16). So, whether you rely on the Privacy Shield or the SCCs, your organisation may have to revise its policies and procedures at the end of 2017 or early 2018.

The Privacy Shield could also mean more regulatory scrutiny as it will bring your organisation within the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation or another US statutory body, as well as the EU regulators, such as in relation to HR data.

Nevertheless, in these uncertain times, we have seen a number of businesses opting for a dual model, where their EU-US data flows are covered by both the SCCs as well as the Privacy Shield. In addition, some of our clients have in place the Binding Corporate Rules for intra-group data transfers.

However, if your organisation’s EU-US data flows are not significant and you are not pressed by the reasons set out above, then you should perhaps continue to use the SCCs and pencil late 2017 in your calendar for further updates. When the change comes, you may have to undertake a major review of your privacy compliance framework.

Conclusion

The Irish High Court is likely to make a reference to the CJEU in relation to the legal challenge to the SCCs and, if this happens, we would expect a judgment from the CJEU in late 2017 or early 2018. We are hopeful that the judgment will allow for the SCCs to be amended to include more safeguards and remedies for EU citizens and to continue operating as a standalone contractual solution for global transfers of personal data outside of the EEA.

However, the reality of surveillance by enforcement agencies and the intensive political process involved in the preparation of the Privacy Shield casts a significant shadow of doubt over the SCCs. Excessive surveillance by state authorities is not something that can easily be controlled by contractual remedies. Technical measures such as encryption, if made mandatory for all data flows under the SCCs, could potentially assist to keep the personal data of EU citizens safe, but we have seen these fail in the past (Encryption did not prevent the FBI from accessing an iPhone in March 2016 following the San Bernardino shooting in the US despite resistance from Apple and privacy groups).

The Privacy Shield may be a good way of reinforcing compliance of your organisation’s EU-US data flows, but it may also be subject to significant changes over the next 12 months. More importantly, it will not assist your organisation in relation to data flows to any other countries.

It will be very interesting to see how the human rights issues raised in the legal challenge to the SCCs will be ultimately resolved, and whether this will involve any requirement for legislative or executive action by countries or not.

Despite this complex issue, organisations should not panic. This is not the first and probably not the last time that personal data transfers have been challenged, and given the importance of data flows for trade, a solution is bound to be found rather quickly.