Schrems II Confirms Validity of EU Standard Contractual Clauses, Invalidates EU–U.S. Privacy Shield
The Situation: The Court of Justice of the European Union ("CJEU") has ruled that international data flows under the European Union's comprehensive data protection regime, the GDPR, can continue to be based on EU Standard Contractual Clauses if properly monitored, while the EU–U.S. Privacy Shield has been declared invalid.
The Issues: The future of international data flows and use of data transfer mechanisms, in particular between the European Union and the United States, has been called into question.
Looking Ahead: EU Data Protection Authorities are expected take a closer look at companies exporting personal data outside the European Union/European Economic Area ("EU/EEA"). As it is currently unclear whether a grace period for enforcement will be granted, companies that were relying on the EU–U.S. Privacy Shield for data transfers to the United States should swiftly implement suitable alternative safeguard mechanisms.
Background and Issue
On July 16, 2020, the CJEU confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU/EEA ("SCCs") in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (called "Schrems II"), while invalidating the EU–U.S. Privacy Shield.
The Schrems II case originated from the 2015 CJEU decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner ("Schrems I"), which invalidated the EU–U.S. Data Protection Safe Harbor decision from 2000 ("Safe Harbor") for the international transfer of personal data (see our previous Alert, "EU–U.S. Data Protection Safe Harbor: Not Safe Anymore").
In Schrems II, the Irish Data Protection Commission argued that the SCCs did not constitute an adequate level of protection of personal data, as they lacked safeguards against U.S. government surveillance and therefore violate Articles 7, 8, and 47 of the EU Charter of Fundamental Rights ("Charter").
Following the invalidation of the Safe Harbor in Schrems I, Ireland's High Court referred a preliminary ruling to the CJEU on October 3, 2017. The CJEU was asked to rule on the validity of another international data transfer mechanism, i.e., the SCCs provided by the EU Commission's Decision 2010/87/EU.
The CJEU was requested, inter alia, to determine whether U.S. legislation ensures adequate protection of personal data of EU citizens, and whether using SCCs offered sufficient safeguards as to the protection of their freedoms and fundamental rights.
CJEU Followed Advocate General's Opinion
Following the Advocate General's view in his Opinion of December 19, 2019, the CJEU confirmed that the Commission's Decision 2010/87/EU is valid and that the EU SCCs provide appropriate safeguards for international transfers of personal data. This decision was regarded as being compatible with the Charter since data controllers and supervisory authorities are obliged to suspend or prohibit data transfers in cases of conflict between the obligations arising under the SCCs and those imposed by the law of the third country.
To ensure compliance with the level of protection required by EU law, the CJEU stressed that data controllers established in the European Union need to consider not only the international data transfer agreements based on the SCCs agreed between them and the data importer established in the third country, but also—prior to any transfer—the relevant aspects of the data importer's legal system, in particular any access by public authorities to the data transferred. If an essentially equivalent level of protection cannot be guaranteed, data controllers are required to terminate such data transfers and also, if necessary, the contract with the data processor in the third country.
However, the CJEU held the view that another data transfer mechanism, the EU–U.S. Privacy Shield, does not include satisfactory limitations in order to ensure the protection of EU personal data from access and use by U.S. public authorities on the basis of U.S. domestic law. The newly introduced Ombudsperson mechanism in particular does not provide substantially equivalent guarantees to those required by EU law, as the CJEU questioned its independence and observed a lack of authority to make binding decisions on U.S. intelligence services. The CJEU therefore invalidated the EU–U.S. Privacy Shield Decision, which can no longer be relied upon for EU–U.S. data transfers with immediate effect.
Lucie Fournier, an associate in the Brussels Office, and Christopher Schmidt, a law clerk in the Frankfurt Office, assisted in the preparation of this Commentary.
Three Key Takeaways
- Companies that until now have relied on the EU–U.S. Privacy Shield for data transfers from the European Union to the United States should implement alternative safeguards (e.g., SCCs, Binding Corporate Rules within their group). Until then, they may—in individual cases—rely on the narrow derogations set out in Article 49 GDPR after carefully assessing the necessity of their international data flows.
- Although companies can continue to use the EU Standard Contractual Clauses as a safeguard for transferring personal data to processors outside the EU/EEA, they will have to follow the level of data protection provided in the third country and, where conflicts with the provisions of the Clauses arise, to suspend data exports. Monitoring the relevant aspects of the legal system of the third countries concerned should therefore be integrated into corporate compliance programs.
- Meanwhile, the EU Commission confirmed working on alternative instruments for international transfers of personal data, including by reviewing the existing SCCs. The further development of new safeguards as announced by the EU Commission should be closely followed.