Schrems II: Privacy Shield invalidated and Standard Contractual Clauses under scrutiny

Background and timeline of the Schrems II case

The current judgment has its roots in 2013, when Maximillian Schrems originally brought a complaint before the Irish Data Protection Commissioner (DPC) claiming that personal data transfers under the EU-US Safe Harbor were unsafe. That led to the invalidation of Safe Harbor and a few months later the Privacy Shield was born.

Of course, many companies continued to use, or around the time may have switched to using, the SCCs approved by European Commission Decision 2010/87/EU (SCCs) as a legal basis for their cross-border data transfers. However, Schrems' ongoing complaint led the Irish Data Protection Commission to question the validity of SCCs.

In May 2018, the Irish High Court referred several questions regarding the validity of SCCs and the Privacy Shield to the CJEU (Case No. C-311/18), focusing on whether data transfers under SCCs and the Privacy Shield violated Articles 7, 8, 47, and 52 of the EU Charter of Fundamental Rights (Charter).

On 19 December 2019, the CJEU's Advocate General (AG) issued a (non-binding) formal Opinion advising the CJEU to rule that SCCs as they stand are valid but need to work in practice in order to result in "essential equivalence" with EU law. With regard to the Privacy Shield, the AG voiced certain doubts regarding the adequate level of data protection provided in the US, particularly considering the activities in question by law enforcement and intelligence agencies.

Decision of the CJEU

In its landmark judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) released on 16 July 2020, the CJEU found that SCCs were valid in principle but declared the Privacy Shield invalid.

Verifying the validity of SCCs

In examining the validity of SCCs, the Court first pointed out that such validity would not be called into question by the mere fact that the standard data protection clauses are not directly binding on the authorities of the third country to which data may be transferred. Instead, their validity will stem from the effective mechanisms that enable, in practice, compliance with the level of data protection required under EU law.

Crucially, the CJEU highlighted the existing obligation incumbent on both data exporter and importer to verify, prior to effectively carrying out a transfer, whether the expected level of protection is attained in the third country concerned, and that the recipient will need to inform the data exporter of any impeding factor that would prevent it from complying with the clauses. Should that be the case, the data exporter would be obliged to suspend the transfer and/or terminate the contract with the data importer. Failing that, the competent supervisory authority is required to intervene.

Privacy Shield invalidated

The CJEU then moved to examine the validity of the Privacy Shield in light of the requirements set forth in the GDPR. The Court determined that domestic US laws regulating access and use by US authorities of personal data imported from the EU into the US are not circumscribed in a way to provide protections “essentially equivalent” to those required under EU law. In this regard, the CJEU pointed out the lack of limitation on the power conferred to the implementation of certain US government surveillance programs, and also of sufficient guarantees for non-US persons that might be potentially targeted.

In practice, the shortcoming observed by the CJEU translates into a lack of actionable data subject rights before the courts against US authorities. In this respect, the CJEU also held that the Ombudsperson mechanism contemplated by the Privacy Shield does not actually provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required under EU law, such as to ensure the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions binding on US intelligence services.

What companies should do now

Companies should take appropriate and decisive steps to confirm that data transfers under their responsibility comply with the GDPR and the judgment of the CJEU. In particular:

• Switch from Privacy Shield to alternative safeguards: Where only the Privacy Shield was used to legitimize the transfer, companies should take steps now to ensure coverage under another safeguard.
• Verify level of protection of international data flows: Once the relevant personal data flows are identified, companies should assess the safeguards they apply to data transfers, including a nuanced analysis of the local laws in the recipient country. In this respect, for data transfers to the US, it will be especially relevant to which extent the data recipient is subject to Section 702 FISA and E.O. 12333.
• Assist EU customers: Service providers with data processing operations in the US and elsewhere should consider how best they can facilitate the task placed on their European customers to verify the adequacy of the level of protection for their data.
• Look out for statements from DPAs: It is likely that European data protection authorities and the European Data Protection Board (EDPB) will publish statements on the legality of data transfers to certain countries on basis of SCCs, having a particular focus on data transfers into the US.
• Monitor activities on updated SCCs: Despite the fact that the CJEU declared SCCs to be valid, it is possible that the European Commission will issue a new set of updated SCCs in order to address the risks identified by the CJEU with regard to activities of law enforcement and intelligence agencies in the US.

Possible alternative safeguards

In order to future-proof global data flows in light of the dynamic legal and political environment, companies should consider applying the following alternative measures:

• Additional safeguards (SCCs plus): The CJEU points out that controller and processors should provide additional safeguards to those offered by SCCs in order to ensure adequate protection of the personal data and data subject rights in the third country. Accordingly, companies could consider adding language to SCCs that address remaining concerns, in particular the handling of government requests for access to personal data.
• Approved "Ad Hoc Clauses": As an alternative long-term measure, companies may also consider applying for approval of their own standard data protection clauses.
• Binding Corporate Rules (BCRs): Given the specific protections included within BCRs to address the issue of data disclosures to government agencies and the high degree of scrutiny undertaken prior to their approval, BCRs will likely emerge as a most solid mechanism available to legitimize global data transfers.

Authored by Eduardo Ustaran, Bret Cohen, Harriet Pearson, Henrik Hanssen, Laur Badin, and Julian Flamant.