Anyone that shops online, uses social media, or even sends an email has most likely had their personal data sent around the world. Data, including your personal details, is transferred over the global network without regard for national borders. Countries have attempted to regulate these data flows in the interests of their citizens, national security, and their own economies.
The EU has a high standard of personal data protection and requires this to be upheld abroad, causing a dissonance with other countries in regard to data transfer. This was most recently demonstrated in the judgement of the Court of Justice of the European Union (CJEU) in what has become known as the Schrems II case.
What follows is meant to highlight some of the findings and implications of this judgement. Given the impact of this decision and its ramifications, the full effects will crystallise in the months to come.
On 16 July 2020, the CJEU issued a long-awaited decision in the case Facebook Ireland v Schrems (C-311/18), also known as the Schrems II case. It dealt with the transfer of personal data from the EU to US companies and the conditions thereof. In this decision, the CJEU invalidated the EU-US Privacy Shield (Privacy Shield) and confirmed the validity of the Standard Contractual Clauses (SCCs).
Under EU law, the personal data of EU subjects (any information relating to an identified or identifiable natural person) transferred to a non-EU country or international organisation has to enjoy a level of protection adequate to that of the EU.
As set out in the General Data Protection Regulation (GDPR), there are several ways for companies to transfer the personal data of EU data subjects to non-EU countries, such as:
- Adequacy decisions by the European Commission
The European Commission (EC) may decide that a non-EU country ensures an adequate level of protection for personal data. Such decisions are based on an evaluation by the EC regarding the rule of law, legal regulations on fundamental rights and freedoms, data protection regulations, and other aspects in the non-EU country in question. The EC would also evaluate the functioning of the data protection authorities in the non-EU country and the enforcement and compliance of data protection rules, as well as its international commitments. Based on these evaluations and relevant approvals, the EC issues an adequacy decision allowing for personal data to flow from the EU to the non-EU country without any further safeguards. As of now, the EC has issued 13 adequacy decisions.
- Standard Contractual Clauses
In the event there is no EC adequacy decision for the transfer of personal data to a non-EU country, the data controller/exporter (EU company) and the data processor/importer (non-EU company) may still transfer personal data internationally. However, such a transfer must still ensure the adequate level of data protection in the non-EU country prior to the transfer itself. This is currently done through a contractual agreement between the data controller and the data processor through Standard Contractual Clauses (SCCs) established by EC Decision 2010/87/EU.
- Other methods
The data controller and data processor may also use other methods to ensure an adequate level of data protection for personal data transferred to non-EU countries, such as the Binding Corporate Rules (for multinational groups), through derogations (such as explicit and informed consent from the data subject), or by other means as defined by the GDPR.
The EC adequacy decisions related to the USA and the SCCs are at the heart of the Schrems II case, as well as the earlier Schrems I case.
Schrems I case
In 2013, in the immediate aftermath of the Edward Snowden revelations, Mr Max Schrems (at the time, an Austrian student) complained to the Irish Data Protection Commissioner (DPC) that his personal data was transferred from Facebook Ireland Ltd. to Facebook Inc. (US company), where the level of personal data protection did not meet EU standards.
Mr Schrems argued that the Safe Harbour decision, an EC adequacy decision from 2000 on the transfer of personal data to the USA, did not provide sufficient protections for EU data subjects. Additionally, he argued that the Safe Harbor decision was invalid.
The question of the validity of Safe Harbor was in the end referred to the CJEU, which ruled in Max Schrems v. Data Protection Commissioner case (C‑362/14) (the Schrems I case) that the Safe Harbor decision was, in fact, not valid due to the mass surveillance performed by US public authorities and the lack of legal redress for non-US individuals.
Following the invalidation of the Safe Harbor decision, the EU, the USA, and Switzerland renegotiated the conditions of data transfers from the EU and Switzerland to the USA and set up Privacy Shield, a tool for US companies to self-certify their adherence to the EU data protection standards when transferring personal data from the EU and/or Switzerland to the USA. The US government also created a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson. Independent from the US intelligence community, it evaluates the complaints of EU citizens concerning transfers of their personal data to the USA. The EC assessed US law in regard to access and the use of personal data transferred under the Privacy Shield by US public authorities for national security, law enforcement, and other public interest purposes. Based on this, the EC issued an adequacy decision with the US (Decision (EU) 2016/1250, Privacy Shield decision) allowing personal data to flow from the EU to the USA without any further safeguard being necessary.
The Privacy Shield has been under scrutiny since its inception. The European Parliament and the European Data Protection Board (EDPB), as well as civil society groups, have criticised what they believe to be the insufficient protection of personal data transfers from the EU to the USA, while Quadrature du Net filed a case with the CJEU to declare the Privacy Shield decision invalid.
Schrems II case
After the invalidation of the Safe Harbor decision, Facebook informed Mr Schrems that when transferring his personal data from the EU to the USA, Facebook was not relying on the Safe Harbor decision, but rather on the SCCs.
Mr Schrems reformulated his complaint to the Irish DPC stating that SCCs also did not provide adequate protections for personal data transferred to the USA nor did they sufficiently safeguard his rights. He reasoned that the SCCs are a contractual agreement between companies that do not prevent surveillance activities by US authorities. The Irish DPC referred the matter to the Irish High Court, which submitted 11 questions to the CJEU for a preliminary ruling in the case Facebook Ireland v Schrems (C-311/18), also known as Schrems II. Among the questions referred were the applicability of the GDPR, the level of protection for transferred personal data, the validity of the Privacy Shield decision, and the SCCs as mechanisms for the international transfer of personal data from the EU.
On 16 July 2020, the CJEU issued its judgement in Facebook Ireland v Schrems (C-311/18). In this multilayered, complex decision, the CJEU affirmed, among others, that the data protection rights of EU citizens are fundamental rights and their protection extends to international data processing under the GDPR and the European Charter of Human Rights. The CJEU also declared as invalid the EC decision on the adequacy of personal data transfers under the US-EU Privacy Shield (Decision (EU) 2016/1250). Additionally, the CJEU ruled that the SCCs (Decision 2010/87/EU) are valid as a tool for companies to transfer personal data from the EU to the USA.
In evaluating the validity of the Privacy Shield decision, the CJEU examined whether US law grants protections to EU data subjects that are essentially equivalent to those under EU law. The CJEU looked at the regulations of Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and US Presidential Policy Directive 28. The CJEU stated that these regulations do not indicate any limitations of powers for US intelligence services, that data collection by US authorities is beyond necessary and proportionate, and that the regulations do not give data subjects actionable rights before US courts. The CJEU also concluded that the position of the Privacy Shield Ombudsperson was not sufficient in providing EU citizens with a judicial redress mechanism, as it is not independent and cannot issue a binding decision to the US intelligence community. Therefore, in its ruling, the CJEU declared the EU-US Privacy Shield to be invalid with immediate effect.
The ruling also confirmed the validity of the SCCs as a mechanism for the transfer of personal data from the EU to non-EU countries (Decision 2010/87/EU). Even though the SCCs are a contractual agreement between companies, the supervisory authorities – Data Protection Agencies (DPAs) may, under certain circumstances, prohibit or suspend the transfer of personal data to non-EU countries, thus providing oversight. The CJEU also stated that the EC should reevaluate the SCCs and that data controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement the SCCs.
Impacts of the Schrems II judgement
Within the EU
The CJEU decision is a preliminary determination decision for the Irish High Court and the Irish DPC. It is expected that the Irish authorities will issue a final decision on the transfer of Mr Schrems’ personal data by Facebook, thus setting a precedent on how the Schrems II judgement shall be interpreted.
The EC has yet not issued an official statement on the judgement, other than acknowledging it and preparing guidance. It is clear from the judgement itself, however, that the EC has been asked to reevaluate the SCC guidelines. The EC has previously confirmed that it is preparing updated SCCs to replace the current ones, as well as other alternative instruments for the international transfer of personal data. It is expected that the modernized SCCs will be published shortly.
While the judgement did not affect other currently issued adequacy decisions, it is to be seen whether the EC will reevaluate them in the light of the Schrems II decision. The judgement does not indicate any additional criteria for the assessment of non-EU countries for adequacy by the EC. However, the fact that the EC had their adequacy decision invalidated twice may mean higher levels of scrutiny in the future. Currently, the EC adequacy decision with Argentina is up for re-certification. It was scheduled for May 2020 but has been postponed awaiting this decision. The EC decision on adequacy with Israel is also likely to be evaluated due to their high levels of surveillance.
The Schrems II judgement also strengthens the role of national DPAs and the EDPB, inviting them to take a proactive approach in suspending or banning problematic personal data transfers.
The EDPB issued a statement following the Schrems II judgement, stating that a new framework should be established for personal data transfers between the EU and USA. It also reiterates the necessity of thoroughly assessing data protection standards in non-EU countries by the data controllers and processors, if the data be transferred based on SCC.
National DPAs have not issued individual statements so far, except for the Berlin Commissioner. In their guidance, the Berlin Commissioner asked data controllers to stop data transfers to the USA until a new legal framework is formed; if data controllers are transferring data to the USA, they are now required to use service providers based in the EU or in a country with an adequate level of protection. The statement of the Berlin Commissioner basically instructs for data localization.
With the immediate invalidation of the Privacy Shield decision without a grace period, data controllers/exporters within the EU face a high compliance burden. They must switch to alternative safeguards for personal data transfers from the EU to the USA, such as the SCCs. In these cases, it is up to data controllers/exporters (EU company) to assess whether the legal regime of a non-EU country provides adequate protection for the transferred personal data. Data controllers are also encouraged to provide for “additional safeguards” to complement the SCCs, however the CJEU did not specify what kind of safeguards these should be.
In the case of transferring personal data from the EU to the USA, even transfers under the SCCs are problematic. The decision of the CJEU invalidating the Privacy Shield is based on the statement that US law is not compatible with EU fundamental rights and does not provide personal data protection adequate to that of the EU. This indicates that a US company (i.e. data importer) would not be able to uphold their obligations under the SCCs, especially if they would be required under US law to share the personal data of non-US individuals with US authorities for surveillance purposes.
Wilbur Ross, the US Secretary of Commerce, issued a statement highlighting the need to maintain data flows between the EU and the USA and noted that the Department of Commerce will continue to administer the Privacy Shield program. US companies that signed up for the Privacy Shield are still obliged to maintain it, even though it is no longer legally valid for personal data transfers with the EU.
It is expected that the EU and USA will renegotiate an agreement on the transfer of personal data by companies to reflect the Schrems II judgement. The open questions remaining are the timing of such negotiations given the upcoming election in the USA, how the USA could fulfill the requirements of ‘essentially equivalent’ personal data protection regulations, and the requirement of judicial redress for EU data subjects, as this would mean changes to US law and judicial system.
United Kingdom and Switzerland
Even though the UK left the EU on 31 January 2020, EU law, including the jurisdiction of the CJEU, still applies until the end of the transition period on 31 December 2020. Therefore, personal data transfers between the UK and the USA and between the EU and the UK are affected. The UK would have to negotiate personal data transfer protections with the USA and the EU.
The Schrems II judgement did not invalidate the Privacy Shield in Switzerland, where it does not have jurisdiction. It remains up to Switzerland whether to proceed with the Privacy Shield arrangement with the USA or to adopt other ways to protect personal data transfers in line with the EU.
It is clear that the Schrems II decision does not only affect EU-US relations and data flows, but that it also has global ramifications.
At its core, the Schrems II decision evaluates the rule of law in the USA and highlights what changes to the US legal and judicial system should happen in order for personal data flows to be in compliance with EU data protection laws. While the USA and the EU share many of the same values, and will most likely come to a practical solution to allow for the transfer of personal data, it remains to be seen how personal data transfers from the EU to China, Russia, or other authoritarian regimes will be affected in the future.