EU-US Data Transfers Under Fire: The CJEU’s Schrems II Decision
Last week the Court of Justice of the European Union (“CJEU”) issued a decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) addressing personal data transfers to the US.
In its decision, the CJEU (1) invalidated the EU-US Privacy Shield Framework as a mechanism for data transfers from the EU to the US and (2) confirmed the validity of Standard Contractual Clauses (“SCCs”), subject to certain conditions.
These holdings, however, are deceptively simple and contain nuances with significant implications for cross-border data flows. This post summarizes Schrems II and provides suggestions for steps companies should be taking in response.
Schrems II was a continuation of case C-362/14 Maximilian Schrems v Data Protection Commissioner (“Schrems I”). Schrems I originated when Max Schrems, an Austrian privacy activist, filed a complaint with the Irish Data Protection Commissioner (“DPC”) challenging Facebook’s transfers of his personal data to the US based on the Safe Harbor Framework. That complaint eventually caused the CJEU to invalidate the Safe Harbor Framework.
Schrems later reformulated his complaint to challenge the SCCs, the alternative international data transfer mechanism that Facebook relied on for its EU-US data transfers. The DPC subsequently initiated proceedings against Facebook in the Irish High Court following that complaint. The Irish High Court then referred 11 questions regarding the SCCs and Privacy Shield—the new adequacy mechanism established to permit data transfers to the United States following Safe Harbor’s invalidation—to the CJEU.
Following that referral, the CJEU’s Advocate General (“AG”) issued an advisory opinion recommending that the CJEU find the SCCs valid subject to certain conditions. The AG also recommended that the CJEU decline to address Privacy Shield issues—in part because answers to those questions were unnecessary “to allow the referring court to resolve the dispute in the main proceedings.”
The CJEU’s Decision
- The Privacy Shield Framework is invalid.
The CJEU addressed the Irish High Court’s inquiries regarding Privacy Shield despite the AG’s contrary recommendation. The court overruled the European Commission’s finding that Privacy Shield provided EU data subjects an adequate level of protection, for two reasons.
First, the court found that neither Privacy Shield nor US law generally provided “effective administrative and judicial redress” for US government intelligence and surveillance activities sufficient to support an adequacy finding under GDPR Article 45.
Second, the court found that US intelligence activities do not satisfy the European Charter of Fundamental Rights “proportionality” requirement. On that point, the court essentially held that the scope of US intelligence data collection is too broad, and the accompanying legal standards too vague, to justify the degree of intrusion on European data subjects’ rights involved in that collection.
- SCCs are valid subject to (1) a case-by-case assessment of the relevant aspects of the legal regime in the recipient’s country and (2) the implementation of “supplementary measures” if the relevant legal regime does not provide the level of protection required under EU law.
Turning to Schrems’s challenge to the SCCs, the CJEU focused first on GDPR Article 44’s requirement that an international transfer not undermine “the level of protection of natural persons guaranteed under [GDPR].” That requirement, the court explained, applies “irrespective of . . . the basis of which a transfer of personal data to a third country is carried out.” In other words, GDPR imposes a baseline requirement—regardless of the legal mechanism used to justify a transfer—that personal data transferred internationally be subject to a level of protection that is “essentially equivalent” to that provided under GDPR.
The SCCs, explained the CJEU, do not necessarily guarantee that level of protection with respect to entities other than the contracting parties, such as public authorities in the data importer’s country. In the court’s view, therefore, parties to the SCCs must take two more steps to identify and address potential gaps between the GDPR and the recipient country’s legal regime.
First, the data exporter, with the importer’s assistance, must assess the level of protection afforded to European data subjects in the data importer’s jurisdiction. That assessment must consider (1) the content of the SCCs and (2) “the relevant aspects of the legal system of that third country” with regard to public authorities’ access to any transferred personal data. This assessment, explained the CJEU, must include the same factors the European Commission needs to consider in making an adequacy assessment pursuant to GDPR Article 45.
Second, if the parties’ assessment suggests the level of protection in the recipient’s country falls below that required under GDPR, the data exporter must implement “supplementary measures” to remediate those issues. The court did not address what those “supplementary measures” might entail.
However, if the assessment reveals it is impossible to remediate any GDPR legal risks through “supplementary measures”, the transfer must be suspended.
So Can We Keep Making EU-US Data Transfers Under the SCCs?
It’s possible. But Schrems II suggests that EU-US data transfers relying on the SCCs must implement “supplementary measures” to address the judicial redress and “proportionality” issues regarding US government intelligence activities that caused the court to invalidate Privacy Shield.
Whether and how any “supplementary measures” implemented by data exporters or data importers can meaningfully address these issues is unclear. The European Data Protection Board (“EDPB”), a body composed of representatives from EU member state data protection authorities, has promised to provide “further clarification . . . [and] guidance” on the issue in the coming weeks. The US Department of Commerce and the European Commission may also weigh in on the judicial redress and “proportionality” issues presented by US government intelligence activities in order to create a new adequacy framework.
What Should We Do Today?
- Put SCCs in place for transfers for which Privacy Shield was the sole legal basis.
European regulators have offered different takes on whether companies have a grace period to put alternative mechanisms in place for transfers that relied in the Privacy Shield. For example, the UK Information Commissioner’s Office is still directing entities that use Privacy Shield to “continue to do so until new guidance becomes available,” while data protection authorities in Germany have issued guidance directing companies to immediately cease transfers relying on Privacy Shield. To mitigate risk, companies should immediately begin to put SCCs in place for transfers that relied solely on Privacy Shield. While SCCs will not guarantee the legality of US data transfers following Schrems II, putting SCCs in place will put companies in a better position than continuing to rely on an invalidated mechanism.
- Continue to comply with Privacy Shield.
The US Department of Commerce stated that it will continue to administer Privacy Shield. As a result, ceasing to comply with the Privacy Shield Framework’s requirements could still expose a company to FTC enforcement actions and, potentially, misrepresentation and unfair and deceptive trade practice claims by individuals.
- Monitor statements and guidance from European data protection authorities.
The longer-term implications of Schrems II on the SCCs will depend on how EU supervisory authorities decide to interpret and enforce the ruling. Last week’s EDPB statement suggests that EU supervisory authorities are coordinating to reach a common understanding of how to conduct the requisite SCC assessment and what “supplementary measures” should be put in place when the recipient country’s law provides less protection than GDPR.
The European Commission may also offer some interpretive help on this point: it stated earlier this year that it is working on updating the SCCs. The updated versions may contain provisions or recommendations that could help address the Schrems II holding.
- Inventory international transfers from the EEA or the UK to any nation without an adequacy decision in place.
Inventorying international transfers and assessing the circumstances of those transfers will enable a company to respond quickly to guidance from European data protection authorities, whenever it comes.
That inventory should include an assessment of the nature of each transfer to help identify potential “supplementary measures” or arguments to justify the use of the SCCs pending final guidance from European data protection authorities. While the CJEU’s decision did not identify what those measures might entail, it is worth considering issues such as the sensitivity of the data at issue, the existence of industry-specific regulations, and data security measures applicable to each transfer that could be invoked as “supplementary measures.”
The inventory should also assess whether any of the limited derogations in GDPR Article 49(1) may apply, such as situations when the data subject consented to the transfer in accordance with GDPR requirements or where the transfer is necessary to perform a contract. While identifying situations in which the derogations apply is unlikely to be sufficient as a long-term compliance solution, this effort will help prioritize transfers for any future SCC remediation or assessment activities.