The long-awaited judgment by the Court of Justice of the European Union (CJEU) in the Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1) was handed down on 16th July, 2020.
The case has become known as “Schrems II” as this is the second case Austrian privacy activist Max Schrems has brought against Facebook. The judgment, which you can read in full here, invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. The CJEU also held that the Standard Contractual Clauses (“SCCs”) were not automatically invalid. More details on both these findings are set out below.
The validity of the Privacy Shield
The Court set out that the US Privacy Shield does not provide recourse to an authority that “offers guarantees substantially equivalent to those required by EU law”. The protection in the US under its domestic law did not satisfy the requirements of EU data privacy law.
The court also found that the US Privacy Shield does not grant EU individuals actionable rights before the courts against the US authorities. The court pointed out the access that the US government has, through its various security agencies, to all personal data and that such access was not proportionate or strictly necessary.
Standard Contractual Clauses
The CJEU however did uphold the use of European Commission’s SCCs, which are template contracts covering the transfer of data to ‘third countries’ (countries outside the EU) in general. The Court ruled that SCCs provide sufficient protection for EU personal data, but they should be used more effectively.
It went on to say organisations relying on them must take a proactive role in evaluating, prior to any data transfer, whether there is an adequate level of protection for personal data in the receiving jurisdiction. The Court ruled that SCCs are only helpful if they contain effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law.
Technology firms have a duty to verify that appropriate safeguards are in place before transferring data outside the EU. This is because the company transferring the data and the recipient are obliged to ensure that the required level of protection is respected in the non-EU country concerned, and the data recipient is also obliged to tell the data exporter about any inability to comply with EU law. The Court highlighted the role that supervisory authorities should take in assessing transfers of personal data to an importing jurisdiction. Modifications to the SCC system are anticipated.
Consequences of the ruling
The ruling has major implications going forward for the Privacy Shield (dead and buried?) and for the use of SCCs in relation to data transfers to the USA and other third countries, and additionally to the UK once the Brexit transition period expires and it is outside the EU for the purposes of data transfers.
The actions required as a result of the ruling will be an enormous headache and should be a wake-up call for thousands of EU-based companies, including Facebook, Google and Twitter, that rely on the Privacy Shield to legitimately transfer personal data from the EU to third countries such as the United States, where technology companies are legally obliged to give government agencies access to personal data on national security grounds.
The findings are also a blow to the European Commission and the Data Protection Commissioner, as the ruling dismantles an arrangement the Commission designed with the US to allow organisations to comply with EU data protection laws.
However, the Irish Data Protection Commissioner, Helen Dixon, said she welcomed the clarity the judgment brings, stating that “for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic”.
Organisations engaging in the transfer of personal data from the EU to the US should look at the basis on which they engage in that transfer. Organisations that previously relied upon the US Privacy Shield will have to find alternatives, and if organisations are using SCCs, they will need to verify the existence of appropriate safeguards. Following this judgment, companies should review this aspect of their policies, procedures and data protection arrangements.
About the authors: Emer Murphy, Solicitor on the Litigation Team
Conor Robinson, Consultant and GDPR Expert