Schrems II (C-311/18) and the Invalidation of the Privacy Shield

Last Thursday (16 July 2020) the Court of Justice of the EU (CJEU) ruled in the case Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘Schrems II’).

Most news outlets focused their attention mainly on the EU–US Privacy Shield, which was declared invalid in this ruling. The Privacy Shield was a framework regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. However, there is quite a bit more to the ruling than that. In this post I will outline how I read the case and what I think it means for transatlantic data flows going forward. This post is aimed at non-privacy people, so it may be too simplistic for you experts out there ;). It is my aim to make this as simple as possible, but not simpler, which with a complex case like this is quite a challenge.

International data transfers - the basics

Broadly speaking, transfers of personal data of people in the EU to countries outside the EU (so-called third countries) are unlawful unless you have a so-called data transfer mechanism in place. These include(d):

  1. Privacy Shield (no longer valid)

  2. Standard contractual clauses (SCCs) - These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.

  3. Binding corporate rules (BCRs) - these are used for international transfers within a group of companies

  4. Adequacy decision from the European Commission - An adequacy decision means that the European Commission has decided that a third country or an international organisation ensures an adequate level of data protection for EU personal data.

  5. Derogations - narrow exceptions available under Article 49 GDPR where transfers are considered “necessary” or where a person has provided explicit consent for the international transfer.

EU-US Privacy Shield - why was it invalidated?

It is surprising that the Privacy Shield lasted as long as it did; it did not offer much to the EU citizens it was meant to protect. It was invalidated with immediate effect, which means organisations can no longer rely on it to lawfully transfer EU personal data to the US. At the time of writing, there has been no official communication of a ‘grace period’. This has consequences both for intra-group data transfers and for transfers of personal data to third parties in the US where no other transfer mechanism is in place.

The reasons for which the Privacy Shield was invalidated are comprehensive and set out in detail in the ruling. First, EU persons are not offered the same protection under US surveillance laws as US persons. Interferences with EU fundamental rights must be strictly necessary and proportionate to be considered lawful. This is the test the CJEU applied in its judgment to the surveillance laws enabling US intelligence services to interfere with EU data protection rights. The CJEU looked specifically at Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, read in conjunction with Presidential Policy Directive 28, and concluded that these provisions do not meet the minimum safeguards that follow, under EU law, from the principle of proportionality, “with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.” A crucial factor in the decision was that it is hard for a non-US person to bring a case for unlawful surveillance before the US courts. Put more eloquently, the CJEU concluded that laws such as those mentioned above do not set out limitations on the powers of the intelligence services and do not offer sufficient remedies to non-US persons if their rights are infringed upon.

The system put in place under the Privacy Shield Framework had an Ombudsperson whose role was to act as an additional redress avenue for all EU people whose data was transferred to the US under the Privacy Shield. The CJEU held that the Privacy Shield Ombudsperson could not be regarded as offering effective judicial protection against interference authorised by the surveillance laws in the US. In the words of the CJEU, “as far as concerns effective judicial protection, […] the introduction of a Privacy Shield Ombudsperson cannot […] remedy those deficiencies since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47 of the Charter.” In short: under the discussed US surveillance laws, EU people have pretty much no effective remedy when they are subjected to unlawful surveillance.

Standard contractual clauses

The CJEU also ruled on SCCs. It upheld their validity, but stated that it is no longer sufficient for a data exporter and data importer to just sign the agreement: the exporting party must make a factual assessment of whether the contract can actually be complied with in practice. This means analysing the laws of the country that will receive the data to see whether there are any surveillance laws in place that would interfere with the data protection rights of the people whose data is being transferred. The onus is therefore on the organisation wishing to export data outside the EU to assess the laws of the importing country. This is a very challenging task; it is hard to imagine that all organisations have the bandwidth and/or the expertise to do this. Due to the contractual nature of SCCs, they only bind the signatories, which does not include a third country’s intelligence services. In some countries, including the US, certain companies are required to provide access to data they receive from overseas under laws such as FISA, discussed above. Essentially, in countries with surveillance laws like FISA, signed SCCs on their own will not be enough, because you cannot guarantee protection from state surveillance. This means that you, as a data exporter, cannot meet your own contractual obligations under the SCCs, clause 4 in particular, and the court made clear that where the clauses cannot be complied with, the exporter must suspend the transfer or terminate the contract.

It is important to mention that this ruling does not just have consequences for EU-US transfers. There are many countries with surveillance laws like FISA. For example, in the light of Brexit and the UK’s RIPA law, it appears unlikely that the UK will be considered a country with an adequate level of protection. This means that an adequacy decision is unlikely, but also that it becomes more difficult to rely on SCCs for EU-UK data transfers. A little further from home, transfers from the EU to China, India and Russia have also become challenging for similar reasons, as pointed out by the Berlin Data Protection Authority. The court also referred to supplementary measures that could be put in place to safeguard data while relying on SCCs, for cases where the SCCs alone would not be enough to safeguard EU personal data. However, the court did not clarify what these measures could be, which was not particularly helpful. The European Data Protection Board has said it will investigate what this could mean.

All of the above raises the question whether any transfer to the US can be considered lawful if the data being transferred is subject to FISA or other surveillance laws. The court did not cover BCRs, but it would not be unreasonable to apply the same reasoning to them as well. In short, we have some answers but also many, many questions.

So what happens next?

  • First of all, guidance is expected from the European Commission as well as the European Data Protection Board, so keep an eye out for those.

  • Second, you should assess whether your organisation currently relies on the Privacy Shield or SCCs for international transfers, both within your group of companies and with third parties. If it is the Privacy Shield, put SCCs in place. For now, SCCs are valid, even though they have become more complicated to rely on.

  • Third, I expect the SCCs will be updated; they were never updated for the GDPR, so they are a tad outdated, and with this ruling there is even more incentive for a revamp.

  • Last, where possible, process EU personal data within the EU and avoid the hassle altogether. Of course, this is often easier said than done.

As more information becomes available I will add articles to this blog, so please subscribe if you’re interested. :-) Also, please read my disclaimer at the bottom of the page. This is not legal advice; this is just the opinion of a person who enjoys data protection and privacy law.