A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post offers an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU.

Background

The case — Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/1) (Schrems II) — is the latest in a series of challenges brought by privacy activist Maximillian Schrems that have highlighted asymmetries between the EU and US privacy regimes, particularly in light of the Edward Snowden PRISM disclosures in 2013.

The first case, Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) (Schrems I), was brought under the Data Protection Directive (95/46/EC), predecessor to the General Data Protection Regulation (GDPR). Schrems I invalidated the Safe Harbor adequacy decision, which then governed data transfers between the EU and the US, as the CJEU held that insufficient protection was offered for EU data subjects against the data access rights of US public bodies. Following the Schrems I judgment, the Safe Harbor provisions were replaced with the EU-US Privacy Shield in 2016 (Decision 2016/1250).

Schrems II relates to a further complaint of Schrems to the Irish Data Protection Commissioner (IDPC) regarding the transfer of his data from Facebook’s Irish subsidiary to Facebook in the US. The IDPC initiated proceedings in the Irish High Court to determine whether the use of Model Clauses provided sufficient safeguards to EU individuals. The Irish High Court referred this question to the CJEU for a preliminary ruling, and additionally raised questions relating to the EU-US Privacy Shield.

The Judgment

EU-US Privacy Shield

The CJEU invalidated the EU-US Privacy Shield, meaning that the EU-US Privacy Shield can no longer be relied on to ensure compliance with the GDPR for relevant existing or future data exports.

The CJEU held that the standard of protection afforded to personal data under the GDPR and European fundamental rights laws could not be guaranteed by the EU-US Privacy Shield, primarily due to the lack of proportionality of specific US national security laws as well as the lack of effective and enforceable rights for data subjects. The CJEU found that:

• The US public authorities’ use of and access to EU data do not comply with the principles of proportionality, as surveillance programmes under specific US national security laws do not limit their access of data to what is strictly necessary.
• The US Ombudsman, the only avenue of recourse for EU citizens under the EU-US Privacy Shield, does not have sufficient independence or authority to ensure the protection of European data subjects’ rights.
• The level of protection afforded to data subjects is therefore not essentially equivalent to EU standards.

Model Clauses

The CJEU held that the Model Clauses remain valid as a mechanism for personal data transfer but clarified that they cannot be used if the legislation in the third country does not enable the recipients to comply with their obligations. The CJEU made clear that reliance on the Model Clauses alone was not necessarily sufficient in all circumstances, and that each data transfer must be assessed on a case-by-case basis to ensure adequate protection for the data. This finding is not limited to EU-US transfers, but is applicable to any personal data export (and onward data transfers) relying on the Model Clauses. The CJEU found that:

• If, in the context of the wider circumstances of the transfer, the Model Clauses are assessed to be insufficiently protective of individuals’ data (e.g., due to the data access rights of public authorities in the recipient jurisdiction), additional safeguards must be put in place.
• The Model Clauses contain mechanisms to ensure compliance with the adequate level of protection prescribed by the GDPR, and also require that transfers of personal data be suspended if such mechanisms cannot be honoured. For instance, the recipient of data must notify the data exporter of any inability to comply with the Model Clauses, in which case the data exporter must suspend the transfer of all data and/or terminate the contract. This means that companies cannot simply sign the Model Clauses, but must actively check that they can be complied with.
• If competent supervisory authorities believe that the Model Clauses cannot be complied with in the recipient country and the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer unless the data exporter has not already done so itself.

Questions and Next Steps

Is there a grace period? No. The judgment confirms that there is no grace period and that the EU-US Privacy Shield is invalidated with immediate effect. Whether there will be a grace period for enforcement (as there was when Safe Harbor was invalidated in Schrems I) is unclear.

What should businesses that used the EU-US Privacy Shield do?  Check to see if the Model Clauses can be used for specific transfers. In limited circumstances, consider relying on one of the derogations for specific circumstances set forth in Article 49 of the GDPR, e.g., explicit consent or transfer necessary for the performance of a contract. The European Data Protection Board’s (EDPB’s) Guidance on the Article 49 Derogations, and in particular their limited application, should be taken into account before relying on any of these conditions for transfer.

Should businesses take down their Privacy Shield certification while considering an alternative mechanism? Not yet — the US Secretary of Commerce has publicly said that organisations should still abide by their EU-US Privacy Shield commitments, and that the EU-US Privacy Shield still has value in signalling adherence to certain data protection standards.

What should businesses know about the Model Clauses? For now the Model Clauses remain valid, but the CJEU did not leave them unscathed, and there are additional conditions on their use (as discussed above). These conditions effectively will require a self-assessment of whether the Model Clauses can be used with regards to a specific transfer to a third country.

• Organisations with existing arrangements for Model Clauses should consider mapping and reviewing those arrangements, particularly data transfers to jurisdictions with more extensive national security and surveillance laws. Businesses may need to supplement their documentation for Model Clauses with additional safeguards, and implement mechanisms to ensure that compliance with the Model Clauses is monitored and documented.

What might regulators do? Three main issues have arisen from this judgment:

1. Regulators can suspend the Model Clauses for specific transfers. The judgment is clear that competent supervisory authorities are required to suspend or prohibit a transfer of data to a third country pursuant to the Model Clauses if, in the view of that supervisory authority and in light of all the circumstances of that transfer, the Model Clauses are not or cannot be complied with in that third country. Data privacy activists may use this to launch complaints, prompting supervisory authorities to investigate.
2. Regulators might have divergent views. The CJEU acknowledged that this may lead to divergent decisions by regulators — for example, one regulator might suspend reliance on Model Clauses to a certain third country, while another may not. The CJEU noted that Article 64(2) GDPR provides for the possibility of a decision to be referred to the EDPB for an opinion (which could ultimately lead to a binding decision) to ensure uniformity.
3. Regulators might prioritise data transfer cases. The judgment shines a spotlight on third country data transfers, and regulators might prioritise such cases. With respect to the use of Model Contracts, regulators may expect to see the case-by-case analysis by the data exporter to determine whether adequate safeguards are provided in a particular country before the Model Clauses are relied upon.

What about Brexit and transfers from the UK? The UK remains subject to CJEU decisions during the transitional period. On 16 July 2020, the UK ICO  issued a statement clarifying that it is “considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy”.

What will happen next? The IDPC will need to consider whether the data transfer under Facebook’s Model Clauses is valid. The IDPC may decide to seek the opinion of the EDPB — a process that will take time, but may provide more guidance for businesses on what data protection authorities’ expectations are when using Model Clauses for data transfers.

This post was prepared with the assistance of Leanne Chen in the London office of Latham & Watkins.