Background and Issue
On July 16, 2020, the CJEU confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU/EEA ("SCCs") in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (called "Schrems II"), while invalidating the EU–U.S. Privacy Shield.
The Schrems II case originated from the 2015 CJEU decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner ("Schrems I"), which invalidated the EU–U.S. Data Protection Safe Harbor decision from 2000 ("Safe Harbor") for the international transfer of personal data (see our previous Alert, "EU–U.S. Data Protection Safe Harbor: Not Safe Anymore").
In Schrems II, the Irish Data Protection Commission argued that the SCCs did not constitute an adequate level of protection of personal data, as they lacked safeguards against U.S. government surveillance and therefore violate Articles 7, 8, and 47 of the EU Charter of Fundamental Rights ("Charter").
Following the invalidation of the Safe Harbor in Schrems I, Ireland's High Court referred a preliminary ruling to the CJEU on October 3, 2017. The CJEU was asked to rule on the validity of another international data transfer mechanism, i.e., the SCCs provided by the EU Commission's Decision 2010/87/EU.
The CJEU was requested, inter alia, to determine whether U.S. legislation ensures adequate protection of personal data of EU citizens, and whether using SCCs offered sufficient safeguards as to the protection of their freedoms and fundamental rights.
CJEU Followed Advocate General's Opinion
Following the Advocate General's view in his Opinion of December 19, 2019, the CJEU confirmed that the Commission's Decision 2010/87/EU is valid and that the EU SCCs provide appropriate safeguards for international transfers of personal data. This decision was regarded as being compatible with the Charter since data controllers and supervisory authorities are obliged to suspend or prohibit data transfers in cases of conflict between the obligations arising under the SCCs and those imposed by the law of the third country.
To ensure compliance with the level of protection required by EU law, the CJEU stressed that data controllers established in the European Union need to consider not only the international data transfer agreements based on the SCCs agreed between them and the data importer established in the third country, but also—prior to any transfer—the relevant aspects of the data importer's legal system, in particular any access by public authorities to the data transferred. If an essentially equivalent level of protection cannot be guaranteed, data controllers are required to terminate such data transfers and also, if necessary, the contract with the data processor in the third country.
However, the CJEU held the view that another data transfer mechanism, the EU–U.S. Privacy Shield, does not include satisfactory limitations in order to ensure the protection of EU personal data from access and use by U.S. public authorities on the basis of U.S. domestic law. The newly introduced Ombudsperson mechanism in particular does not provide substantially equivalent guarantees to those required by EU law, as the CJEU questioned its independence and observed a lack of authority to make binding decisions on U.S. intelligence services. The CJEU therefore invalidated the EU–U.S. Privacy Shield Decision, which can no longer be relied upon for EU–U.S. data transfers with immediate effect.
Lucie Fournier, an associate in the Brussels Office, and Christopher Schmidt, a law clerk in the Frankfurt Office, assisted in the preparation of this Commentary.