Organizations that transfer personal data from the European Union on the basis of the EU Commission-approved Standard Contractual Clauses (SCCs) may be breathing a sigh of relief on hearing that the SCCs have been upheld by the EU’s top court, the Court of Justice of the European Union, in its decision in the Schrems II case. However, the 5,378 US organizations that have certified to Privacy Shield will be deeply disappointed that the Court has invalidated Privacy Shield with immediate effect, just as it did Safe Harbor in 2015. (For what those organizations need to do now, see the end of this post.)
The Court’s invalidation of Privacy Shield came as something of a surprise since the validity of Privacy Shield was not a question directly presented to the Court in this case. However, it is fair to say that the Court did go directly to the heart of the matter: whether the US national intelligence agencies’ ability to require US entities (subject to various conditions) to turn over personal data of people who are in Europe fatally undercuts the EU-approved data transfer mechanisms as a means of ensuring that European personal data is adequately protected when it is transferred to the US.
As discussed in prior posts (particularly here and here), both Member State national courts and the Court of Justice of the European Union previously have expressed deep concern regarding US national security laws and related executive orders, protocols and programs. In a nutshell, in Schrems II, the Court has held that US national security powers and programs conflict with the fundamental rights of people in the EU (in part due to overly broad data collection) and do not provide adequate remedies for EU persons who suspect their fundamental rights have been violated. Because of that, the EU Commission’s decision adopting the Privacy Shield framework that was painstakingly negotiated by the EU Commission and the US government in 2016 is invalid in its entirety.
While at first glance Schrems II may look like a win for US organizations that rely on the SCCs as their lawful basis under the GDPR for transferring EU personal data from the US, in reality the decision kicks the SCC question back to the Irish data protection authority and the Irish courts. The Irish court that referred the Schrems II case to the Court of Justice has already issued an opinion (reposted here) that suggests it would be inclined to prevent Facebook’s data transfers to the US on the basis of the SCCs if it has that power. The Schrems II decision confirms that national data protection authorities (and by extension, national courts hearing appeals) do indeed have that power. The power to ban transfers on the basis of the SCCs could be targeted to an individual recipient, but the underlying logic of the decision suggests that all transfers to the US under the SCCs are in peril because (the argument goes) US national security laws make it impossible for the recipients to give the data protection guarantees required by the SCCs. (Topic for another day: How the SCCs would fare if an EU person raised a concern about the surveillance practices of countries that are far less transparent about their surreptitious collection of personal data than the US is.)
So what should US organizations that receive EU personal data do now?
If you rely on Privacy Shield, you will need to evaluate your EU personal data transfers and determine which ones can be addressed with the SCCs – and then put the SCCs in place expeditiously. However, the SCCs are not appropriate for some data transfers, for example, when personal data is collected directly from individuals. For transfers that cannot be covered by the SCCs, companies will need to evaluate the GDPR’s Article 49 derogations. It is vital to interpret those derogations in light of the European Data Protection Board’s Guidelines on Derogations, which interpret the derogations very restrictively.
If you rely solely on the SCCs for all of your EU personal data transfers, you don’t need to do anything immediately, but it will be vital to watch the progress of the Schrems v. Facebook case when it moves forward in Ireland. The Schrems II decision contains some implicit suggestions from the Court as to how organizations could strengthen their contractual commitments such that their SCCs, coupled with those additional commitments, might pass muster with the national data protection authorities. We will follow up with further analysis of the sort of additional provisions that may be helpful. However, given the European Commission’s recent statement that its long-awaited replacements for the existing SCCs are likely to be approved and issued in August or September, we may find that the Commission itself will take a crack at addressing the Court’s comments to create a more robust suite of SCCs.
Schrems II: Decision in Case C‑311/18, Request for a preliminary ruling under Article 267 TFEU from the High Court (Ireland), made by decision of 4 May 2018, received at the Court on 9 May 2018, in the proceedings Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, with intervening parties: The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance Inc., and Digitaleurope.
Proceedings of the referring court (Ireland): The High Court Commercial [2016 no. 4809 p.] Between The Data Protection Commissioner (Plaintiff) and Facebook Ireland Limited and Maximillian Schrems (Defendants).