In July, the EU Court of Justice made a landmark decision on the international transfer of personal data in a case called Schrems II. The Court invalidated the EU-US Privacy Shield with immediate effect. It also imposed significant limitations around the use of standard contract clauses.
This decision requires many organizations to change their practices and documentation. It has the potential to disrupt business in multiple sectors and countries, particularly as between the EU and the US.
The EU’s GDPR sets a gold standard for protecting personal data that applies in all EEA[1] countries and affects organizations in other parts of the world that do business in Europe.
Broadly, the GDPR prevents an organization transferring personal data outside the EEA unless the destination country is on a white list or the organization adopts an adequate safeguard. Given the powers of EU supervisory authorities to ban unlawful data transfer and to levy large fines, up to 4% of global group turnover or €20 million, and the ability for individual data subjects to sue for compensation, it is important to respect these rules.
Relatively few countries[2] are on the white list. However, the list is not limited to entire countries – the EU can also white-list sectors within countries. Using this power, in July 2016 the EU white-listed US organisations certified under the EU-US Privacy Shield.[3] This replaced its 2000 white-list decision known as Safe Harbor, which the EU Court struck down as invalid in 2015, in a case known as Schrems I.
As mentioned above, to transfer personal data outside the EEA to a non-white-listed country or sector, an organization must first adopt an adequate safeguard (except in very limited circumstances). In theory there are up to six types of adequate safeguard, but only two of these are in use. Of these, the easiest to put in place, and the only one available where the parties are not part of the same corporate group, is to use standard contract clauses (SCC) for the transfer. These SCC are in a form designated by the EU and are used by thousands of organisations around the world.
In Schrems II the EU Court ruled on a challenge to both the EU-US Privacy Shield and the SCC, striking at the heart of cross-border transfer of personal data.
In 2013, Austrian law student Max Schrems asked the Irish Data Commissioner to prevent Facebook Ireland transferring his data to Facebook USA. He argued US law didn’t adequately protect his personal data, given the FBI and NSA’s surveillance powers and activities.
This resulted in the Schrems I ruling that the US Safe Harbor was invalid. This didn’t end the argument because Facebook said most of its data was transferred to the US under the SCC, not Safe Harbor. Accepting the invitation to reformulate his complaint, Schrems argued that once in the US his data was available to the FBI and NSA under laws incompatible with the EU Charter and was not adequately protected despite the use of SCC.
The Commissioner agreed and brought court action in Ireland, questioning the validity of the EU decision which adopted the SCC.
The Irish Court heard evidence on the effect of US national security laws. Finding these concerning, it referred the SCC question to the EU Court of Justice. For the same reasons, it also asked the EU Court to rule on the validity of the EU-US Privacy Shield, which had been adopted in the intervening period to replace Safe Harbor.
EU Court’s Decision on the Privacy Shield
The Court observed the Privacy Shield was expressly stated to be subject to US national security requirements, which enabled interference with the fundamental rights of data subjects. The Court went on to examine the EU Commission’s justification for nevertheless approving the Shield. That justification is set out in the following recital:
“[O]n the basis of available information about the U.S. legal order … any interference by U.S. public authorities with the fundamental rights of the persons whose data are transferred … under the Privacy Shield … for national security [or] law enforcement purposes,… will be limited to what is strictly necessary to achieve the legitimate objective in question, and there exists effective legal protection against such interference.”
The Court examined FISA, the US Foreign Intelligence Surveillance Act, and Executive Order 12333 on Intelligence Activities and fundamentally disagreed with the above justification. The Court found U.S. surveillance programs under these laws allowed the FBI and NSA to access personal data transferred to the U.S. without limitation and without guarantees for non-US individuals. Ultimately, it concluded that US laws:
- limit the protection of personal data in ways which are not restricted in a manner equivalent to EU law requirements; and
- do not grant data subjects actionable legal rights against US authorities.
Consequently, it ruled the Privacy Shield invalid with immediate effect.
EU Court’s Decision on SCC
The Court’s ruling on SCC was less drastic. Its key finding was that the decision approving the SCC was valid. However, the Court applied a significant qualification, ruling that SCC can only be used where data subjects are given a level of protection equivalent to GDPR in the destination country.
Applying this qualification, the judgment directs EU data protection authorities to suspend or prohibit data transfer using SCC where the law of the destination country does not provide appropriate safeguards, rights and remedies against access by national authorities.
Organizations concluding from this that they can carry on using SCC until an authority stops them will be disappointed. The Court declared every organization transferring personal data out of the EEA under the SCC responsible for assessing whether the destination country’s laws ensure adequate protection. This must be done on a case-by-case basis, before any further data is transferred.
The burden does not stop at the EEA data exporter: the Court pointed out that the SCC require the data importer to notify the exporter if it cannot comply with them, including where public authorities in its country can access the data disproportionately or without redress. Data transfer must stop if the exporter receives such notification.
Finally, the Court suggested a data exporter could take “adequate additional measures to guarantee protection” if the destination country’s laws did not pass the assessment.
Effects of the Decision
Data Transfer to the US
Personal data transfers under the Privacy Shield are unlawful. Organizations which have been using the Shield, whether EU exporters or US importers, need to find an alternative basis for transferring personal data to the US as soon as possible.
To be lawful, that alternative basis requires an adequate safeguard. The usual safeguard is SCC. However, given the EU Court’s qualification on their use, it is most doubtful that a transfer of EU personal data to the US under SCC would comply with GDPR. There is some speculation that it might be compliant if accompanied by “additional measures”. In July, the European Data Protection Board (EDPB) said it was “looking further into what these supplementary measures could consist of and will provide more guidance”. Three months on, we are still waiting.
Meanwhile, in September the US Government issued a “white paper”, strongly arguing that the European Court had misunderstood its laws and failed to take account of legal developments since 2016. The paper essentially concludes that U.S. intelligence agencies’ access to data meets all GDPR standards. However, it is doubtful that the EU will accept this. It also seems strange that the US government, which was legally represented in Schrems II, did not submit these points at the hearing, which took place in 2019. The white paper cannot therefore be relied on as a defense to enforcement action by EU authorities or compensation claims from data subjects.
Apart from SCC, the only other adequate safeguard available to private organisations is binding corporate rules, but these apply only within corporate groups and are therefore no use for transfers between independent entities. They also require bespoke drafting and individual regulatory approval.
Without an adequate safeguard, private organisations can only transfer personal data to the US on a repeat basis with the explicit consent of the data subject or where necessary for a contract (or to save life or for a legal claim). Even one-off transfers will require justification and regulatory notification.
The use of consent is therefore likely to increase as potentially the only available route. This may not be practical and will need careful management, since the GDPR has strict rules on consent. If data subjects refuse consent, and every data subject is entitled to do so, one can foresee major problems.
Data Transfer to Other Non-EEA Countries
Most EEA data transfers to non-white-list countries take place under SCC. Every EU data exporter using SCC must now assess the laws of the destination country, if necessary with the help of the importer, before carrying out further transfer.
The assessment should include a focus on laws enabling public authorities in the destination country to access data, in particular whether the access is proportionate and whether data subjects have a legal right of redress.
Having assessed the relevant foreign law, unless the exporter finds it “equivalent” to GDPR in terms of fundamental protections, it must end the transfer. There must be a significant concern that many countries will fail this assessment. Where that is so, the position will be the same as for the US.
EU data protection authorities are required to enforce the GDPR with all due diligence. Applying Schrems II, they should suspend or ban personal data transfer to third countries under the SCC where it cannot be protected to EU standards. In the coming months, we may see decisions from the authorities that the SCC cannot be used for certain named countries.
Conclusions and Recommendation
The EU Court’s decision in Schrems II disrupts current practice in international data transfer from the EU.
How many nations have data protection laws sufficiently equivalent to GDPR, sufficiently circumscribe access to data by their intelligence and national security authorities, and give foreign nationals legal redress against them?
Until now, use of the SCC was the oil on the wheels of the EEA data export system. If Schrems II is rigorously applied, this will no longer be the case. This is a problem, since swathes of businesses rely on transferring personal data from the EU to the US and other major countries without specific authorization.
Until a solution is found, businesses that export or import data are likely to have to make changes to their practices and legal arrangements.
We recommend that organisations which export or import EU personal data take urgent legal advice on the best way forward.
[1] The 27 EU countries plus Norway, Iceland and Liechtenstein.
[2] Including Argentina, Israel, Japan, New Zealand, Switzerland and Uruguay.
[3] There is a similar white-list decision for commercial private-sector organizations in Canada.