In a landmark decision for the EU-US data transfer regime, the European Court has struck down the EU-US Privacy Shield but given respite to Standard Contractual Clauses
Schrems II sounds like the sequel to an Austrian horror film but, in fact, it is a landmark case that has plunged GDPR data transfer safeguards into a new nightmare and proven fatal for the EU-US Privacy Shield.
Schrems II is the legal action launched by privacy activist Maximilian Schrems against Facebook Ireland regarding the transfer of his personal data from Ireland to the US, which was decided in July 2020. The transfer of Schrems’ personal data from the EU to a non-EU business, as for any EU citizen, is unlawful under the overarching EU privacy rules, GDPR. Certain jurisdictions are exempt from the rules because the EU views their privacy standards as equivalent, and GDPR establishes certain scenarios in which data transfers are permitted where certain safeguards are in place. One of these, the Standard Contractual Clauses (SCCs), was the initial focus of the Schrems II case.
SCCs are a contractual framework which has been approved by the EU and allows parties to agree to replicate standards of EU privacy law by entering into agreements, in a form approved by the EU, with parties outside of the EU.
Schrems initially brought a case against Facebook in Ireland looking at the validity of SCCs. The Irish privacy regulator subsequently referred the matter to the European Court. On July 16, the European Court ruled that SCCs were valid, stressing that EU law requires entities relying on SCCs to be sure that the protections that the SCCs provide can be met by the recipient of the personal data. The Court stressed that there is a requirement “to verify, on a case-by-case basis”, effectively decreeing that, whilst SCCs are a more selective and flexible standard of protection for personal data of EU citizens, they should be used carefully and with full scrutiny that the recipient of personal data is able to comply with its obligations under the SCCs and offer protection for personal data equivalent to the protection EU privacy laws provide.
In what came as a major plot twist in the proceedings, however, the Court scrutinized the EU-US Privacy Shield, despite the mechanism not being in the initial scope of the legal case to be determined. The Privacy Shield is, or was, another permitted safeguard under GDPR. It was an agreement between the EU and the US that allowed personal data to flow from the EU to the US, provided that the US recipient of the data had achieved certain privacy compliance standards which replicate EU privacy laws, and had self-certified to the jurisdiction of the Department of Commerce for enforcement purposes.
Whilst the short history of EU to US data transfer mechanisms has been turbulent (the predecessor of the Privacy Shield, the Safe Harbor mechanism, met a similar fate to the Privacy Shield before the European Court), a period of tranquility had begun after Privacy Shield passed its second annual review by the European Commission. Therefore, the European Court’s move to invalidate the Privacy Shield has provided one of the biggest shockwaves to the effective operation of data transfer mechanisms since GDPR came into effect.
The European Court said that US laws authorizing public authorities to access personal data transferred from the EU to the US were not compatible with EU privacy laws. Moreover, the Court held that the Privacy Shield did not provide protections that are “essentially equivalent” to those set out in EU law, specifically that the independent ombudsperson mechanism which is provided for under the Privacy Shield regime had not been effectively established and therefore did not provide effective administrative or judicial redress for EU individuals.
As such, the Court invalidated the Privacy Shield with immediate effect, in a move that will be a blow to many US organizations that have invested heavily in achieving certification under the EU-US Privacy Shield mechanism and opted for its protection when receiving personal data from the EU. The impact of the decision is wide, as it affects not only the day-to-day transfers of personal data which happen in global companies, but also the numerous agreements with non-EU based vendors engaged to provide services by EU businesses. They must now carefully review their network of relationships with vendors to check which are reliant on the Privacy Shield and put a new data transfer mechanism in place, most likely SCCs, as they are now the most effective and readily available data transfer mechanism to ensure that personal data can continue to be transferred to countries outside the EU lawfully.
However, the challenges do not end there, as scrutiny of the SCCs has never been higher, and the European Court’s decision in Schrems II places the responsibility with the entity transferring personal data outside the EU to carry out effective due diligence on both the country that the personal data is being transferred to and the recipient entity, to ensure it can meet the obligations when signing up to the SCCs. Commentators have already raised concern about the burdensome nature of these obligations and how they can be effectively achieved.
Equally concerning is the significant prospect of consumer litigation challenging the extent to which a data transfer has been adequately safeguarded when SCCs are relied upon. Record keeping of the types of risks and how they have been mitigated will need to be developed in order to evidence the steps taken to assess and manage risk.
The ongoing nature of the issue and the bumpy road ahead are likely to mean some businesses turn to data localization – the sure-fire solution to the significant hurdles of compliance with EU law on data transfers. However, how this will impact the economies of major data hubs and the use of service providers outside of the EU remains to be seen.
While Schrems II ultimately saw the demise of the Privacy Shield – and this is hardly a spoiler – a reboot, remake or sequel will be inevitable.