Privacy Shield scheme declared invalid
On Thursday, 16 July 2020, the European Court of Justice ruled in the so-called Schrems II case on the transfer of personal data from the EU to the United States. The judgment states that the Privacy Shield scheme is invalid. It therefore immediately ceases to be a basis for transfers from the EU to the United States.
Briefly about the case
The Schrems II case stems from the first Schrems case from 2013, in which Austrian data rights activist Max Schrems lodged a complaint with the Irish Data Protection Authority about Facebook's transfer of his personal data from the EU to the United States based on the then Safe Harbour scheme. The case ended up with the European Court of Justice (CJEU), which in October 2015 declared the Safe Harbour scheme an invalid basis for the transfer of personal data from the EU to the United States. Max Schrems was, thus, successful in his claim that the Safe Harbour scheme could not ensure an adequate level of protection required by European data protection legislation.
In 2016, the Safe Harbour scheme was replaced by the corresponding Privacy Shield scheme, which, in the opinion of the European Commission, addressed the shortcomings of the Safe Harbour scheme. However, Max Schrems chose to reword the original complaint to the Irish Data Protection Authority, as Facebook – now relying on the amended SCCs (the European Commission’s standard contractual clauses) – continued to transfer personal data to the United States. Schrems was of the opinion that the amended SCCs did not give him the same protection as within the EU, in particular because of the lax legislation in the United States concerning public authorities' access to and collection of personal data.
When examining the new complaint, the Irish Data Protection Authority considered that there was a larger and more systematic problem with SCCs. Therefore, the Irish Data Protection Authority brought proceedings before the Irish High Court in order for the case to be referred to the CJEU for a preliminary ruling.
Main conclusions of the judgment
The Privacy Shield scheme is invalid and can no longer be used as a transfer basis.
The CJEU finds that the Privacy Shield scheme is not compatible with Article 45 of the GDPR in conjunction with Articles 7, 8, and 48 of the EU Charter of Fundamental Rights (the Charter), which relate to the right to privacy, data protection, and access to effective remedies. Thus, the CJEU overrules the European Commission's assessment that the United States ensures adequate protection of personal data transferred from the EU to certified US companies under the Privacy Shield scheme.
The CJEU sets aside the Privacy Shield scheme mainly because of US legislation on national security, etc., which according to the CJEU does not comply with the proportionality requirement stated in Article 52 of the Charter. The CJEU states that infringements of fundamental rights can only take place by virtue of a clear and precise legal basis and that any restriction or infringement of fundamental rights can only be justified to the extent that it is strictly necessary.
The SCCs remain generally valid as a basis of transfer to countries outside the EU/EEA, cf. Article 46 of the GDPR.
The CJEU ruled that the SCCs must provide a level of protection that is "essentially equivalent" to the level in the EU. This confirms that this yardstick applies not only to the assessment of safe third countries under Article 45 of the GDPR but also to the other transfer options available under Article 45 of the GDPR, including SCCs (and Binding Corporate Rules).
The CJEU considers that there is nothing to prevent SCCs from providing the required level of protection. Still, it does require a concrete, comprehensive assessment of all the circumstances of the transfer, in particular whether the public authorities of the importing country can access the transferred personal data or require that they be disclosed. This focus on the public authorities of the importing country is due to the fact that SCCs are not binding on the authorities of the importing country.
Therefore, it is a requirement that, prior to the commencement of each transfer, the data exporter makes a concrete assessment of whether the transferred personal data are subject to access by the public authorities.
The decision has major practical consequences. However, initially, there is a need for the European Data Protection Board to present its interpretation of the decision.
The Danish Data Protection Agency has announced that in the near future, the European Data Protection Board, together with the other European supervisory authorities, will carry out a more detailed analysis of the decision and its significance for the transfer of personal data to third countries and international organisations.
At this stage, therefore, we are awaiting the announcement of the European supervisory authorities, but we can already examine:
Are third-country transfers carried out by your company? It is particularly important to be aware that cloud providers often use data centres in the EU and service centres outside the EU (unless you have an agreement on a so-called "limited cloud", where transfers only take place within the EU). Support access for persons in a third country to data in data centres in the EU also constitutes a third country transfer.
If third-country transfers occur, determine the transfer basis for those transfers – for example, is the basis of transfer the Privacy Shield, SCCs, Binding Corporate Rules, or the special basis of transfer in Article 49?
NJORD will follow developments closely and update you when there is news from the European Data Protection Board.