The Court of Justice of the European Union has delivered its eagerly awaited decision, in Schrems II (Case C-311/18).
Why is the case important?
Schrems II calls into the question the ability of companies to lawfully transfer data from the EU to the United States (US) and other countries.
The GDPR contains strict rules on transferring data from the EU to third countries, and this case deals with the compatibility of these rules with surveillance laws in other countries.
What has the Court decided?
The headline outcome is that:
The Privacy Shield decision is invalid with immediate effect – this means that companies can no longer rely on a Privacy Shield certification when transferring personal data to the US.
Standard contractual clauses (SCCs) are valid – but their use is subject to certain pre-conditions and ongoing obligations.
What are the important aspects of the Court’s judgment?
In line with its previous case law, the Court has underscored the high bar there is for lawfully transferring personal data from the EU to other countries.
Whatever transfer mechanism is being used – an adequacy decision under Article 45, SCCs or binding corporate rules (BCRs) under Article 46/47 – the protection afforded to EU citizens’ data must be “essentially equivalent” to that which it enjoys within the EU. This means that the standard of protection for EU citizens’ data cannot be lowered when it is transferred under SCCs to a third country.
Before using SCCs, a controller and recipient of personal data must verify that the level of protection required by EU law is respected in the third country concerned. This implies that some level of due diligence on the laws of the third country must be undertaken before transferring data under SCCs.
The recipient is also under a duty to notify the controller where the law of the third country does not allow the recipient to ensure an adequate level of protection in that country.
Where the SCCs cannot themselves ensure an adequate level of protection in the third country, the controller may adopt “supplementary measures” in addition to SCCs. The Court did not detail what these measures may entail. Encryption or other technical protection measures may be possible candidates.
If an adequate level of protection cannot be ensured in the third country through SCCs (or the adoption of supplementary measures), the controller is obliged to suspend or terminate the transfer of data under the SCCs.
The competent data protection authority (DPA) has the power, and duty, to suspend transfers made under SCCs where the SCCs “are not or cannot be complied with in that third country”.
The SCCs are valid because they include an obligation on the data exporter and the competent DPA to suspend or terminate transfers in cases of non-compliance.
The Court acknowledged that access to EU data by public authorities in third countries is not per se impermissible. The test of what level of access is permissible is that the “mandatory requirements” of the third country legislation “must not go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security.”
The Privacy Shield decision is invalid because the Court believes that US surveillance powers are not sufficiently circumscribed in US legislation and because EU citizens do not have an effective and enforceable means of asserting their rights before the US courts.
What happens next?
The case will now return to the Irish High Court, and the DPC will continue its examination of Schrems’ complaint and will have to decide whether or not to suspend EU-to-US transfers. The Court has clearly ruled that the DPC has the power to make such a direction. The Court has also pointed to the possibility of the GDPR’s co-operation and consistency mechanism being used by the DPC to ensure that a consistent EU approach is taken on these issues.
What can organisations do?
Organisations relying on the EU-US Privacy Shield to legitimise personal data transfers from the EU to the US must immediately find an alternative transfer mechanism, such as the SCCs.
Controllers will effectively have to perform a “mini-adequacy” assessment and should:
Review their data flows.
Identify the third countries to which they transfer personal data under SCCs.
Assess whether the third country provides an adequate level of protection (in particular with respect to the third country’s surveillance laws), taking account of the considerations listed in Article 45.
Consider whether “supplementary measures” can be adopted where SCCs are adjudged not to be capable of ensuring an adequate level of protection on their own.
Document the assessment and the decision made.
The Court’s ruling requires that the third-country due diligence be carried out prior to making a transfer under the SCCs. The Court did not comment on the position of transfers that currently rely on SCCs, most of which one assumes take place without a prior examination of the third country’s laws. It would seem a prudent step to carry out that assessment now to ensure compliance with the ongoing obligations of controllers and recipients under the SCCs.
The European Commission is currently working on updating the SCCs in light of GDPR requirements, and it is to be hoped that the updated SCCs will provide some clarity on how data exporters, third party recipients, and EU DPAs can carry out their assessment of the laws of third countries to ensure that the SCCs can be validly relied on as a transfer mechanism.
The decision will also inevitably have an impact on the European Commission’s adequacy assessment of UK laws, and whether to permit transfers on the basis of a UK adequacy decision post-Brexit.
While organisations will welcome the Court’s confirmation that the SCCs are valid, the decision places onerous due diligence obligations on controllers and recipients when using SCCs to assess whether the laws of the third country to which the data is being transferred provide an adequate level of protection (in particular with respect to that country’s surveillance laws).
Guidance is needed from the European Data Protection Board, EU DPAs and potentially the courts, in regard to what level of due diligence must be carried out and the standards to meet.