Today, the Court of Justice of the European Union (“Court”) issued its judgment in the Schrems II case. The case concerns the validity of certain transfer mechanisms used to legitimize the international sharing of personal information from the EU to countries outside the EU. In short, the Court ruled that the Standard Contractual Clauses (“SCCs”) remain valid, but that another widely used mechanism, the EU-U.S. Privacy Shield certification (“Privacy Shield”), does not.
However, the Court’s ruling is not as straightforward as it seems. The Court makes a number of sweeping observations relating to both the SCCs and Privacy Shield, which may very well have far wider implications for international data transfers out of the EU.
EU data privacy laws have historically regulated international transfers of personal information out of the EU. The EU General Data Protection Regulation (“GDPR”) provides that personal information can only be transferred out of the EU if it will receive an “adequate level of protection” in the destination country. That level of protection can be achieved by virtue of the destination country’s own laws, where the European Commission (“EC”) has determined that those laws provide an adequate level of protection (an “adequacy finding”). The U.S. benefited from such a finding, but only for recipients that had certified to the Privacy Shield. Absent an adequacy finding, companies can also rely on special instruments to legitimize the transfer, such as the SCCs or Binding Corporate Rules (“BCRs”).
In the Schrems II case, the Court opined on both the Privacy Shield and the SCCs.
With respect to Privacy Shield, the Court held that it is invalid. The Court takes issue with certain U.S. government surveillance powers (under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333), finding that the exercise of those powers lacks (i) proportionality and (ii) a means of judicial redress for individuals affected by the surveillance. For clarity, this concerns EU personal information transferred to the United States: the Court’s review was limited to assessing whether EU personal information is adequately protected once it is in the U.S.
The Court found that the surveillance powers permitted under U.S. law are not limited to what is strictly necessary and are therefore disproportionate and too broad. The Court also found that the judicial redress available in the U.S. is insufficient, and that the Ombudsperson created under Privacy Shield does not cure this, because individuals must be able to have their objection to surveillance reviewed by a body that is independent and whose decisions are binding.
As a result, the Court invalidated the Privacy Shield framework with immediate effect.
As a note, it is not yet clear how the UK (post-Brexit) or Switzerland will react, for example whether they will feel it necessary to re-assess their own Privacy Shield arrangements with the U.S.
The Court also ruled on the validity of the SCCs. Unlike Privacy Shield, which is a mechanism specific to the U.S., the SCCs are an instrument for transferring personal information to a destination country whose laws do not, by themselves, provide an adequate level of protection. The question put before the Court was whether, by design, the SCCs can still achieve that level of protection despite the laws of the destination country.
The Court upheld the SCCs as a transfer mechanism because, by design, they contain mechanisms intended to achieve adequate protection. However, the Court noted that additional steps may need to be taken for transfers based on the SCCs, depending on the destination country’s laws. For example:
In other words, while the SCCs as an instrument remain valid, the Court shifts the burden to companies and data protection authorities (“DPAs”) to evaluate for themselves the destination country’s legal regime and to assess its impact on data protection (i.e., what is the level of government surveillance and what judicial redress is available).
Although the scope of the Court’s ruling is limited to the validity of Privacy Shield and the SCCs as transfer mechanisms, the reasoning with respect to the SCCs is equally applicable to BCRs, because they are similar mechanisms. BCRs, like the SCCs, are a means to legitimize transfers where it has already been established that the destination country’s privacy laws do not provide an adequate level of protection. It is therefore anticipated that, like the SCCs, BCRs as an instrument will continue to be valid. However, it is equally likely that companies relying on BCRs will have to go through the same assessment: namely, establishing whether surveillance powers and judicial redress issues in the destination country could interfere with the protections afforded by the BCRs.
First, the Court’s ruling puts companies in an impossible position. Requiring companies and DPAs to assess foreign countries’ legal systems and the protection of personal information post-transfer places a huge burden on companies. While the Court does not indicate how much effort a company must apply in assessing another country’s laws, it puts companies on notice that they may have to go above and beyond simply implementing the transfer mechanism. It is a fair question whether it is appropriate to place this burden on companies at all. The underlying issue, namely governments’ potential access to personal information after the transfer, is not something companies can address. The problem is political in nature and can only be addressed by governments through a political solution.
Second, data flows from the EU to the rest of the world, whether to the U.S. or to any other country (including the EU’s major trading partners such as India, Brazil, China and Russia), are an economic reality, and the impact of potentially having to cease such data flows would be enormous.
Third, it is also unknown what the Court’s decision means for other adequacy decisions. Countries such as Japan, Argentina and Israel have been deemed to provide an adequate level of protection by virtue of their national privacy laws. But those adequacy decisions are subject to periodic review, and the Court’s decision today may very well affect those reviews, because the review must now also consider the surveillance powers of the government and the judicial redress available to individuals. Having broad privacy laws on the books will likely no longer be sufficient.
In addition, the UK’s post-Brexit transition period is due to end on 31 December 2020. It is very much anticipated and hoped that the UK will receive adequacy status post-Brexit so that EU companies can continue to transfer data to the UK freely. However, we already know that the UK’s surveillance powers are under the microscope as part of the EU’s adequacy assessment, and the EDPB raised a red flag when the UK recently entered into data sharing arrangements with the U.S. The Court’s decision could very well be an impediment to an adequacy finding for the UK.
Suffice to say that, for now, there are a lot of unknowns. We expect DPAs to issue statements shortly to start making sense of this decision and to provide some direction on the way forward. As with the invalidation of Safe Harbour in 2015, we anticipate that the DPAs will give the European Commission time to try to address the issues with the U.S. at a political level and will suspend enforcement for the time being. We will need to see over the days and weeks to come how global transfers of EU data emerge from this hurdle.