Privacy + Data Security
In the Schrems judgment, the Court of Justice of the European Union (CJEU) invalidates the EU-US Safe Harbor Framework for data transfers to the US, but does this judgment also have consequences for the alternative data transfer instruments, such as the EU Standard Contractual Clauses (SCCs) and so-called Binding Corporate Rules (BCR)? Are data transfers to other countries outside the EU, such as China and India, now also at risk? Does the new EU-US Privacy Shield agreement solve the data transfer issues to the US?
The Schrems judgment relates to an ‘adequacy decision’ of the European Commission based on Article 25 of the European Privacy Directive (Directive). These adequacy decisions are of a completely different nature than the decisions of the Commission or national Data Protection Authorities (DPAs) based on Article 26 Directive, authorizing alternative data transfer instruments, such as SCCs and BCR. In the first case, the Commission evaluates whether the legal regime of the country of destination is adequate, in which case data transfers can take place without implementing additional contractual safeguards. In the second case, the Commission or national DPA evaluates whether a set of contractual measures or BCR provides sufficient safeguards where the legal regime of the country of destination is not adequate. These two assessments, (1) whether the law is adequate and (2) whether contractual measures can provide sufficient safeguards when the law is not adequate, are different assessments based on different criteria. The assessment of the adequacy of US law in the Schrems case (assessment (1)) is therefore not relevant for assessment (2). The adequacy of the laws of the country of destination is only one factor in assessing whether contractual measures can provide adequate safeguards. Any other interpretation would leave the current system of derogations for data transfers to non-adequate countries under the Directive and the upcoming European General Data Protection Regulation (GDPR) without any function. Transfers would then only be possible to countries providing adequate protection, which is contrary to the legislative history of the Directive and the GDPR.
The Schrems judgment further confirms that only the CJEU - and not national DPAs or courts - can strike down a decision of the Commission authorizing SCCs under Article 26 Directive. As a consequence, the SCCs (and BCR) remain valid. Recent blanket statements by certain national DPAs that these transfer instruments are no longer valid for data transfers to the US are therefore legally unfounded.
National DPAs remain, however, at all times authorized, when hearing a claim, to examine the relevant specific data transfers. This requires a case-by-case assessment considering all relevant circumstances. The 'adequacy' of the laws of the country of destination is again only one factor and cannot in itself be the basis for deciding that the transfers under SCCs or BCR should be prohibited or suspended. This also applies to the CJEU if it is asked to decide whether SCCs and BCR constitute valid instruments for transfers to the US.
The EU data transfer rules are further based on the fundamental starting point that data transfers may take place to countries that provide a level of protection of fundamental rights that is essentially equivalent to that guaranteed in the EU legal order. It is therefore not appropriate to hold the US to higher standards than we live up to ourselves. Similar concerns could further be raised in respect of the surveillance powers and redress mechanisms in many other countries outside the EU, including other major trading partners of the EU, such as China, Russia, Japan, South Korea, India, Brazil and Canada. Applying inconsistent and discriminatory rules would likely violate the EU's international trade commitments.
©1996-2019 Morrison & Foerster LLP. All rights reserved.