In Case C‑311/18, the Court of Justice of the European Union has invalidated data transfers from the European Union to the United States of America that rely on the EU-US Privacy Shield. While this decision – popularly referred to as Schrems II – has a significant impact on data exchanges between the two countries, its effect will also be felt amongst thousands of businesses that rely on data flows out of the EU. Confused? We try to break it down.
First: The Law
Under the General Data Protection Regulation 2016/679 (the “GDPR”), transfers of personal data out of the EU are permissible only in certain situations. One method of transfer is to rely on an adequacy decision by the European Commission (“Commission”). A country that has received an adequacy decision is deemed to provide an adequate data protection standard under EU law. There are limited examples of jurisdictions that have successfully received adequacy decisions: examples include Argentina, Japan, Israel, and the US (limited to the EU-US Privacy Shield).
Alternatively, businesses may rely on binding corporate rules for transfers among group companies (“BCRs”) or standard contractual clauses (“SCCs”, which are not limited to intra-group transfers). Both BCRs and SCCs must be approved by the Commission; however, the process for approval of BCRs is a laborious one. Unsurprisingly, reliance on SCCs in contracts between data exporters and importers is a more popular mode of data exchange.
The EU-US Privacy Shield
The EU-US Privacy Shield (“Privacy Shield”) was a framework designed by the US government and required companies to undertake a self-certification mechanism to comply with its requirements. In 2016, the Commission issued an adequacy decision, deeming that the framework provided an adequate level of data protection. As of the date of the judgment, over 5000 companies had self-certified under the Privacy Shield.
Background of Schrems II
In 2013, Maximillian Schrems, an Austrian privacy activist, challenged the export of his data from Facebook’s Irish entity (which is the Facebook entity that contracts with European users) to Facebook’s US bases. In a historic verdict (popularly referred to as Schrems I), the Court of Justice of the European Union (“CJEU”) struck down the EU-US Safe Harbour Principles (which was, in a manner, the precursor to the Privacy Shield). In the aftermath of this ruling and the Commission’s subsequent Privacy Shield adequacy decision, Schrems challenged the validity of the use of SCCs – allegedly relied on by Facebook for data transfers – before the Irish supervisory authority, arguing that the US’s surveillance laws restricted the SCCs from providing adequate safeguards to his data. In the course of proceedings before the Irish High Court, eleven questions were referred to the CJEU for a preliminary ruling, the significant ones being questions on the validity of the SCCs and the adequacy decision on the Privacy Shield.
Standard Contractual Clauses: the CJEU’s Findings
SCCs are intended to provide an appropriate safeguard for cross-border data transfers. In other words, data subjects whose personal data are transferred on the basis of SCCs must enjoy the same level of data protection afforded by the GDPR. This is not only limited to contractual protection but should be viewed in light of the legal system of the country to which data is transferred and access to such data by public authorities of that country.
Accordingly, the CJEU reiterated that the use of SCCs by itself does not provide an appropriate safeguard: both supervisory authorities and data exporters are required to analyse data transfers on a case-by-case basis to ensure that each transfer satisfies the requirements of the GDPR. Further, if comparable standards cannot be used to protect the data, supervisory authorities are under an obligation to suspend the transfer of that data. The CJEU went on to hold that the SCCs approved by the Commission took these elements into consideration and upheld their validity.
The Privacy Shield
The CJEU also examined the validity of the Privacy Shield. It noted that US national security requirements and surveillance mechanisms utilised by US authorities interfered with the fundamental rights of data subjects whose data was subject to such requirements and mechanisms. The CJEU was of the view that the data protection mechanisms afforded by US law were not comparable to standards required under the GDPR, especially considering that data subjects did not have actionable rights against these authorities. Based on these findings, the CJEU invalidated the use of the Privacy Shield for data transfers.
The Way Forward
While Schrems II will impact data flows between the US and the EU (and will no doubt involve a degree of political pressure), the CJEU’s observations will also have a bearing on data flows to other jurisdictions. From an Indian perspective, the CJEU’s decision is another factor – this time, from a trade and business viewpoint – that adds to the urgent need for the enactment of the Personal Data Protection Bill, 2019 (the “Bill”), which is presently under scrutiny by a Joint Parliamentary Committee (“JPC”). An additional worry for the JPC is whether the wide-ranging rights of access and control by Indian authorities on national security grounds under the Bill will pass the standards set out in Schrems II.
More on that during our Webinar on July 24, 2020, titled “Schrems II and India”. Sign up here!