On 16 July 2020, the Court of Justice of the European Union ("CJEU") finally rendered its long-awaited judgement in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems ("Schrems II"), on the validity of Standard Contractual Clauses ("SCC") as a mechanism for transferring personal data from the EU/EEA to third countries under the General Data Protection Regulation ("GDPR"). In its decision, the CJEU considers that Commission Decision 2010/87 on standard contractual clauses is valid. However, the CJEU also ruled on the adequacy of the protection provided by the EU-US Data Protection Shield and invalidated the protection afforded by this Decision.
Swiss data protection law also uses the protection of the SCCs and the Privacy Shield as mechanisms for data transfers. Both in Switzerland and the EU many businesses rely heavily on the SCCs and the Privacy Shield for their data transfers to countries outside of the EU/EEA or Switzerland. As a result of the CJEU's judgement, businesses will need to take immediate action or be in breach of data protection laws. Find out in our blog what this landmark decision from the CJEU means for your business.
1. What has happened so far?
Max Schrems is a privacy activist who is concerned about the cooperation between US companies and US intelligence agencies, particularly about Facebook sharing personal data of EU residents with the US National Security Agency. The fundamental argument before the CJEU has been the alleged power of the US to carry out mass surveillance of EU residents' personal data without justification. These concerns led to the Schrems I case and the invalidation of the Safe Harbour Framework in 2015. This framework was a mechanism that legitimised data flows from the EU to the US. Max Schrems then challenged the validity of the SCCs and the Privacy Shield in the Schrems II case, using arguments similar to those in the Schrems I case.
In December 2019, the CJEU's Advocate General ("AG") Henrik Saugmandsgaard released a non-binding opinion on the Schrems II case, in which the AG stated that the SCCs generally provide sufficient protection for personal data. Notwithstanding this, the AG also raised concerns as to whether the Privacy Shield is sufficient as an alternative transfer mechanism under the GDPR.
Although the AG stated that the SCCs are a valid transfer mechanism, he also suggested that new obligations for those using the SCCs should be implemented. In particular, he proposed that they need to examine the national security laws of the country of the data importer to determine whether the data importer can comply with the terms of the SCCs.
Against this backdrop, the CJEU released its decision in the Schrems II case on 16 July 2020.
2. What does the CJEU decision say?
In short, the CJEU comes to the conclusion that the SCCs are valid as such, but that parties to SCCs are obliged to ensure that they are able to meet the level of protection provided for in the SCCs. The EU-US Data Protection Shield on the other hand does not provide sufficient guarantees for data transfers and is therefore invalid.
2.1. Decision 2010/87 on Standard Contractual Clauses
When evaluating the validity of Commission Decision 2010/87 on the SCCs, the CJEU stated that the validity of that decision is not called into question by the mere fact that the SCCs do not bind the authorities of the third country to which data may be transferred. However, that validity depends on whether the decision includes effective mechanisms that make it possible to ensure compliance with the level of protection required within the EU by the GDPR. The CJEU made it clear that the transfer of personal data pursuant to SCCs must be suspended or prohibited in the event of the breach of the provisions in the SCCs or if it is impossible for the data importer to honour its obligations under the SCCs.
The CJEU stressed that in its opinion the SCCs establish mechanisms that can ensure the same level of data protection as required in the EU by the GDPR. However, the court highlights that the decision on the SCCs puts an obligation on the data exporter and the data importer to verify, prior to any transfer, whether the relevant level of data protection is respected in the third country to which data is exported. Furthermore, the CJEU reads into the SCCs an obligation on the data importer to inform the data exporter of any inability to comply with the SCCs. If the data importer is not able to comply with the SCCs, the data exporter has to suspend the transfer of data immediately and/or to terminate the contract with the data importer at the next possible opportunity.
2.2. Decision 2016/1250 on the EU-US Data Protection Shield
With regard to the validity of the EU-US Privacy Shield, the CJEU holds that the primacy given to the requirements of US national security, public interest and law enforcement clashes with the requirements of the GDPR guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection. In particular, the CJEU stated in its decision that even though US law includes requirements with which the US authorities must comply when implementing their surveillance programmes, the provisions do not grant data subjects actionable rights against the US authorities before the courts. The CJEU stated that, contrary to the position taken in the Commission Decision on the Privacy Shield, the Ombudsperson mechanism does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law. Based on this and other arguments, the CJEU invalidated Decision 2016/1250 on the EU-US Data Protection Shield.
3. What does this decision mean for my business?
For businesses in the EU and businesses in Switzerland that are subject to the GDPR, this means that they are left in an impossible situation for data transfers to the USA. According to the CJEU decision, they will have to opt for a data transfer protection mechanism other than the Privacy Shield, for example Binding Corporate Rules for group-internal transfers. For transfers that are not group-internal, the strict interpretation of the court decision would be that a lawful data transfer to the USA is no longer possible.
The Swiss-US Privacy Shield is not directly affected by the CJEU decision and so remains in force for the time being. However, it is very likely that it will also be declared invalid, and so Swiss businesses relying upon it for transfers of data to the USA should take action now to put in place alternative protections.
For businesses working with SCCs, this decision clarifies the obligations of the data exporter and the data importer when using the SCCs as a transfer mechanism. So far, many entities have simply signed SCCs as a formality without making any further enquiries into the data protection law of the country to which they are transferring their data. With this decision of the CJEU, this pragmatic business approach brings major legal risks. The CJEU defined the following obligations, all of which have to be fulfilled when using SCCs:
- The data exporter has to verify, prior to any transfer, whether the relevant level of data protection is respected in the third country to which data is exported.
- The data importer of a data transfer has to inform the data exporter of any inability to comply with the standard data protection clauses.
- If the data importer is not able to comply with the SCCs, the data exporter has to suspend the transfer of data and/or to terminate the contract with the data importer.
From now on, businesses in the EU, and likely also in Switzerland, will have to pay closer attention to the precise terms of SCCs and make sure that they really live by them, and not just on paper. At this stage, it is difficult to see how data importers in many countries will be able to meet their obligations under the SCCs and so how data can be transferred to those countries at all.
If you are unsure whether you have to change the mechanisms for data transfers in your business, please reach out to us. We would be happy to discuss with you what the decision may mean for your business.