CJEU ‘Schrems II’ Ruling – Five actions to take now
The EU-US Privacy Shield has been ruled invalid by the Court of Justice of the EU (CJEU) with immediate effect. Standard Contractual Clauses (SCCs) are still a valid international data transfer mechanism, but there’s a significant catch.
What do you need to know and what actions should you take now?
The impact on your business of the ‘Schrems II’ ruling on 16 July will vary. Actions needed will clearly depend on the scale of your international data flows and the transfer mechanisms you rely on.
This will be most acute if any of your data transfers relied solely on the EU-US Privacy Shield. However, there are also ramifications for the widespread use of SCCs. The ruling stresses an obligation on controllers to assess the privacy laws in third countries if they wish to continue to use SCCs.
Start by asking:
- Do you have data transfer arrangements based solely on the Privacy Shield?
- Do you use suppliers based in the US or who host your data in the US?
- Do you use telecommunications and/or cloud-based services based in the US?
- Do you rely on SCCs to transfer data to other non-EEA countries?
If you answered YES to any of the above, assessing your international data flows and the safeguards you are relying upon just moved up your list of priorities.
But don’t panic. Many organisations are understandably focused on the fallout from COVID-19, and we would anticipate a degree of leniency from regulators following this ruling. Take a measured approach, considering the risks the ruling presents for your business.
This article covers:
- Quick summary of the ‘Schrems II’ ruling
- The fallout from the ruling
- What about Brexit?
- Five actions to take now
- Impact on Binding Corporate Rules (BCRs)
- Background to the ruling
Quick summary of the Schrems II ruling
The CJEU ruled on two areas:
a) EU-US Privacy Shield
The Privacy Shield has been struck down as invalid and, without going into the minutiae, this was due to concerns about US privacy law, specifically government surveillance programmes and how these may restrict the privacy rights of EU citizens.
The ruling found US law does not put sufficient limitations on the access to and use of EU citizens’ data by US intelligence services. It also found EU citizens do not have adequate remedies in respect of the processing of their personal data by US public authorities.
b) Standard Contractual Clauses (SCCs)
There was initially relief that the CJEU ruled SCCs, which a large number of businesses rely on, remain valid. There had been fears these might be invalidated. However, any signs of relief amongst privacy professionals were short lived – the devil was in the detail.
The CJEU stressed the obligation on data controllers to carry out an assessment of the level of data protection afforded by the country (not the company itself) to which the data is transferred.
Organisations have a duty to consider the privacy laws of that country, especially the potential for public authorities to access personal data, for example for surveillance purposes.
If local laws allow this type of access, it’s likely additional safeguards will be required; otherwise the SCCs may be inadequate for similar reasons to the Privacy Shield. But the CJEU didn’t specify what safeguards would be appropriate.
The fallout from the ruling
Unsurprisingly following the CJEU’s ruling and the demise of the EU-US Privacy Shield there has been a flurry of opinions published.
Some claim SCCs can no longer be used for data transfers to the US full stop. Others point to the need to check specifically whether the company you wish to transfer data to is subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333. These permit US intelligence authorities to access personal data without an individualised court order.
For example, US-based telecommunications companies fall within the scope of Section 702 FISA, and it’s been argued that SCCs may no longer provide adequate protection for data transfers to these providers.
This logic may extend to others such as cloud service providers which utilise the services of the telecommunications providers.
Following the CJEU ruling, the Irish Data Protection Commission (DPC) issued a statement in which it said:
“In practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis”.
The Hamburg Data Protection Authority has taken a robust stance, saying:
“If the invalidity of the Privacy Shield is primarily justified by the sprawling intelligence activities in the United States, the same must apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect data subjects from state access.” (Translated from German)
There are some who argue the CJEU’s ruling has given rise to an impractical state of affairs. Are organisations going to heed the ruling or take a risk and continue working with US-based companies, even those who may be subject to surveillance law? Others argue the CJEU is taking a principled approach to protect EU citizens data.
Much focus is on transfers to the US, but the CJEU ruling will also affect transfers to other third countries. The United States isn’t the only country where questions have been raised about state access to personal data. The assessment obligations on the use of SCCs apply equally to transfers to such countries.
What about Brexit?
To add to the complexity, we clearly need to consider Brexit within this evolving narrative. The UK is in a unique position. Currently under the transition period EU data protection law still applies. However, come 1 January 2021 the UK will become what is termed a ‘third country’.
Outside the EEA the UK will be subject to restrictions on the flow of personal data from the EU, unless the UK is awarded adequacy by the European Commission. And it’s a BIG if.
The CJEU ruling has sparked concerns the UK is now less likely to be awarded adequacy. Could adequacy be denied if the EU considers ‘UK GDPR’ to have strayed too far from ‘EU GDPR’? Will concerns about UK surveillance laws prevail?
If adequacy is not granted, transfers from the EU to the UK will require a different lawful transfer mechanism (such as SCCs or BCRs). Will SCCs be sufficient? Will additional safeguards be required? What approach will be taken for UK to US transfers (third country to third country)?
There are many unanswered questions and we will have to sit tight and await the upshot of the EU-UK Brexit negotiations and the UK-US trade deal negotiations.
Five actions to take now
What should you do next?
The scale of the task ahead is dependent on the degree of international transfers your business engages in, what steps you have already taken, the transfer mechanisms you rely upon and what risks you are prepared to live with.
While awaiting further statements and guidance from EU Supervisory Authorities, the ICO, the European Commission and the European Data Protection Board (EDPB), here are some steps you could take now.
1) Identify which of your transfers are reliant on the Privacy Shield and consider use of an alternative transfer mechanism.
2) Identify transfers to the US under SCCs. Start to assess the risk. In particular pinpoint the businesses you transfer data to who may be subject to US surveillance laws (Section 702 FISA and Executive Order 12333).
3) Map your international data flows to other ‘third countries’ and identify which transfer mechanisms you rely on. You are going to need to know more about the privacy laws in those countries, how these might conflict with GDPR and, in particular, whether public authorities are able to access the data of EU citizens transferred there.
4) Get ready to adopt updated SCCs. The European Commission had put its plans to update SCCs on hold until after the CJEU’s decision. It’s possible they will want to address the issues raised in this ruling sooner rather than later.
5) Keep a close watch on UK Government & ICO statements on Brexit and data transfers.
Since the ruling the EDPB has published FAQs on the CJEU judgement. On 28 July the ICO issued an updated statement on the judgement by the European Court of Justice in the Schrems II case. The ICO says EDPB guidance still applies to UK controllers and processors and advises you to “take stock of the international transfers you make and react promptly as guidance and advice becomes available.”
Impact on Binding Corporate Rules (BCRs)
I’m afraid it doesn’t stop with the Privacy Shield and SCCs. The ruling has an impact on the use of BCRs, which some organisations rely on as a lawful mechanism for intra-group transfers.
The EDPB FAQs clarify that the CJEU’s judgement applies to BCRs as well. This means, according to the EDPB, whether or not you can transfer personal data on the basis of BCRs will also depend on the result of an assessment of the privacy laws in the third country.
The EDPB says such an assessment will need to take into account the circumstances of the transfers and any supplementary measures you have or could put in place. It goes on to say:
“These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent SA [Supervisory Authority]”.
It’s also worth noting the EDPB’s comments on BCRs and Brexit. It says if your BCRs cite the ICO as your lead Supervisory Authority, you need to take steps now to identify a new BCR lead in the EEA before the end of the transition period.
The background to the CJEU ruling
The ‘Schrems II’ ruling has its roots back in 2013. Seven years ago, the Austrian privacy activist Max Schrems brought a complaint before the Irish DPC, in which he claimed personal data transfers under what was then called the EU-US Safe Harbor were not safe.
This related to Facebook Ireland’s transfer of personal data of its European users to its parent company’s servers in the US. The case led to Safe Harbor being struck down in 2015 as invalid and being replaced shortly after by the Privacy Shield.
But Max Schrems didn’t stop there. He’s had an on-going complaint with the DPC regarding his concerns about privacy risks to EU citizens when data is transferred to the US.
In May 2018 the Irish High Court referred questions about the validity of SCCs and the Privacy Shield to the CJEU. The CJEU needed to consider if the law in the US, particularly in relation to intelligence services’ access to personal data, could render one or both of these mechanisms invalid.
The result is this CJEU ruling striking down the Privacy Shield and casting doubt over the blanket use of SCCs without due consideration. Schrems commented:
“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”
Philippa Donn, 28 July 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.