knowledge 16 July 2020 |

Schrems II: CJEU Strikes Down EU – US Privacy Shield but Standard Contractual Clauses Remain Valid

The Court of Justice of the European Union (the “Court”) delivered its judgement in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems Case C-311/18 (“Schrems II”) on 16 July 2020¹.

In a landmark decision, the Court has upheld the validity of Standard Contractual Clauses (“SCCs”) in principle as a means for companies to transfer data to non-EU ‘third countries’, subject to important caveats on their use in practice. However, the EU-US Privacy Shield (the “Privacy Shield”), which facilitates the transfer of data between Europe and the United States, has been deemed invalid.

Background

This case stems from a complaint made by Facebook user Maximilian Schrems to the Irish Data Protection Commissioner (the “DPC”) in June 2013 in relation to the processing of his personal data by Facebook. As outlined in our previous briefing (available here), the CJEU invalidated the Safe Harbour Decision in October 2015, which was replaced by the Privacy Shield in July 2016.

Mr. Schrems went on to reformulate his complaint to the DPC in December 2015 to focus on the validity of SCCs, contending that U.S. domestic legislation does not afford the same protections over personal data as exist under EU law. On 12 April 2018, the Irish High Court referred a number of questions to Court.

Judgement

Key points made in the judgement include the following:

• In upholding the controller to processor SCCs, the Court mainly followed the Advocate General’s (the “AG”) non-binding opinion (see our previous briefing on the topic here), published on 19 December 2019. It held that SCCs establish effective mechanisms which make it possible, in practice, to ensure compliance with the level of protection required by EU law. It emphasised, however, that SCCs might not, in and of themselves, address all requirements imposed by the GDPR.

• The Court highlighted an obligation on a data exporter relying on the SCCs and the recipient of the data to verify, prior to any transfer, whether that level of protection required by EU law is respected in the third country concerned. If there are laws in the third country that do not enable the recipient to comply with the SCCs, then the data exporter should not proceed with the transfer.

• In a departure from the approach suggested by the AG, the Court examined the validity of the Privacy Shield framework. It held that the limitations on the protection of personal data arising from the U.S. domestic law on the access and use by U.S. public authorities of such data transferred from the European Union are “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary”.²

• The Court found that although there are provisions which lay down requirements with which the U.S. authorities must comply when implementing the surveillance programmes in question, this framework does not grant data subjects actionable rights against such authorities.

• The Privacy Shield provided an Ombudsperson mechanism to satisfy the requirement of a form of judicial protection. However, the Court has determined that this is insufficient, as the provision does not enable data subjects to ensure the independence of the Ombudsperson and does not empower the Ombudsperson to adopt decisions which are binding on US intelligence services.

Next Steps

While SCCs remain valid, there are now significant questions regarding whether they are sufficient to permit transfers of personal data to all jurisdictions.  In the first instance, organisations should identify the countries to which they transfer personal data using SCCs.  This will then allow them to takes steps to consider whether those countries respect the level of protection for personal data, as required by EU law.  Given the complexity of such an analysis, it is likely that companies will require some time to take the necessary steps, and will eagerly await guidance from supervisory authorities and the European Data Protection Board to assist them. 

Organisations reliant on the Privacy Shield will need to identify an alternative data transfer mechanism to continue transfers of personal data to organisations based in the United States.