The Court of Justice of the European Union has given a landmark decision on data transfers to the US in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020) – known as Schrems II.
The CJEU has ruled that the Privacy Shield, a scheme which governed many data transfers to the US, is not compliant with the GDPR. This article explains the impact of the judgement.
International transfers of personal data
The GDPR restricts the transfer of data outside of the European Economic Area, the intention being to protect data subjects’ rights when their data is transferred to a country that is not subject to GDPR.
Privacy Shield was a scheme designed to allow for data transfers between the EU and US.
Under the scheme, US entities which imported personal data from the EU could voluntarily subscribe to stronger obligations to protect that personal data than they would otherwise be bound by under US law. Transfers of personal data to US companies registered with the scheme were unrestricted.
Background to the case
Mr Schrems, a privacy campaigner, brought a case against Facebook’s use of personal data. His case was that, for an EU-based Facebook user, some of that user's data will be transferred to Facebook’s US entity under the Privacy Shield. Under US law, Facebook Inc. may be required to make that personal data available to US authorities, including the FBI, NSA and CIA. That data may then be used in security and surveillance programmes. US citizens may assert their rights in respect of such use under US law, but EU citizens cannot. As a result, according to Mr Schrems, if you use Facebook in the EU your rights under GDPR are compromised.
The CJEU’s decision on the Privacy Shield
The CJEU has ruled that the Privacy Shield did not adequately protect EU data subjects’ rights.
The court decided that the US legal regime governing access to personal data by security authorities does not contain adequate safeguards, and that access to that data risks being neither necessary nor proportionate. EU citizens are also not afforded an adequate judicial remedy for such use of their personal data.
What are the alternatives to the Privacy Shield?
With the Privacy Shield no longer an option, organisations transferring personal data to the US will need to choose an alternative legal route.
The most common options for international transfers are:
- transfers may be governed by standard contractual clauses (SCCs) between an EU-based data exporter and a non-EU data importer;
- transfers may be protected by bespoke Binding Corporate Rules (BCRs); or
- transfers are permitted if the data subjects have given clear, informed consent, after being warned about the legal risks.
The SCCs have often been a popular choice, since they are relatively straightforward to put in place. However, the judgement presents serious difficulties for their continued use.
The CJEU did not hold that the SCCs are invalid, but held that they are only a suitable mechanism for transfer if in practice they guarantee the same level of protection as the data would enjoy in the EU. If the wider legal context means that the SCCs will not offer that protection then the SCCs will not provide a compliant means for transferring the data.
The CJEU stated that it is the responsibility of the data exporter and the data importer to assess whether the legal context in the relevant non-EU country will prevent the SCCs from properly protecting the data, and whether any ‘supplementary measures’ can be put in place to rectify the situation.
The CJEU made clear that if the recipient of the personal data cannot guarantee it will be able to comply with SCC terms, or if there are other reasons why the SCCs will not adequately protect the data, then the transfer must be stopped.
The CJEU also applied the same reasoning to BCRs.
The potential consequences for the UK outside of the EU
The Schrems II judgement may have implications beyond transfers between the EU and US.
The UK is currently in the midst of the transition period and remains subject to EU law, including GDPR. Come the end of the year, that will no longer be the case. The UK will still seek unrestricted data transfers with the EU and is hoping to obtain an adequacy decision. It was also hoping to achieve the same with the US by in effect copying the Privacy Shield. That will no longer be possible if the UK hopes to obtain an adequacy decision from the EU. The EU will not want personal data to be transferred to the UK if there is a risk that it may be transferred on to the US through an unlawful Privacy Shield. The Schrems II judgement could cause the UK to rethink its future plans for data transfers to the US and EU.
The fallout of this case may take some time to unravel and we will be keeping a close eye on developments in this area. If you have any questions regarding data transfers to the US or to other countries outside of the EU, please get in touch with the BDB Pitmans data protection team.