What just happened?

The Court of Justice of the European Union (CJEU) ruled on 16 July 2020 that the EU-US Privacy Shield is invalid as a mechanism for transferring personal data to third parties in the US.

If that sounds all too familiar, that is because there was a similar decision five years ago when the previous EU-US transfer mechanism, known as the Safe Harbour Decision, was also found to be invalid.

The Information Commissioner's Office (ICO) is considering the CJEU's judgement so that it can support organisations with international data flows. Watch this space for further guidance, and potentially an alternative scheme to replace the Privacy Shield. However, given the CJEU's comments about the ability of US intelligence agencies to access data in transit over the sub-sea cables that form the backbone of the internet, we may not see a revitalised Privacy Shield for some time to come.

What should I do?

Organisations must once again rely on the standard contractual clauses approved by the European Commission to provide an adequate level of protection for personal data transferred to a third country. The most recent CJEU decision does at least provide some comfort on this point: the court examined the effectiveness of the standard contractual clauses and upheld them as a valid transfer mechanism.

Organisations should identify contracts under which data has been transferred to the US on the basis of the Privacy Shield and put standard contractual clauses in place instead. There is new emphasis on data exporters to monitor the protection actually afforded to the data transferred, and to stop transfers if the clauses are breached or the country to which data is being exported no longer provides sufficient protection.

Here is the detail:

Background

Under the General Data Protection Regulation (the GDPR)[1], data transfers to a third country may, in principle, only take place if that third country ensures an adequate level of data protection, as determined by the Commission on the basis of the third country's domestic law or international commitments. In the absence of an adequacy decision, such transfers may only take place in limited circumstances or where the data exporter (established in the EU) has provided appropriate safeguards, such as the standard data protection clauses adopted by the Commission in Decision 2010/87[2], and on condition that data subjects have enforceable rights and effective legal remedies.[3]

In 2013, an Austrian national, Mr Schrems, lodged a complaint with the Irish Data Protection Commissioner asking it to prohibit the transfer of his personal data from Facebook Ireland to servers in the United States belonging to Facebook Inc. for processing, on the basis that the law and practices in the United States did not offer sufficient protection against access by public authorities and intelligence agencies. The Commissioner rejected the complaint on the ground that the Commission had found, in Decision 2000/520 (the Safe Harbour Decision)[5], that the United States ensured an adequate level of protection. On a reference from the Irish High Court, the CJEU declared the Safe Harbour Decision invalid in its judgment of 6 October 2015 (Schrems I)[4]. Mr Schrems then reformulated his complaint to seek the prohibition of future transfers of his personal data made under the standard data protection clauses in Decision 2010/87, and the Irish High Court, in proceedings brought by the Commissioner, referred further questions to the CJEU. In the meantime, the Commission had adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (the Privacy Shield Decision)[6].

Questions raised

In its preliminary ruling[7], the CJEU had to decide:

  1. whether the protections for personal data under the GDPR should be read in light of the Charter of Fundamental Rights of the European Union;
  2. whether the standard contractual clauses provide an adequate level of protection; and
  3. whether the Privacy Shield Decision is valid.

The Decision

The court found that:

  1. The GDPR applies to transfers of personal data for commercial purposes by an economic operator established in a Member State to another economic operator in a third country, even if the authorities of that third country may process the data for public security, defence and/or State security purposes during or after the transfer;
  2. The level of protection must be essentially equivalent to that guaranteed in the EU by the GDPR, interpreted in light of the Charter of Fundamental Rights;
  3. Unless there is a valid adequacy decision, competent supervisory authorities must suspend or prohibit transfers of personal data to a third country where, in light of all the circumstances, the standard data protection clauses are not or cannot be complied with in that country and the protection required by EU law cannot be ensured by other means, if the data exporter has not itself suspended or ended the transfer;
  4. Standard contractual clauses, as set out in the annex to Decision 2010/87, do provide adequate protection for personal data transferred to a third country. They impose obligations on data exporters and recipients to verify, prior to any transfer, the level of protection afforded to data subjects in the third country, and require the recipient to inform the data exporter if it is unable to comply with the clauses. Importantly though, the Decision does not bind supervisory authorities, which remain able to suspend or prohibit transfers of personal data where the clauses are breached and the data exporter has not itself suspended the transfers; and
  5. The Privacy Shield mechanism does not provide adequate protection for personal data transferred to the US. The Privacy Shield Decision gives the requirements of US national security, public interest and law enforcement primacy over the Privacy Shield principles, and US domestic law neither limits access to and use of personal data by US public authorities, in particular under its surveillance programmes, to what is strictly necessary, nor grants data subjects actionable rights before the courts against US authorities. In short, US law does not provide a level of protection "essentially equivalent" to that in the European Union. The Ombudsperson mechanism does not cure this: it does not provide a cause of action before a body whose independence is guaranteed, and the Ombudsperson has no power to adopt decisions that bind US intelligence services.

Footnotes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1).
[2] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100).
[3] Article 46(1) and (2)(c) of the GDPR.
[4] Case C-362/14; see also Press Release No. 117/15.
[5] Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 p.7).
[6] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1).
[7] Case C-311/18.