Victoria Hordern
Partner & Head of Data Privacy
A decision by the European Court of Justice (ECJ) on Thursday 16 July 2020 (the so-called Schrems II decision) will have a significant impact on all businesses and organisations involved in international transfers of personal data. Which is most of us. Even if you’re a small organisation, chances are you will use a third party technology platform based outside the EU.
So what happened and what are the implications?
What happened?
As a result of a complaint made by privacy campaigner Max Schrems to the Irish Data Protection Commissioner, the ECJ examined the validity of two widely used mechanisms for transferring personal data outside the EU – Standard Contractual Clauses (SCC) (in this case, the controller to processor clauses) and the Privacy Shield (for transfers to the US only). These are mechanisms recognised as lawfully permitting data transfers outside the EU. However, the ECJ decided as follows:
Standard Contractual Clauses remain valid but as a sticking plaster
For many years, organisations have relied on the SCC for a relatively quick and easy solution to international data transfers. Knowing that we’re discouraged from amending the SCC, they’ve often been signed and put away without much further thought or examination.
A key concern that the ECJ highlighted is that the SCC is a contract between two commercial entities – the exporter and the importer – so the public authorities of the third (non-EU) country are not bound by the SCC at all. So although there are provisions in the SCC which require the importer to notify the exporter about legally binding requests for disclosure of personal data by a law enforcement authority (unless otherwise prohibited), there is nothing in the SCC which prevents public authorities from accessing the data. However, this omission in itself did not mean, to the ECJ, that the SCC are invalid as a data transfer mechanism.
But, according to the ECJ, the exporter and importer should assess on a case-by-case basis whether the law of the third country can properly and adequately protect the personal data to be exported. If not, it may be necessary for the parties to include additional guarantees in the SCC. But, if it’s not possible to implement adequate additional measures, the ECJ indicated that the parties (or the relevant EU data protection authority) should suspend or end the data transfer.
This presents the exporter and importer with a challenging legal puzzle. They are expected now to understand the legal framework of the third country (be it the US, India, the Philippines or China) to which the personal data is being transferred including how public authorities can access data, and then form a view concerning whether that legal framework provides sufficient protection as required under EU law for the personal data being transferred. This applies to all exporters regardless of their level of legal knowledge, expertise or resources.
Certainly there was always a weakness that in relying on the SCC, few parties actually considered the implications of what they were signing up to. Going forward, more due diligence and accountability measures will be expected when making data transfers in reliance on the SCCs.
Hopefully further guidance from the European Data Protection Board and the Information Commissioner’s Office will give organisations a steer concerning what is expected of them in order to be able to rely on the SCC. Additionally, the European Commission is due to publish revised versions of the SCCs which should take account of this ECJ ruling.
The demise of the Privacy Shield
In its examination of the Privacy Shield, the ECJ ruled that the framework was not good enough to meet the requirements under EU law in order for the adequacy decision to be valid. Consequently, just like its forebear – Safe Harbor – the Privacy Shield is no more.
The Privacy Shield was an elaborate and finely balanced framework held together with certain assurances from the US Government. However, there had been criticisms over the years (from the European Parliament and European Data Protection Board in particular) that it fell short of what was required for an adequacy decision. The Privacy Shield was required to comply with certain key European legal standards – effective and enforceable rights for individuals, judicial redress and certain requirements under the Charter of Fundamental Rights of the European Union (the Charter). The ECJ concluded last week that it failed to do so.
The main sticking points for the ECJ were:
Consequently, from 16 July 2020, the Privacy Shield is invalid as a data transfer mechanism under the GDPR. Organisations relying on it will need to consider an alternative – quite likely the SCC (see comments above).
Of course, other options under the GDPR to transfer personal data remain available. However, given that the derogations under Article 49 (e.g. explicit consent, or necessity for the performance of a contract) must be strictly interpreted, there are no approved codes of conduct or certification mechanisms yet, and comparatively few companies have embraced binding corporate rules, the SCC will remain the most popular mechanism.
Can we still transfer personal data to the US?
The ECJ’s ruling indicates that the US legal framework does not provide proper protection for data transfers. Taken at face value, that could lead to the absolutist position that most personal data transfers (apart from those permitted under the Article 49 derogations) from the EU to the US should cease immediately. Quite a draconian interpretation. It’s worth considering that the specific US laws in question, which permit US public authorities to access personal data, tend to be focused on seeking access to data held by telcos, cloud storage and hosting providers. Therefore, if you’re transferring personal data to a US company that doesn’t fall within that grouping, it’s less likely that US public authorities will seek to access the transferred data.
Much will depend upon the response of data protection authorities to the ruling. Significantly, just days after the ECJ’s decision, the Berlin data protection authority reportedly asked German-based controllers transferring data to the US (especially those using cloud service providers) to cease transfers to the US and re-procure services either in the EU or in a country that has received an adequacy finding from the European Commission (other adequacy findings currently remain valid). Whether most controllers will comply, and what the Berlin data protection authority will do if they don’t, remains to be seen.
So what should organisations do now?
Organisations should:
Should you have any questions or require any support, please contact Victoria Hordern.
This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.
All content on this page is correct as of July 20, 2020.