On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgment in case C-311/18 (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems), in which it concluded that Decision 2016/1250 on the adequacy of protection provided by the EU-US Privacy Shield is invalid.
However, at the same time, the CJEU confirmed that Commission decision 2010/87 on standard contractual clauses for the transfer of personal data to third countries is valid.
The judgment has important practical consequences, to a certain extent undermining the principles established in previous years for the transfer of personal data outside the EEA, in particular to the US. Entities that transfer data to the US or make use of providers that can carry out such transfers (including IT services, e.g. cloud computing, providers) lose the possibility to use the Privacy Shield mechanism. Hence, unless they have implemented alternative measures, they should refrain from providing services that include data processing in the US.
Key elements of the CJEU judgment
The EC decision on the EU-US Privacy Shield is invalid. According to the Court, the programme is not in line with EU laws. The main allegations relate to the US internal regulations on access and use of personal data by the US authorities and the lack of appropriate remedies in case of violation of individual rights.
Standard contractual clauses, i.e. model provisions approved by the Commission which impose specific data protection obligations on data recipients, are, in principle, valid. They can therefore still function as a general mechanism for the transfer of personal data (regardless of the country of the recipient).
However, the validity of a clause (as applied in a specific case) depends on the reliability of the safeguards provided by the agreements containing these clauses (aimed at compensating deficiencies in the protection provided in the third country).
The supervisory authority should carefully investigate complaints lodged by persons whose data may be transferred to a third country in breach of the standard contractual clauses and, where appropriate, suspend or even prohibit the transfer of data (in particular if it finds that the clauses are not respected and that it is not possible to ensure adequate protection of the transferred data by other means).
In light of the position of the CJEU, traders using the standard contractual clauses to date may continue this practice. On the other hand, those applying (exclusively) the Privacy Shield are forced to seek an alternative.
For many of them this may be a serious problem. When the basis they use for the transfer of data to the US is no longer applicable, activities that involve the processing of data in that country cannot continue until it has been verified whether there is another basis for the transfer, possibly pending its introduction.
The problem concerns both those entities that send data to the US themselves and all persons or organisations that use contractors or providers using servers, data centres and other infrastructure located in the US. After all, they are ultimately the principals who are responsible for the legality of these activities, even if taken (on their behalf) by their business partners.
Stricter requirements for standard clauses
Under these circumstances, at least until the European Commission proposes a new solution for EU-US relations, the above-mentioned standard contractual clauses will (most often) be the natural alternative to the repealed Privacy Shield.
The use of clauses in a contract with the recipient has until now been considered as a means to allow for legitimate data transfer outside the EEA. However, the Schrems II ruling means that simply adding (to a contract) provisions whose wording corresponds to the standard clauses will not in every case protect against an alleged breach of data protection rules.
Due to the tighter control of their actual implementation and the real possibility for a competent authority to suspend data transfers based on them, the clauses will pose slightly higher legal risks. To minimise these risks, Union businesses should therefore attach greater importance to ensuring that the obligations imposed by the clauses are actually implemented by the counterparties (data recipients).
As a consequence, supplementing contracts with (potential) counterparties with provisions that complement the standard clauses with additional obligations should be considered. These could include additional guarantees for the implementation of data protection safeguards, as well as obligations to report on the manner, status or risks to the fulfilment of the obligations imposed by the clauses.
It is also recommended that a Data Protection Impact Assessment (DPIA) be carried out in relation to individual third countries and importers, and that associated risks be documented.
Maximilian Schrems is an Austrian lawyer and activist known for his efforts to protect privacy. The Schrems II case initiated by him refers to the Schrems I case from 2015. At that time, the CJEU decided that the so-called “Safe Harbor” programme does not provide adequate protection for EU citizens’ data transferred to the US.
As a consequence, the European Commission had to propose a new programme (the so-called Privacy Shield) in 2016. As a result of the arrangements with the US side, the new programme became (in principle) the basis for the secure and legal flow of data from the European Union to self-certified American entrepreneurs.
However, in 2015, the already-mentioned Maximilian Schrems also questioned the use (by Facebook Ireland) of standard contractual clauses (as a basis for transferring data of Europeans to Facebook Inc. in the USA). According to Mr. Schrems, the clauses do not provide an adequate level of protection of EU citizens’ rights.
The Irish Data Protection Authority, which is dealing with the case, has opened proceedings on these allegations, and the court subsequently ruling on the case has made a reference for a preliminary ruling to the CJEU. However, to the surprise of many commentators, the CJEU referred in its ruling not only to the validity of the standard contractual clauses, but also to the Privacy Shield Programme dating back to 2016.
By Piotr Zawadzki, Head of IP & DP, Penteris