On 16 July 2020 the European Court of Justice (ECJ) rendered its much anticipated ruling in Case C-311/18 (Schrems II) by which it invalidated the European Commission’s Decision on the adequacy of the protection provided by the EU-US Data Protection Shield (the Privacy Shield Decision) and provided some important insight on personal data transfers outside the EU. The ECJ’s decision will have complex implications on EU-US business relations and beyond as it reaffirms the EU’s firm stance on data privacy and individual rights and freedoms.
Data transfers under the General Data Protection Regulation
The GDPR allows for cross-border transfers of personal data to non-EU countries to the extent there are guarantees equivalent to those provided by the Regulation in relation to data subjects’ rights. Under Art. 45 of the GDPR, the European Commission can issue a decision declaring that a third country ensures an adequate level of protection, thus making personal data transfers to that country lawful without further authorization.
In the absence of an adequacy decision, data transfers are still permissible, but only if the EU transferor provides appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. For that purpose, a widely used tool by companies dealing with non-EU business partners or group-related companies are the Standard Contractual Clauses (SCC) adopted by the European Commission.
The invalidated EU-US Privacy Shield
Under the EU-US Privacy Shield framework US companies are self-certifying that they comply with certain data privacy principles. Based on the EC’s Privacy Shield Decision, EU companies could then transfer personal data to such self-certified companies in the USA. In Schrems II, the referring court’s concern was that the Commission’s assessment of the adequacy of the Privacy Shield framework may not be correct, in particular given the US legislation on the powers of national security and intelligence authorities to access the personal data transferred.
The ECJ found that the Privacy Shield Decision is indeed contrary to EU law for the following reasons:
- the provisions of the US surveillance laws do not provide for any limitations on the powers of the national intelligence authorities when implementing foreign intelligence surveillance programmes and do not grant EU data subjects actionable rights before the courts against these authorities, and
- the introduction of the Privacy Shield Ombudsperson cannot remedy the above deficiencies since that ombudsperson does not have the power to adopt decisions that are binding on the US intelligence services.
In light of the above considerations, the ECJ found that the Privacy Shield Decision is invalid with the effect that personal data may no longer be transferred from the EU to the USA based on the Privacy Shield framework.
The Standard Contractual Clauses – valid but insufficient for EU-US data transfers?
The SCC are contractual provisions conferring rights on data subjects against the EU data exporter and the non-EU data importer that could be enforced in civil courts. In Schrems II the ECJ found that the EC’s decision on the SCC is valid because the SCC ensure appropriate safeguards on the processing of personal data by the signing parties.
However, the SCC do not create legal obligations on the third country’s public authorities. This means that they may not be sufficient to meet the requirements of Art. 46(1) of the GDPR where such public authorities can also access the personal data transferred. Therefore, EU companies transferring data abroad should assess to what extent there are safeguards and effective remedies for data subjects when their data is processed by the third country’s authorities. The factors to be taken into consideration include those set out in Article 45(2) GDPR, i.e. the relevant legislation, the existence and effective functioning of one or more independent supervisory authorities in the country etc.
As regards EU-US data transfers, based on the ECJ’s analysis of the applicable US legal framework it seems that reliance solely on the SCC is not recommended. It remains uncertain what could be the additional safeguards that private companies should implement to address the deficiencies in the US surveillance legislation identified in the Schrems II decision. Thus, a new mechanism for cross-Atlantic data transfers would most likely have to be negotiated.
Impact of the Schrems II case
Following the Schrems II decision, multinational companies and companies working with non-EU clients or suppliers should consider:
- reviewing their agreements to identify the legal basis for any international data transfer;
- confirming that their non-EU business partners comply with the data transfer agreements;
- assessing, in collaboration with the data importers and absent an adequacy decision of the European Commission, if public authorities in the destination country may access the data transferred and to what extent there are safeguards and effective remedies for data subjects in such cases;
- seeking additional safeguards or derogations under Art. 49 of the GDPR, in case the assessment shows that the SCC are not sufficient, and
- suspending data transfers where no additional measures or derogations are available.
The information and opinions contained in this post are not intended to and do not constitute a legal advice under Bulgarian law or under the laws of any other jurisdiction and is provided for informational purposes only.