No Privacy Shield. Must-read for international data transfers
17 July 2020
On 16 July 2020, in a landmark judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), the CJEU declared the Privacy Shield invalid and, while finding the European Commission’s Standard Contractual Clauses for data transfers (“SCCs”) valid, questioned the adequate level of protection they provide.
Timeline of events
In June 2013, Maximillian Schrems brought a complaint to the Irish Data Protection Commissioner claiming that EU-US Safe Harbor personal data transfers were unsafe. One year later, the Schrems case went to the CJEU. In October 2015, Safe Harbor was invalidated, and a year later the EU-US Privacy Shield was born. In May 2018, just as the GDPR entered into force, the Irish High Court referred to the CJEU several questions regarding SCCs and the Privacy Shield. 2019 brought the Schrems II hearing at the CJEU and ended with the CJEU’s Advocate General issuing an Opinion in Schrems II.
In analysing their validity, the CJEU highlighted that SCCs are simply contractual guarantees that can apply uniformly to third countries and, by their contractual nature, are not capable of binding the public authorities of third countries, which are not party to the contract.
The Court determined that, in order to guarantee natural persons the level of protection provided by GDPR, it may be necessary for controllers to supplement the SCCs with other safeguards. The CJEU highlighted that controllers or processors should, before transferring personal data to a third country, on a case-by-case basis, analyse the legislation of the respective third country, by comparison to the GDPR, and establish if additional measures to the SCCs are in order.
The CJEU held that the recipient must inform the controller if it is not able to comply with the SCCs, and that the EU controller or processor is under an obligation to suspend or end the transfer of personal data to the third country if the necessary safeguards cannot be put in place (e.g. where public authorities of the third country are able to gain access to the data without an adequate level of protection). If the data has already been transferred and the recipient has notified the controller that the third country’s legislation prevents compliance with the SCCs, the data should be entirely returned or destroyed.
The Court stated that the data subject has a right to compensation for damages in case of breach of the SCCs. In case of special categories of data, the data subject should be informed in advance or immediately after the transfer to a third country.
EU-US Privacy Shield invalidated
The Court analysed the validity of the Privacy Shield by comparison to the requirements of the GDPR and deemed it invalid. The CJEU pointed out that the Privacy Shield Decision does not ensure a level of protection essentially equivalent to that arising from EU law, considering that the data subjects whose personal data is being transferred to the US do not have the same effective and actionable rights.
Regarding the implementation of US surveillance programmes, the CJEU pointed out that non-US data subjects who could be targeted would not be granted enforceable rights before the courts against the US intelligence authorities. It also noted the lack of limitation on the powers of such authorities. The CJEU observed a further shortcoming in the ability of the surveillance programmes to access data in transit to the US without judicial review or delimitation of the scope of personal data collection.
The Court highlighted that the Ombudsperson mechanism is a political commitment with no power to adopt decisions binding on the intelligence services, that it cannot demonstrate its independence, and that it does not actually provide data subjects with legal safeguards similar to those required under EU law.
What should you do?
- Identify all international data flows and the safeguards you apply to each one
- Make sure you’re providing a level of protection essentially equivalent to that guaranteed by GDPR
- In order to assess the level of protection, analyse contractual clauses and relevant aspects of the third country legal system showing the access of public authorities to personal data
- For data transfers to the US, verify if you were using the Privacy Shield and switch to another safeguard
- If you’re using SCCs, verify if it is necessary to supplement them with additional safeguards and analyse the legislation of third countries to which you are transferring personal data
- Suspend or prohibit the transfer of data if:
  - no Commission adequacy decision stating that the third country provides an adequate level of protection exists
  - the supervisory authority asserts that standard data protection clauses are not or cannot be complied with in that third country
  - there are no other means to ensure data protection as per EU law