This article has been written by Kazi Ashique Azfar, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Introduction
The Court of Justice of the European Union (CJEU), on 16th July 2020, published its judgement on Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (the Schrems II case). The EU-US Privacy Shield, a system that controlled data transfers across the Atlantic, was ruled illegal. Furthermore, even though the Court upheld the validity of Standard Contractual Clauses (SCC), it set out essential conditions for data controllers to follow while using SCCs. There is still some ambiguity that needs to be settled.
Background and a brief history
The European Union’s (EU) Charter of Fundamental Rights protects the rights of every EU citizen to have their data handled fairly, for specific reasons, and with their consent. The General Data Protection Regulation (GDPR) elaborates on this right by establishing appropriate safeguards/checks and balances to protect EU citizens’ personal data. It also specifies that data transfers to third countries are contingent on those countries providing an appropriate degree of data security.
The US Department of Commerce and the European Union, until 2015, had a safe harbour agreement, which regulated the data flow between them and this agreement was said to meet the level of ‘adequate protection’ required by GDPR. However, this was challenged in 2013 by Max Schrems, an Austrian privacy rights activist. It specifically challenged the transfer of personal data by Facebook to its server in the US. The case was finally heard by the European Court of Justice, which found the safe harbour agreement inadequate in protecting EU citizen’s data and thus made it invalid. (This ruling is popularly known as Schrems I).
Facebook continued to transfer data outside the EU using SCCs, a standard contract authorised by the EU to secure data transfers between EU and non-EU countries. The European Commission and the USA’s Department of Commerce later drafted and adopted an alternative framework, the EU-US Privacy Shield, to replace the safe harbour agreement and its void. The EU-US Privacy Shield was created and adopted to ensure compliance with EU laws but faced heavy criticism from privacy activists and data protection experts. It provided unhindered access to personal data without any protection for national security purposes. Schrems challenged Facebook’s use of SCCs to move EU citizens’ data to the United States again in 2015, claiming that it did not adequately protect the interests of EU-based data subjects and violated Art 7, 8, and 47 CFR. When the case was referred to the ECJ in 2018, a decision was requested on 11 questions. The questions were related to the validity of the privacy shield and SCCs, and the level of protection required to be afforded to personal data transferred to a third country.
Schrems II
The EU-US Privacy Shield: Invalid
The CJEU stated that for the EU-US Privacy Shield to be valid, it had to be established that the level of protection provided under the laws of the third country is “essentially equivalent” to what is guaranteed under the EU Law. Looking into the provisions of the US’s Foreign Intelligence Surveillance Act and the surveillance programmes that such provisions allow, the CJEU found that it did not satisfy the “essentially equivalent” requirement. According to it, the surveillance programmes that are empowered under the law are neither proportional nor “strictly necessary”.
The Court stated that the United States’ prioritisation of national security, public interest, and law enforcement provided for interference with the constitutional rights of those whose data were transmitted to that third country. It noted, for example, that the US government did not grant data subjects actionable rights against US authorities in the Court. Furthermore, according to the Court, the EU-US Privacy Shield’s mechanisms for mitigating these harms did not meet the necessary legal requirement of “essential equivalence” with EU law and it to be insufficient and invalid on these grounds.
While this means that the EU-US Privacy Shield cannot be used to export data under article 45 of the GDPR, the organisations that got certified to Privacy Shield are still subject to its requirements. According to the US Department of Commerce, the Privacy Shield program will continue to be enforced, and this decision will not relieve the organisations from their obligations.
The standard contractual clauses: valid with qualification
The CJEU held that SCCs are valid for transferring data under Article 46 of the GDPR. However, it noted that the execution of SCCs alone would not be enough and that organisations relying on SCCs for data transfer to the third country will have to assess the level of protection afforded to the data subjects rights. The “essentially equivalent” requirement will still have to be fulfilled, and that the adequacy of the SCCs will be based on the law of the third county on a “case-by-case” basis.
Some of the relevant factors for such assessment are set out in Article 45(2) of the GDPR. Among other things, it considers public authorities’ access to personal data and data subject’s right to redressal. If it is not adequate, then additional safeguards to compensate for it are needed to supplement the SCCs. The supervisory authorities are required to check and prohibit transfers to third countries if the data subjects are not afforded “essentially equivalent” protection. This is especially important for the U.S. because the Court has already found that the laws regarding data protection are insufficient. Thus, data transfer can be made through the SCCs only if additional remedies can fulfil the requirements for equivalent protection.
The Court further noted that where the recipient of data transfer cannot provide the needed protection in a third country, it must return or destroy the data. It also stated that the data subjects have the right to compensation for damages where the clauses are breached
Post Schrems II
Since the Privacy Shield has been held invalid by the CJEU, it is no longer a valid mechanism for third country data transfers. While the privacy shield applies to only US companies, the effects of this ruling are not limited to the US, and it will also affect other countries and the application of SCCs. All companies relying on SCCs for data transfer to third countries will have to ensure that the laws there are not in conflict with the EU privacy laws.
However, there was confusion among the companies understanding that the European Data Protection Board (EPBD) came out with a Frequently Asked Questions (FAQ) document. It clarified, among other things, that the Schrems II ruling not only affects the Privacy Shield and SCCs but also additional data transfer mechanisms like Binding Corporate Rules (BCR). The alternative means for data transfer highlighted were – under article 49 of the GDPR, adequacy decisions. It also later issued guidelines to elaborate on steps to be followed by data exporters for transferring data outside European Union jurisdiction.
While the guidance and FAQ were intended to bring clarity, the organisation transferring data had to face ambiguity still to conclude the legality of the transfer and the correct procedure to follow. This was primarily because the supervisory authority (SA) was “required to suspend or prohibit such a transfer”, and each member state has a different SA that may interpret them differently. As has been the case where some SAs have stated that any data transfer to the US is illegal, which is similar to the stand taken by the European Data Protection Supervisor (EDPS) asking to avoid any processing activities that involve the transfer of personal data to the US. The EDPS has called for undertaking an exercise to identify which “on-going contracts, procurement procedures and other types of cooperation involve transfers of data”. Whereas other SAs have noted that the use of SCCs as a transfer mechanism is valid for transfer to the US provided that additional and adequate measures are implemented.
Conclusion
The CJEU has upped the stakes for the organisations involved in data transfer outside the EU and increased their obligation. However, the uncertainty still attached to the regulation after the judgement, and the EPBD guidance is a concern and needs to be rectified.
The best way forward for organisations is to follow the guidelines and map, document, and be accountable for their data transfers. They should most importantly actively undertake continued re-assessment of the third country’s laws where data is to be transferred to ensure that it is compliant with the adequacy requirement and can make changes to the data transfer mechanism if required.
References
- CURIA – Documents (europa.eu)
- Schrems II: A brief history, analysis and the way forward – Shreya Tewari – Informs Blog
- Schrems II landmark ruling: A detailed analysis | India | Global law firm | Norton Rose Fulbright
- Schrems II: The next chapter – EDPB issues recommendations on supplementary measures for transfers of personal data to the US, European essential guarantees for surveillance measures | Insights | DLA Piper Global Law Firm
- Regulatory response trends to Schrems II decision | EY – Global
- The E.U.—U.S. Privacy Shield Invalidated in “Schrems II” – Berkeley Technology Law Journal (btlj.org)
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: