The highly anticipated judgment of the Court of Justice of the European Union (CJEU) came out on 16th July 2020. The consequences of this judgment would be seen in the transfer of personal data outside of the European Union (EU). In the case of Data Protection Commission v. Facebook Ireland, Schrems, the CJEU invalidated the EU-US Data Protection Shield (the “Privacy Shield”), which was put in place after the ‘Schrems I’ decision invalidated the prior ‘Safe Harbor’ framework in 2015. Further, while the ‘Schrems II’ decision upholds the technical validity of the Standard Contractual Clauses (SCC), it creates a new legal diligence burden on organizations relying on them and introduces practical uncertainty, risk, and complications in connection with their use.
The inception of this case roots from the personal data transfer practices of Facebook. This began way back in 2015 when Maximillian Schrems, an Austrian lawyer brought out a complaint against Facebook Ireland, a subsidiary of Facebook Inc. and the data processor of Facebook Inc., in the US. The issue raised was concerning Article 44 of the General Data Protection Regulation (GDPR) stating that citizens did not receive sufficient protection, challenging the validity of the European Commission’s “Safe Harbour” scheme on data transfers from the EU to the U.S.A (“adequacy exemption decision”).
Under EU law, an organization may only transfer “personal data” about an individual to a non-EU country for processing if the destination country “ensures an adequate level of protection”. The European Commission has the authority to decide whether the protections afforded to personal data in a given third country are or are not ‘adequate’ in this regard. Max Schrems contended that the US was a mass surveillance state with data being processed by intelligence agencies without having adequate remedies in place for the EU citizens.
As a result of Mr Schrems’ complaint, the CJEU invalidated the Safe Harbour principles, ruling that the law and practice of the U.S. do not offer sufficient protection against surveillance by the public authorities (C-362/14). The Safe Harbour scheme was subsequently replaced by the EC’s “EU-U.S. Privacy Shield”, a similar self-certification scheme for U.S. based organisations receiving personal data from a European Economic Area (EEA) transferor. Following ‘Schrems I’, Facebook purported to rely on contractual commitments as the basis for its transfer of personal data to the US. Mr Schrems renewed and reformulated his original complaint, alleging both that Facebook’s specific contracts did not meet the obligations of EU law and that, in any case, the contracts could not provide adequate protection where national laws of the third country would override them. The Irish Data Protection Commissioner published a “draft decision” and obtained an order from the Irish High Court for a second reference to the CJEU. This ‘Schrems II’ decision is the CJEU’s judgment on the reference questions arising from that reformulated complaint.
CJEU’s Schrems II Judgment
It is safe to say that this judgment has come as a shock amongst data stakeholders and citizens. The judgment lays down two important decisions that have the potential to change the dynamics of data transfer between the EU and the US. The main practical results of the ‘Schrems II’ decision are (i) the invalidation of the Privacy Shield, and (ii) the uncertainty, risk, and complications introduced into the use of the standard contractual clauses.
In simple terms, this means that the CJEU found that the United States was engaging in overreaching surveillance, incompatible with the European level of data protection. Furthermore, the CJEU reiterated the importance of the availability of effective administrative and judicial redress for data subjects whose personal data is being transferred. Consequently, the CJEU found the legal procedures available to Europeans, regarding the processing of their data once transferred to the United States, were insufficient, on the basis that there was no such procedure available to non-U.S. citizens. The decision reinforces the importance of data protection to global commerce and the critical role that privacy professionals play in implementing protections in line with foreign legal requirements. For privacy professionals today, though, there may be more questions than answers. Here is a quick initial breakdown of what the court said, what it might mean and affect, and how privacy professionals could begin to respond.
CJEU’s decision of validating SCC instead of Privacy Shield framework
Interestingly, SCC’s have been upheld because their validation comes from the supervisory authorities of the EU. The Data Protection Commission (“DPC”) argued that SCC was not an appropriate arrangement and shall not be valid. These arguments were substantiated by Article 7, 8, and 47 of the European Union Charter of Fundamental Rights. It was contended by DPC that the clauses of SCC do not necessarily bind the public authorities of the third country to provide an effective remedy. This argument of the DPC did not stand in front of the CJEU, they refused to invalidate the SCC mechanism. The rationale behind doing so was stated as the SCC’s were an adequate mechanism as per GDPR and EU law standards. It provided sufficient safeguards towards protecting the freedom and fundamental rights of EU citizens.
However, this validation came with a rather large caveat: the court stressed that entering into the standard contractual clauses is not sufficient in-and-of-itself. The controller or processor must also, on a case-by-case basis, verify that the laws of the destination country ensure adequate protection under EU law of any personal data transferred according to the standard contractual clauses. Where the laws of the destination country do not ensure adequate protection, controllers must implement supplementary measures and additional safeguards to attain the required level of protection or else cease the transfer. It is believed that data controllers and supervisory authorities are obliged to suspend or prohibit data transfer in cases of conflict between obligations arising out under EU SCC’s and those imposed by laws or international commitments of those countries.
CJEU’s decision of invalidating Privacy Shield Framework
The Privacy Shield Framework which was supposed to be the successor to the Safe Harbour arrangement was held to be invalid by the CJEU. The working of the privacy shield was to transfer data from the EU to the US following the clauses as set out in the previous Schrems I decision. However, to the utter shock of everyone in the privacy shield judgment, it was held that adherence to the principles as set out in the privacy shield may be limited to the extent of “national security, public interest or law enforcement requirements”. This in a way allowed US surveillance to have access to the personal data being transferred from the EU to the US.
The CJEU examined the Privacy Shield in consideration of the requirements of the GDPR and the provisions of the Charter of the Fundamental Rights of the European Union that guarantee respect for private and family life, personal data protection and the right to effective judicial protection. These requirements were considered against the backdrop of the limitations imposed by US law that allows access to personal data by US public authorities, including Section 702 of Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. Based on this analysis, the CJEU concluded that, firstly, the limitations on the protection of personal data arising from US law that allows US public authorities to access and use personal data are not circumscribed by the Privacy Shield in a way that satisfies EU law. And secondly, the Privacy Shield does not provide individuals with a sufficient level of judicial redress to satisfy EU law.
In sum, effective immediately, the Privacy Shield no longer provides a valid legal basis for the transfer of EU personal data to the US, suffering the same fate that the Safe Harbor framework did five years earlier. Organizations relying solely on Privacy Shield for such transfers must, therefore, take urgent action or face potentially significant liability.
The Reaction of the United States Department of Commerce
The Secretary of the U.S. Department of Commerce, Wilbur Ross, promptly released a press release in response to the Schrems II decision, expressing its deep disappointment with the decision. The statement indicates that the decision creates significant negative consequences to the transatlantic economic relationship that is vital for businesses of all sizes and sectors. It further states that the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield framework and maintaining the Privacy Shield List as the Schrems II decision does not relieve participating organizations of their Privacy Shield obligations.
Impact of Schrems II Judgment
Schrems II changes the landscape for SCCs and data compliances between the US and the EU. With the reluctance of the US to make amendments in its domestic laws, the companies in the US will be paralyzed in terms of providing effective remedy to the EU citizens. As per the ruling in Schrems II, if the third country companies are unable to comply with the SCC, they must inform the controller in the EU. Even if the data processor outside the EU is prohibited from their national laws from disclosing such inability to comply with the SCC Decision, must nonetheless disclose to the controller in the EU of its inability to comply with SCC.
On the other hand, authoritarian regimes such as Russia and China would have a tougher time with this judgment coming in, owing to the fact the protections offered as per their laws should be “essentially equivalent” to that in the EU. Further, it is well known that such regimes are known for their misuse of power, it shall be interesting to see whether the EU would be able to sufficiently address this aspect. This would have an immense impact on the enforcement of their privacy framework across continents. While the US shares privacy values closer to that of the EU, China has a stringent regime where there is a lack of transparency on how the data is being processed. With the wider adoption of internet marketplaces like Alibaba and TikTok, the data flow to China is more than one imagines. Although this decision comes as a setback to major US corporations, there have been announcements made by corporations like Microsoft who make it clear to its users how they would be adhering to these regulations. Microsoft has clarified even though the Privacy Shield framework has been invalidated, they have always maintained to adhere protection measures by SCC’s thus the users shall have nothing to worry about.
Impact of Schrems II Judgment on India-EU trade
As India (third country) does not yet have a separate data protection law in place thus it would be regarded as an unsecured or inadequate third country according to GDPR norms, the agreements with EU countries consist of a standard contractual clause as per notifications by the EU Commission which Indian entities abide while dealing with processing of personal data.
The use of SCC’s in India-EU trade is validated by the EU Commission’s decision dated 5 February 2010 which deals with standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of European Parliament and of the Council which is still to be followed under the GDPR laws. This Notification C(2010) 593 applies to as given under Recital Point 2 stating:
“Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.“
Thus along with other agreed terms between a controller situated in EU and a processor processing data in India, the standard contractual clauses stated in the Notification C(2010) 593 are required to be followed by India. These additional obligations are followed by Indian companies as India does not have a Data Protection Act in place.
Most companies in India currently rely on SCC to transfer data from the EU since India does not have a data protection regime equivalent to the GDPR standard. The Personal Data Protection Bill, 2019 (“PDP Bill”) has been considered by the parliament and likely to be passed. The PDP Bill provides for a carve-out power in favor of the central government which may not be looked at favorably by the EU. Therefore, it is not certain that India will get its adequacy status even after the PDP Bill is enforced. The incorporation of SCC’s in India-EU trade makes sure that the Schrems II judgment would not have any major impact on Indian trade. However, these SCC’s would be under strict scrutiny now as there is an attempt to wipe out any level of inadequacy by third countries in data protection.
The CJEU’s decision offers significant clarity in some areas and raises additional questions in others that will undoubtedly be hashed out by companies, regulators, and policymakers in the days and perhaps even years to come. The practical impact of this aspect of ‘Schrems II’ is likely to be quite significant, given that the most popular method for transfers out of the EU is the use of standard contractual clauses. The decision creates a new diligence burden on organizations seeking to rely on them and creates a significant risk that such transfers may be challenged. The resulting uncertainty, risk, and complexity that the decision introduces further highlights the advantages and benefits of transfers made under adequacy judgments, such as the adequacy status currently enjoyed by Canada’s PIPEDA.
This article can be cited as:
Bluebook, 20th edn.: “Tushar Sinha, The Schrems Saga: Upholding SCC at the expense of Privacy Shield Framework, Metacept – InfoTech and IPR, accessible at https://metacept.com/the-schrems-saga:-upholding-scc-at-the-expense-of-privacy-shield-framework.”
- Schrems II (Data Protection Commissioner v. Facebook Ireland Ltd.), 2020 C‑311/18 (Jul. 16)
- Shivani Agarwal, Samaksh Khanna, Mustafa Rajkotwala, Deciphering Schrems II, W Investment. Jul. 20, 2020, accessible at https://winvestment.wordpress.com/2020/07/20/deciphering-schrems-ii/.
- Claude-Étienne Armingaud, Natali Adison, Dr Thomas Nietsch, Martin Fokken, EU Data Protection: Privacy Shield Shattered by the Sword of European Justice What Comes Next for Transatlantic Dataflows?, K&L Gates. Jul. 17, 2020, accessible at www.klgates.com/eu-data-protection-privacy-shield-shattered-by-the-sword-of-european-justice-what-comes-next-for-transatlantic-dataflows-07-17-2020/.
- Konstantinos Logaras, Schrems II. The saga continues, Data Protection and Privacy, Jul. 2020. accessible at https://uploadsssl.webflow.com/5d777c469faddd58092730fd/5f07213d495b7085522f9964_Schrems%20II.pdf.
- Michael Scherman and Keith D. Rose, Schrems II: The Saga Continues, Lexology, Jul. 16,2020. accessible at https://www.lexology.com/library/detail.aspx?g=edfdd673-123d-4197-a7f0-19d23d78772f.
- Renzo Marchini, Schrems II Judgment Day, Fieldfisher, Jul. 16, 2020. accessible at https://www.fieldfisher.com/en/insights/schrems-ii-judgmentday.
- European Union, International, The Schrems Saga Continues: Schrems II Case Heard Before the CJEU, Hunton Andrews Kurth, Jul. 10, 2019. accessible at https://www.huntonprivacyblog.com/2019/07/10/the-schrems-saga-continues-schrems-ii-case-heard-before-the-cjeu/.
- Julie Brill, Assuring Customers About Cross-Border Data Flows, EU Policy Blog, Microsoft, Jul. 16, 2020, accessible at https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/.
- Eduardo Ustaran, Bret Cohen, Harriet Pearson, Henrik Hanssen, Laur Badin, and Julian Flamant, Schrems II: Privacy Shield invalidated and Standard Contractual Clauses under scrutiny, Engage, Jul. 16, 2020. accessible at https://www.engage.hoganlovells.com/knowledgeservices/news/schrems-ii-privacy-shield-invalidated-and-standard-contractual-clauses-under-scrutiny.
- Caitlin Fennessy, The ‘Schrems II’ decision: EU-US data transfers in question, 20iapp, Jul. 16, 2020. accessible at https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/.
- Schrems II case: EU to U.S. transfers of personal data challenged, Elvinger Hoss. Jan. 29, 2020. accessible at https://www.elvingerhoss.lu/publications/schrems-ii-case-eu-us-transfers-personal-data-challenged.
- 2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593
- Sharmin Godrej Irani, Application of General Data Protection Regulation on Indian Processor, The SCC Online Blog. May. 12, 2020. accessible at https://www.scconline.com/blog/post/2020/05/12/application-of-general-data-protection-regulation-on-indian-processor/.