Schrems II: ECJ Rules EU-US Privacy Shield invalid and puts a sting in the tail for Standard Contractual Clauses
The European Court of Justice (ECJ) has ruled in the “Schrems II” case that the EU-US Privacy Shield is not a lawful safeguard for transferring data between the EU and US.
The Court ruled controller to processor Standard Contractual Clauses (“SCCs”) are a lawful safeguard, but the judgment increases the due diligence required for businesses to rely on them.
This ruling has significant implications, as most businesses transfer personal data internationally. This might be directly, as a controller, or through the many data processors used for everyday business functions: email, client management and HR systems, for example, or cloud software for accounts or marketing.
We explain below how this ruling might affect your commercial business and your data protection compliance arrangements, and how Doyle Clayton can help you navigate any challenges.
Background - International Data Transfers
The GDPR prohibits personal data transfers to countries outside of the EU unless certain conditions are met. In principle, transfers may take place in any of the following circumstances:
- To a country with a European Commission adequacy decision (GDPR Article 45)
- With appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules, if data subjects have enforceable rights and effective legal remedies (GDPR Articles 46 and 47)
- Where a derogation for a specific situation applies, for example the data subject has given their explicit consent (GDPR Article 49).
Schrems I ruling
In October 2015, Maximilian Schrems (a lawyer and data privacy campaigner) successfully challenged the EU-US Safe Harbor arrangements. He challenged Facebook transferring data from Facebook Ireland to servers belonging to Facebook Inc., located in the US. In Schrems I, the ECJ declared Safe Harbor an unlawful safeguard for transferring data.
Following the judgment, the European Commission adopted a replacement adequacy decision, the EU-US Privacy Shield, which took the place of Safe Harbor.
Mr Schrems brings new complaint (Schrems II)
Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner and alleged the EU-US Privacy Shield also does not offer sufficient protection for personal data transferred. He wanted to suspend or prohibit his personal data being transferred from the EU to the US. Facebook was using SCCs to transfer his data to the US.
Irish High Court refers issue to the ECJ
The High Court referred a number of questions to the ECJ for a preliminary ruling. These covered the Privacy Shield and the SCCs, and the safeguards each offered.
In December 2019, the Advocate General delivered an opinion (which was not binding on the ECJ). He upheld the controller to processor SCCs as lawful and, on that basis, considered that the Court did not need to determine the Privacy Shield's validity as a transfer mechanism. However, the Advocate General questioned its validity in his reasoning.
The ECJ based its ruling on the GDPR (although the complaint was initially based on its predecessor, Directive 95/46/EC). It ruled that the European Commission's decision on controller to processor SCCs is valid, but that its decision on the EU-US Privacy Shield is invalid.
Issue 1: Controller to processor SCCs
The ECJ noted that the SCCs require individuals whose data is transferred outside the EU to be offered a level of protection essentially equivalent to that guaranteed within the EU under the GDPR. Therefore, both the SCCs and the relevant legal protections of the third country must be considered.
The ECJ stated supervisory authorities are required, in the absence of an adequacy decision, to prohibit a transfer of personal data to a third country where they consider that SCCs are not, or cannot be, complied with in that country and the level of protection required by EU law cannot be ensured by other means.
This increases the burden on organisations, as they must assess the third country's legal protections before relying on SCCs.
Issue 2: EU-US Privacy Shield
Although the Advocate General had suggested the ECJ did not need to examine the EU-US Privacy Shield, the ECJ did anyway. It noted that the European Commission’s adequacy decision enshrined the USA’s requirements for US national security, public interest and law enforcement having primacy. It therefore condoned interference with the fundamental rights of individuals whose data is transferred to the US.
The ECJ also noted that the Privacy Shield Ombudsperson mechanism did not give individuals a cause of action before a body offering guarantees essentially equivalent to those required under EU law.
It therefore ruled the Privacy Shield invalid.
Information Commissioner's reaction
The ICO has issued two statements since the ruling. In the first, it said it is considering the judgment and will speak to government and international agencies to ensure global data flows may continue. The second statement clarifies that organisations currently using the Privacy Shield may continue to do so until new guidance is available, but organisations should not start using the Privacy Shield during this period.
The ruling has two key implications:
- Data transfers under the Privacy Shield need to be revisited. Another lawful safeguard for transfers with the US is needed
- Organisations using controller to processor SCCs need to re-evaluate these and check they still provide a lawful safeguard
Organisations using SCCs need to assess the safeguards available in the third country to which data is transferred. The SCCs are outdated (they have not been updated since before the GDPR came into force), so we expect them to be revisited and updated. More organisations may seek to use SCCs following this ruling.
Following Schrems II, organisations using SCCs have the additional burden of conducting their own assessment and evidencing it for data transfers to third countries. Data Protection Impact Assessments covering international transfers will need revisiting. Supervisory authorities may prohibit data transfers to a third country where they consider that the SCCs cannot be complied with in that country.
Other mechanisms for international transfers include Binding Corporate Rules, although these are not used often as they are extremely time-consuming and costly to implement.
The UK becomes a third country for data transfer purposes after 31 December 2020 and, as it stands, has no adequacy decision from the European Commission. It will be interesting to see how negotiations proceed in light of this new ruling. In any event, international organisations should be assessing how they transfer data outside the UK and ensuring they have the necessary safeguards in place.
Doyle Clayton’s Privacy Team can help your business undertake a review of its current international data transfer arrangements and develop a compliance strategy as more guidance is released from the ICO. Please feel free to contact the author, Mike Hibberd, in the first instance at email@example.com or any member of the Privacy team.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.