Blog - 24/01/2020
Schrems II: Some good news on international data transfers, but at whose cost?
The recent opinion of the Advocate General (AG) to the Court of Justice of the European Union (CJEU) in the Schrems II case makes welcome reading to UK businesses. In his opinion the AG confirms the legality of the Standard Contractual Clauses (SCCs) which are currently one of the main ways to lawfully move personal data from the European Economic Area (EEA). This is particularly important for UK businesses because once the UK leaves the EU it is likely that the SCCs will need to be entered into to legalise the flow of data from the EEA to the UK.
Following Schrems I and the demise of Safe Harbor as an appropriate instrument to transfer personal data from the EU to the US, transfers of data to the United States and other non EEA countries have largely continued on the basis SCCs.
Schrems II is the latest challenge brought by Max Schrems against Facebook Ireland Ltd. The case continues to question the lawfulness of Facebook Ireland’s transfer of EU citizens’ personal data to Facebook Inc. in the US using SCC (as an alternative safeguard to Safe Harbor).
The AG’s analysis led to the conclusion that SCCs remain a valid mechanism which organisations may rely on as means to legitimise transfers of personal data outside of the EEA.
The AG’s Opinion will provide comfort to the many businesses in the EU that rely on SCCs as a way to transfer personal data to countries outside the EEA. It will also provide some relief to UK businesses as they prepare for Brexit.
EU data protection law prohibits the transfer of personal data to countries outside the EEA unless that third country, or the organisation in question, ensures an adequate level of protection in line with those of the EU. In absence of an adequacy decision, appropriate safeguards must be put in place to legitimise the transfer.
For data transfers between the EU and US, the European Commission and the U.S Department of Commerce jointly devised a framework known as “Safe Harbor”, which was based on certain European privacy principals which US companies could voluntarily sign up to in order to engage in cross-border data transfers. In essence, Safe Harbor allowed US businesses who had self-certified their compliance to the Safe Harbor framework to lawfully receive data from the EU.
Following revelations by Edward Snowden in May 2013 that the US National Security Agency (NSA) carries out mass surveillance in the U.S., Max Schrems, an Austrian privacy activist, complained to the Irish Data Protection Commission (Irish DPC) that Facebook Ireland was improperly transferring his data to Facebook Inc. in the US where it could be accessed by the NSA for foreign intelligence purposes. The case, known as Schrems I, led the CJEU on 6 October 2015 to invalidate the Safe Harbor arrangement on grounds that it failed to protect EU citizens’ personal data from surveillance by US law enforcement agencies.
Shortly following the CJEU’s ruling, Facebook Ireland signed an agreement with Facebook Inc. which relied on using SCCs (as an alternative safeguard to Safe Harbor) to transfer personal data on Facebook’s EU customers to the US. The Safe Harbor framework was also updated and a new EU-US framework, named the Privacy Shield, rolled out in August 2016.
Subsequently, Mr Schrems reformulated his compliant, challenging Facebook’s reliance on SCCs to transfer data to the US on the basis of similar arguments raised in Schrems I – that mass surveillance by the NSA and other US agencies violate the fundamental rights of EU citizens. This resulted in the Irish DPC bringing the case back before the Irish High Court, who then referred the matter to the CJEU.
The Irish High Court referred a total of 11 questions to the CJEU in which it asked the CJEU to consider not only the validity of SCCs, but also the validity of the new EU-US Privacy Shield (despite the latter not forming part of Mr Schrems’ reformulated complaint). The key issue underpinning these questions is the compatibility between the US’s retention and use of personal data for national security purposes on the one hand and the EU’s protection of privacy and protection of personal data as fundamental rights on the other.
Standard Contractual Clauses
In his reformulated compliant, Mr Schrems claims that the safeguards offered by SCCs do not justify the transfer of his personal data to the US. This is because, under US law, Facebook Inc is required to make personal data it holds about its users available to US authorities, such as the NSA and the FBI. Additionally, Mr Schrems claims there is no remedy that would allow EU citizens to invoke their rights afforded by Charter of Fundamental Rights (Charter) in the US, particularly in relation to respect for private life and to protection of personal data.
The AG concluded that although SCCs are not binding on the authorities of the third country of destination, that does not in itself render the SCCs invalid. Rather, in his view, the focus should be on whether or not there are sufficiently sound mechanisms to ensure that a transfer based on SCCs can be suspended or prohibited where those clauses are breached or impossible to honour.
The AG also concluded that the SCCs do provide sufficiently sound mechanisms in so far as they place an obligation on data controllers and, if they fail to act, on supervisory authorities, to suspend or prohibit a transfer when there is a conflict between the obligations arising under the SCCs and those imposed by the law of the third country of destination which results in the SCCs not being complied with.
The AG’s position is clear – SCCs are valid. However, by avoiding rendering SCCs invalid, the AG places a huge amount of responsibility on the exporter, and ultimately the supervisory authority, to suspend any transfer where the law of the third country of destination prevents the importer from complying with the SCCs. Mere existence of SCCs being in place is not enough. This requires a proactive approach to be taken by exporters, who will need to investigate all the circumstances characterising each transfer and act to suspend or prohibit a transfer if it finds problems.
US surveillance is likely to be a serious concern for transfers made to the US. However, the outcome will largely depend on the nature of the transfer and the volume and type of the data being transferred. Large scale data transfers (for example by Facebook Ireland to Facebook Inc in the US) are likely to be considered incompatible with EU citizens’ Charter rights. The final position on this will become clearer when the CJEU hands down its judgment.
The CJEU is due to deliver its judgment on the Schrems II case early this year. Until then, both the SCCs and Privacy Shield remain valid mechanisms to transfer data outside of the EEA.
If the CJEU decides to follow the AG’s Opinion (which is non-binding), the burden placed on the exporter will be a heavy one – ensure that SCCs are being complied with in practice, or risk the transfer being suspended by the supervisory authority.
Whilst we await the CJEU’s judgment, exporters wanting to keep one step ahead are advised to:
- Review their data flows to countries outside of the EEA without an adequacy decision.
- Review the purpose of this transfer (and its necessity).
- Identify the transfer mechanism relied on to transfer data to that country.
- Assess whether there are any other transfer mechanisms available to legitimise the transfer.
- If SCCs are the only transfer mechanism available, assess all the “circumstances characterising each transfer” and consider whether there are any reasons why the use of SCCs will not protect EU citizens’ Charter rights (e.g. through government surveillance).
- Carefully document the above analysis.
- And finally, check back here for an update on the Schrems II case.
If you would like to discuss the AG’s Opinion and the impact it may have on international transfers of data that your organisation makes, please get in touch with Selina Clifford or Nick Phillips.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.