The Schrems decisions:
On 16 July 2020, the Court of Justice of the European Union (CJEU, or the Court) issued its judgment in Data Protection Commission v. Facebook Ireland, Schrems (Schrems II), invalidating the EU-US Privacy Shield with immediate effect. The Court upheld the European Commission's Standard Contractual Clauses (SCCs) for controller-to-processor transfers (C2P SCCs).
Who is Schrems?
Maximilian Schrems is an Austrian attorney and privacy advocate. Schrems I (Maximillian Schrems v Data Protection Commissioner) and Schrems II (Data Protection Commission v. Facebook Ireland, Schrems) arose from complaints lodged by Schrems with the Irish Data Protection Commission. In his complaints, he challenged the lawfulness of transfers of his personal data by Facebook in Ireland to Facebook in the US, on the ground that the US legal system did not ensure adequate protection of his personal data against US national security surveillance activities. Schrems I invalidated the Privacy Shield's predecessor, the Safe Harbour framework. In Schrems II, Schrems challenged the validity of the Privacy Shield itself.
What is Privacy Shield?
The Privacy Shield was negotiated between the US Department of Commerce, the European Commission, and the Swiss Administration in 2016, to give companies a mechanism for transferring personal data across the Atlantic while adhering to EU data protection law as it stood before the General Data Protection Regulation (GDPR). The Privacy Shield remained in use even after the GDPR came into effect in May 2018.
What were the reasons for invalidating the Privacy Shield?
The CJEU held that the Privacy Shield was invalid because:
- US authorities are able to access and use the personal data of EU data subjects transferred under the Privacy Shield for purposes which go beyond what is strictly necessary and proportionate to the aim of national security. The prime concern with US law and practice is that US businesses receiving national security letters, or other such federal investigative demands, are often precluded from notifying the targets of the investigation (the data subjects) about the inquiry. This is contrary to the transparency principles of the GDPR.
- The Court concluded that US law and practice do not ensure a level of protection essentially equivalent to that guaranteed under EU law, in particular because individuals lack actionable rights before the US courts with respect to the powers of the US intelligence services.
- The Privacy Shield gives primacy to US national security law over the fundamental rights (including the right to privacy) of EU data subjects whose personal data has been imported into the US under it.
What about the validity of C2P SCCs?
The Court upheld the use of C2P SCCs as a data transfer mechanism, but cautioned that the SCCs offer only a baseline level of protection. Data exporters must assess on a case-by-case basis whether additional safeguards are needed. In particular, data exporters need to verify which laws may apply to the particular parties or personal data before making a transfer, and should put additional protective measures in place to address any gaps wherever necessary.
The Court further noted that if the law of the recipient's country imposes obligations on the recipient that are contrary to the SCCs (undermining an adequate level of protection against access by public authorities), the transfer cannot be made.
What does the decision mean for your organization?
The Schrems II decision invalidated the Privacy Shield with immediate effect and with no transitional period, making any transfers still relying on the Privacy Shield unlawful. If you wish to continue receiving the personal data of EU data subjects in the US, you must use another data transfer mechanism: the SCCs, the Article 49 GDPR derogations*, or Binding Corporate Rules (BCRs)**.
* In the absence of an adequacy decision or of appropriate safeguards, a transfer or set of transfers of personal data to a third country may take place only on one of the conditions listed in Article 49, which include the data subject having explicitly consented to the proposed transfer. Separately, in the absence of an adequacy decision, EU or Member State law may, for important reasons of public interest, expressly set limits on the transfer of specific categories of personal data to a third country or an international organisation.
** BCRs are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.