The validity of key methods of transferring personal data to non-EEA territories in a GDPR-compliant manner is set to be tested. Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield (the Privacy Shield) will be scrutinised in cases due to be heard by the Court of Justice of the European Union (“CJEU”) this month. Rulings that either, or both, fail to offer “adequate protection” for the rights and freedoms of data subjects will have far-reaching legal implications for data controllers and processors. While all organisations undertaking international transfers should watch carefully, those with significant US operations should be especially wary.
Background – Restrictions on international personal data transfers
The GDPR restricts international personal data transfers on the basis that weaker international protections increase the risk that individuals’ data will be compromised and their rights and freedoms undermined. Clearly, however, the day-to-day operations of many organisations (or their suppliers) necessitate such transfers, whether in the context of procuring cloud services, using online storage systems or carrying out intra-group transfers for HR purposes.
Consequently, the GDPR allows the transfer of personal data to a third country or international organisation if:
- The European Commission (EC) decides that the third country or international organisation ensures an adequate level of protection (an Adequacy Decision); or
- The controller or processor has provided appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available; or
- A specific derogation applies to the transfer.
We discuss these compliance options in greater detail here.
The Privacy Shield
In the context of EEA-US transfers, the Privacy Shield currently enables organisations to benefit from the “Adequacy Decision” exemption. Adopted in July 2016 in response to a CJEU ruling that the previous “Safe Harbour” regime was inadequate (see our discussion on the Schrems case here), the Privacy Shield is a self-certification regime for US-based organisations receiving personal data from an EEA transferor. Certification is managed by the US Department of Commerce and US public authorities are subject to monitoring and enforcement requirements, as well as an expectation that they cooperate with European data protection authorities.
While the arrangement is subject to annual review by the EC – which gave its (qualified) approval in 2017 and 2018 – the European Parliament has repeatedly challenged its adequacy. In the aftermath of last year’s Cambridge Analytica revelations, which exposed how Facebook had allowed third-party applications to access users’ personal data, MEPs went so far as to pass a non-binding resolution demanding that the Privacy Shield be suspended.
Standard Contractual Clauses
SCCs are standard data protection clauses approved by the EC for use by organisations carrying out international personal data transfers. They set out how the data should be handled when transferred to a third country and, provided that they are used in full and without amendment, SCCs enable the parties to benefit from the “appropriate safeguards” exemption.
Being both easy to use and offering compliance certainty, SCCs are a crucial and frequently-adopted compliance tool for organisations. Indeed, the ICO has highlighted that, in the event of a “no deal” Brexit, SCCs would be one of the key mechanisms through which UK-based small- and medium-sized enterprises could look to maintain the free flow of data from the EEA.
The Cases
Both mechanisms now face CJEU scrutiny. La Quadrature du Net v Commission (Case T-738/16) will subject the Privacy Shield framework to direct assessment. Three French digital rights groups are challenging the adequacy of its protections, citing alleged failures to prevent personal data abuses by US intelligence agencies.
First, however, on 9 July, the CJEU will hear Facebook Ireland & Schrems (Case C-311/18) (Schrems II), which is likely to have a major bearing on La Quadrature du Net (with the effect that the latter has been delayed, pending the Schrems II judgment). The case follows the Irish High Court’s 2017 ruling that US authorities had engaged in the mass processing of European data subjects’ personal data (as exposed in the Snowden revelations). The data had been transferred under SCCs, provoking the challenge to their validity by Maximilian Schrems, a data privacy activist. Facebook attempted – unsuccessfully – to block the Irish court’s referral to the CJEU of eleven questions relating to the adequacy of SCCs.
The Schrems II ruling is expected in early 2020. The court’s views on the SCCs (and its comments on the Privacy Shield) will be a crucial development: it could undermine and re-shape the existing international personal data transfers framework; by clarifying and further asserting European data protection standards, its impact could also be felt across the wider digital economy.
What to do now
Pending judgment from the CJEU, organisations that make international transfers outside the EEA should take time to map their current international transfers and the legal basis relied on for each, so that they are in a position to respond if the CJEU finds one or both mechanisms invalid.
For further information please contact the firm's data protection team.