Schrems II landmark ruling: A detailed analysis

Introduction

On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions.

This article provides a detailed analysis on the judgement, but first, here are our recommendations on what organizations should consider doing next:

• Monitor guidance updates from the European Data Protection Board (EDPB) and Data Protection Authorities (DPAs): The judgment is not clear as to how satisfactory compliance should be achieved. This guidance will be crucial in determining whether any of the following measures are sufficient.
• Carefully map international data flows and existing transfer mechanisms: Data flow mapping may have been less rigorous in the past if the assumption was that if SCCs were put in place personal data could be transferred anywhere. A first step therefore is to map precisely which personal data is transferred to, or accessed from, which country outside of the EEA and determine which export mechanism was previously being relied on to legitimize that transfer (i.e. the Privacy Shield, SCCs or binding corporate rules (BCRs)) or a derogation).  The mapping should note the quantity and sensitivity of the data so that this can be assessed against likelihood of government access and consequential harm to the individual, and how easily the processing activity could be relocated if necessary.
• Transfers to the US will require assessment; other countries will follow: So far, the US is the only country that the CJEU has actually ruled on the equivalence of its surveillance practices and law and has found it to be wanting. Although other countries might have wider and less controlled regimes, these have not been the subject of a finding or ruling of a DPA, EDPB or the CJEU in this context. Therefore, doing nothing until guidance is published in relation to these countries would appear more defensible.
• Put SCCs in place if you were previously relying on the Privacy Shield: The Privacy Shield is no longer valid. It is therefore prudent to implement SCCs at this stage to ensure that a valid export mechanism is in place (albeit one that gets updated by the EU Commission or to which you have to add additional safeguards). BCRs might be a long term solution but will not be approved overnight (more likely approval will take between 6 and 24 months).
• Consider how you are going to approach the assessment required when using the SCCs: Where SCCs are currently in use or are intended to be used, the judgment requires parties to evaluate the laws applicable to public authority access of the data importer’s jurisdiction. The judgment does not provide a solid framework for organizations to use and guidance from the EDPB and/or DPAs will be required to assist with this. In the interim, it may be prudent to review the non-EEA and non-Commission approved countries to which data is exported (both on an intra-group and extra-group basis). You should consider whether any of these countries’ laws could be problematic and whether additional safeguards may be required. A similar exercise is advisable in relation to BCRs. BCRs are also a contractual mechanism and therefore subject to any deficiencies in the importer’s surveillance regime (although depending on the BCRs’ content they may already incorporate measures equivalent to the additional safeguards required for SCCs).
• Consider what additional safeguards could be applied: These could be technical, contractual or involve a throttling back of certain transfers. Technical safeguards will include:
  • Encryption of the data flow (remember the adversary here is a nation state so the measures will need to be robust – which may mean cumbersome or expensive to use). US companies should use commercially available encryption, or else they may need a special license to export the software, since US export laws regard such unique software as a “munition” under 15 C.F.R. 742.15. 
  • Contractual measures that might include increased transparency from, and control over, the data importer so that the data exporter can satisfy itself that the importer has a robust process for challenging requests.
  • Minimizing the amount of data disclosed.
  • Notifying the exporter of requests from law enforcement authorities so it can intervene unless truly prohibited by law from doing so, together with statistics as to how often and what types of requests have been complied with in the past 24 months so the exporter can assess the likelihood of its data also being accessed. 
  • The ability to relocate certain data types or data processing activities to other countries or ultimately ceasing processing (on acceptable commercial terms).
• Consider if a derogation may apply: There are a number of derogations available (discussed in more detail below). We consider these to be of limited assistance with respect to “usual” day-to-day transfers. However, they may be useful as a fall back in terms of assessing how quickly an additional safeguard should be implemented or processing activity relocated if necessary.
• Ensure key stakeholders are aware of the implications of the judgment: Senior management should be made aware of the decision as there will likely be cost implications (e.g. around assessing importer jurisdiction legal systems and updating contracts) and impacts to key business decisions (e.g. around whether data should remain in the EEA going forward). 
• Consider delaying transactions involving the export of personal data to non-EEA or Commission approved jurisdictions: The impact of the judgment in practice remains to be seen, but it is clear that parties will be required to make and sign-off on assessments of non-EEA legal frameworks. Where a transaction is in progress the parties will need to consider allocating the risks and responsibilities around this. These requirements may also result in decisions to restructure transactions to retain personal data within the EEA or a Commission approved jurisdiction (e.g. Canada).  

What is the background to this case?

In 2015, Austrian privacy advocate Max Schrems lodged a complaint with the Irish Data Protection Commissioner (Irish DPC). Mr Schrems alleged that the transfer of his personal data from Facebook Ireland to its parent company in the US, made on the basis of the SCCs, did not protect his fundamental rights under EU law, given the ability of US public authorities to carry out surveillance on EU individuals’ personal data without adequate controls or judicial remedies. He argued that the Irish DPC should suspend those particular transfers, not the SCCs generally.

However, the Irish DPC took the view that the SCCs are part of a systemic problem and should be invalidated in general. 

The DPC brought proceedings before the Irish High Court, requesting it to refer questions around the validity of the SCCs to the CJEU. This case is a continuation of Mr Schrems’ earlier complaint against Facebook (known as Schrems I), which invalidated the Privacy Shield’s predecessor, Safe Harbor, in 2015.

What did the CJEU say?

1. SCCs are valid, provided that additional assessments are undertaken

The CJEU held that the SCCs remain a valid export mechanism under Article 46 of the EU General Data Protection Regulation (GDPR). 

To date, most organizations have simply assumed that the execution of SCCs alone are sufficient to meet the export requirements of the GDPR. This approach can no longer be taken in light of the judgment. 

For the purpose of assessing the adequacy of the level of protection for transfers made pursuant to the SCCs, the CJEU confirmed that organizations must first undertake an “assessment” to ensure that, as required by Article 46(1) of the GDPR, data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies.

This assessment must involve both a consideration of the provisions of the SCCs, and the laws of the country in which the data importer is located, on a “case-by-case” basis.

Factors that are relevant to making this assessment include (but are not limited to) those same factors which the EU Commission considers when evaluating whether an adequacy decision should be made, as set out in Article 45(2) of the GDPR.

Some of the factors set out in Article 45(2) of the GDPR include: the rule of law; respect for human rights; access by public authorities to personal data; the existence of independent supervisory authorities; effective data subject rights; and redress avenues afforded to data subjects.

Many of these factors can be met through the data importer agreeing to the provisions in the SCCs.  For example, the data importer can agree to process data subject rights requests to EU standards and gives enforceable third party rights to the data subjects. The problematic area is around factors that cannot be addressed through contracting with the data importer – principally (and this is where all the complaints have focussed) on mandatory laws applicable to the data importer (such as surveillance laws) that trump the contractual terms that the data importer has agreed with the data exporter in the SCCs.

As noted, the focus has been on surveillance laws applicable to the data importer. This judgment suggests that the assessment should at least evaluate and appraise the data importer’s legal system to the extent that it permits access by public authorities to personal data. It should include an assessment of: (i) the circumstances in which access is permitted; (ii) the oversight of the access; and (iii) redress available to data subjects (including EU data subjects). This may not be an easy task as the data importer’s laws in this area may be opaque and require specialist advice to interpret. Further, the standard that must be met is also not particularly clear. It is fair to say there will be considerable scope for differences in opinion between data exporters who want to export and will tend to read the data importer laws restrictively, and privacy activists who want rights to be protected and who will read them expansively. 

Following this assessment, parties to the SCCs may also be required to “supplement” the SCCs with additional safeguards to remedy any shortcomings. For example, if the relevant surveillance can only take place in transit under the data importer’s law, then encrypting the personal data in transit might be an appropriate additional safeguard.

The CJEU’s judgment could be read as suggesting that the assessment should be based on the data importer’s legal system in this area alone, without specific regard to the nature and purpose of the personal data transferred. In contrast, the Advocate General’s (AG) Opinion in the case suggested that the assessment requires a consideration of the foreign legal system in the context of the characteristics of the particular transfer, including the nature of the personal data; the purpose of the processing; and how and why public authorities access personal data. The implication of this passage in the AG Opinion may have been that transfers where any harm from surveillance would be low or where the risk of surveillance was low might by justified with no or fewer safeguards. This passage was not repeated in the CJEU judgment and so it remains to be seen if deficiencies in the data importer’s legal system in this area would require the same safeguards to be deployed for all transfers to the data importer’s country using SCCs or whether the level of safeguards could be flexed depending on the risk of harm and surveillance actually happening. Clearly this latter view is more pragmatic.

In this context, many EU businesses are looking to their DPA for guidance as to what is required and how such an assessment should be made. The DPAs in turn should consult through their collective body, the EDPB, and produce guidance that applies across the EU Member States to help avoid divergence. However, it is clear that there are differences in opinion between DPAs as to how to proceed following the ruling and therefore, such guidance may not come until after the European summer holidays are over at the end of August.

2. Parties to the SCCs, and DPAs, need to view their obligations differently

It is clear that parties to the SCCs must now actively ensure compliance with the requirements – whilst this is not new under the SCCs, organizations have not (typically) given much thought to their specific obligations under the SCCs.

This will need to change, given that the CJEU now places an explicit obligation to assess the adequacy of the level of protection for transfers made under the SCCs and “supplement” the SCCs.  The CJEU reiterates that data exporters are primarily responsible for this, working in collaboration with data importers.  The judgment also stresses the obligation of data importers to satisfy themselves that their legal systems allow for them to comply with their obligations under the SCCs.  This will need data exporters to explain what EU law actually requires of importers in clearer terms than the SCCs do today.

Where the data importer is unable to do this, it must inform the data exporter, who must consider suspending or terminating the transfer. The CJEU makes clear that this is an obligation, as opposed to merely a right. If the data exporter does not suspend or terminate the transfer following such notification from the data importer, the data exporter is required to inform the relevant DPA which must then undertake an investigation. DPAs are also required to check how compliance is achieved with “due diligence” where an individual lodges a complaint about transfers of personal data.

This means that DPAs will also need to familiarize themselves with foreign legal systems, in order to investigate such complaints effectively and take appropriate actions to remedy findings of inadequacy, such as suspending or prohibiting the transfer. The guidance discussed in the previous section is going to be necessary to keep the dispatch of these complaints consistent between the DPAs as they each separately assess the same importing jurisdictions’ laws and types of transfers. Divergence on this point would seriously undermine the unifying aim of the GDPR.

3. Privacy Shield is invalid

The CJEU reached this determination following a review of US surveillance laws (principally Section 702 of Foreign Intelligence Surveillance Act and Executive Order 12333) and the EU-US Privacy Shield decision itself.

The CJEU concluded that such laws do not limit or effectively oversee public authorities’ access to EU personal data; and the Privacy Shield does not grant EU individuals actionable and effective rights before the courts against such public authorities. To the latter point, the CJEU held that the Privacy Shield Ombudsman cannot effectively remedy these deficiencies.

For these reasons, the CJEU held that the Privacy Shield framework is incompatible with the protections afforded and required by EU law.

This means that the Privacy Shield can no longer be used as an export mechanism under Article 45 of the GDPR.

Notwithstanding the implications of the judgment on the SCCs, organizations that have relied on the Privacy Shield should at this point put in place SCCs as an alternative mechanism to cover the export of personal data. There may however be challenges associated with this, as discussed below.

US organizations that certified to Privacy Shield are still subject to Privacy Shield. In a statement, the US Department of Commerce said that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List” and that “today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

4. Has the assessment of laws already been made in respect of the US?

Section 702 Foreign Intelligence Surveillance Amendment Act (FISA) Amendment Act of 2008 authorizes the Attorney General and the Director of National Intelligence to jointly authorize targeting of persons reasonably believed to be located outside the United States, but is limited to targeting non-US persons for the purpose of collecting foreign intelligence information. The National Security Agency has used this authority to establish programs like PRISM and Upstream – the bulk collection of information from the Internet backbone (i.e. major underwater cables and switches). These collections include the personal information of EU data subjects.   

The CJEU explicitly states that section FISA 702, and Executive Order 12333, as limited by Presidential Policy Directive 28, do not meet the minimum safeguards resulting, under EU law, from the principle of proportionality; and concludes that this, in conjunction with the lack of redress afforded to EU individuals, “makes it impossible to conclude…that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter of Fundamental Rights of the European Union.” However, these statements are made in light of the bulk collection of data outside the United States or at its borders, particularly in view of “mass” surveillance programs such as “UPSTREAM” and “PRISM”. The CJEU did not attempt to address all of the protections and limitations on US intelligence gathering inside the US. As such, the CJEU opinion does not necessarily mean that all transfers to the United States violate GDPR.

This suggests that any transfers to the US that are subject to FISA 702(d) will be not be acceptable without any additional safeguard that shields the transfer from these powers. It should be noted that it would not cover any transfers not subject to these rules (for example if personal data were physically sent on a hard drive to the US it would not be subject to PRISM or Upstream). 

5. Are there any other export mechanisms or derogations that can be relied on as an alternative to Privacy Shield and / or the SCCs?

Article 46 of the GDPR sets out additional export mechanisms, which organizations could attempt to utilize in lieu of the SCCs or the Privacy Shield, such as BCRs or approved Codes of Conduct/Certification.

Whilst the CJEU does not directly address these alternative export mechanisms, it logically follows that the requirement to assess the compatibility of foreign legal systems against EU standards would equally apply to these additional mechanisms.

Unlike the SCCs, before BCRs can be relied upon they require approval from a DPA. This might bring a requirement in the future for organizations that rely on BCRs to disclose their assessments as part of the application process – a double-edged sword giving certainty on one side; and possibly preventing transfers on the other if the DPA becomes aware of the transfer and disagrees with a positive assessment or the efficacy of an additional safeguard. The availability of these alternative export mechanisms is also limited in practice. BCRs can take up to two years to approve, and the process is costly, administratively burdensome and often requires significant organizational changes. Further, there are currently no available approved Codes of Conduct/Certification.

Where an export mechanism is not available, an organization may seek to rely on a derogation to exempt it from the requirement to enter into an export mechanism.

These derogations are set out in Article 49 of the GDPR. The Article 29 Working Party’s Guidelines on Article 49 of the GDPR (WP29 Guidelines) make it clear that the derogations should be relied on in limited circumstances only, as an exception rather than the norm.

Most of the derogations will not be relevant for the “usual” day-to-day transfers of personal data. Of the derogations, those likely to be relevant are that the EU individual has provided explicit consent to the transfer (Article 49(1)(a) of the GDPR); or the transfer is necessary for the performance of a contract between the organization and the EU individual (Article 49(1)(b) of the GDPR).

With respect to explicit consent, the WP29 Guidelines state that the consent must be opt-in, specific for the particular transfer(s), and the individual should be informed of the risks resulting from the fact that the transfer will result in their data residing in a country that does not provide adequate safeguards.  The consent must also specify all data recipients/categories of recipients and all non-EU countries [that the data will be exported to]. The high threshold for valid consent and the fact that consent can also be withdrawn at any time make it difficult to rely on as a long-term solution for data export.

With respect to contract necessity, Recital 111 of the GDPR states that this derogation may only be used where the transfer is occasional and necessary. The “necessity” threshold requires an objective link between the contract and the transfer, and will not cover ancillary uses of data. The “occasional” threshold is to be determined on a case-by-case basis and may include one-off activities such as booking a hotel but will not cover regular transfers. This makes it difficult to rely on this derogation to cover day-to-day systematic exports of personal data.

Given the narrow application of the derogations, organizations should not turn to Article 49 of the GDPR too quickly as the availability of a derogation will require a careful and close assessment. 

6. What about the “B” word?!

Once the Brexit transition period ends, the UK will be considered a third country for the purpose of the GDPR and exports of personal data from the EU to the UK will be subject to the export provisions of Chapter V of the GDPR.

The UK is in dialogue with the EU and is hoping that the UK will be granted an adequacy finding pursuant to Article 45 of the GDPR. This will then enable the flow of data from the EU to the UK without relying on an export mechanism.

However, as part of the adequacy finding process, the European Commission is obliged to take into account the national security and surveillance laws of the UK, which must offer guarantees ensuring an adequate level of protection for personal data that are “essentially equivalent” to EU law.  Reaching this standard could be a challenge. Over recent years, privacy campaigners have taken legal action against the UK for its national security and surveillance laws, including one that reached the European Court of Human Rights (Big Brother Watch v United Kingdom), which found that the UK’s previous surveillance regime, the Regulation of Investigatory Powers Act, was incompatible with Articles 8 and 10 of the European Convention on Human Rights.

More recently, on January 15, 2020, a non-binding Opinion was published by the AG following an action brought by Privacy International to the CJEU relating to the conditions under which security and intelligence agencies in the UK can access communications data retained by telecommunications providers. The AG said that UK legislation does not comply with EU law because: “it involves general and indiscriminate retention of personal data that readily provides a detailed account of the life of the persons involved, for a lengthy period of time”.

In addition, the European Parliament published a resolution in February this year in relation to the Brexit negotiations whereby the Parliament directed the European Commission to pay particular attention to the legal framework in the UK in the fields of national security and the processing of personal data by law enforcement authorities; and stated that the UK’s mass surveillance programmes may not be adequate under EU law.

The timing and implications the Schrems II judgment and any negative judgment in the Privacy International case referred to above will likely result in increased scrutiny of the UK’s surveillance laws from the European Commission, and the Commission may be less forthcoming in finding adequacy given the risks of such findings being challenged and potentially invalidated by the CJEU.

Organizations in the UK should note that the CJEU’s judgment is binding on the UK during the Brexit transitional period, and our observations are therefore relevant for UK organizations that continue to transfer personal data outside of the UK and the EU.

Following the transitional period, the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020 will implement existing EU law (including EU case law) into UK law.  However, it will be open to the UK Supreme Court or the UK Government to overrule or diverge from EU law, including the findings of the Schrems II judgment.

Given however the UK’s desire to be deemed adequate for the purpose of EU data transfers, there will be a high price to pay if the UK seeks to deviate too far from the principles established in this CJEU case.

As a post script on adequacy, it should also be noted that a possibility remains that other adequacy decisions are challenged in future (e.g. for Canada). EEA jurisdictions are the most immune from this issue. Although many of them have had their surveillance practices found wanting by the CJEU and the CJEU has never suggested that personal data may not flow within the EEA.