What did the CJEU say?
1. SCCs are valid, provided that additional assessments are undertaken
The CJEU held that the SCCs remain a valid export mechanism under Article 46 of the EU General Data Protection Regulation (GDPR).
To date, most organizations have simply assumed that the execution of SCCs alone are sufficient to meet the export requirements of the GDPR. This approach can no longer be taken in light of the judgment.
For the purpose of assessing the adequacy of the level of protection for transfers made pursuant to the SCCs, the CJEU confirmed that organizations must first undertake an “assessment” to ensure that, as required by Article 46(1) of the GDPR, data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies.
This assessment must involve both a consideration of the provisions of the SCCs, and the laws of the country in which the data importer is located, on a “case-by-case” basis.
Factors that are relevant to making this assessment include (but are not limited to) those same factors which the EU Commission considers when evaluating whether an adequacy decision should be made, as set out in Article 45(2) of the GDPR.
Some of the factors set out in Article 45(2) of the GDPR include: the rule of law; respect for human rights; access by public authorities to personal data; the existence of independent supervisory authorities; effective data subject rights; and redress avenues afforded to data subjects.
Many of these factors can be met through the data importer agreeing to the provisions in the SCCs. For example, the data importer can agree to process data subject rights requests to EU standards and gives enforceable third party rights to the data subjects. The problematic area is around factors that cannot be addressed through contracting with the data importer – principally (and this is where all the complaints have focussed) on mandatory laws applicable to the data importer (such as surveillance laws) that trump the contractual terms that the data importer has agreed with the data exporter in the SCCs.
As noted, the focus has been on surveillance laws applicable to the data importer. This judgment suggests that the assessment should at least evaluate and appraise the data importer’s legal system to the extent that it permits access by public authorities to personal data. It should include an assessment of: (i) the circumstances in which access is permitted; (ii) the oversight of the access; and (iii) redress available to data subjects (including EU data subjects). This may not be an easy task as the data importer’s laws in this area may be opaque and require specialist advice to interpret. Further, the standard that must be met is also not particularly clear. It is fair to say there will be considerable scope for differences in opinion between data exporters who want to export and will tend to read the data importer laws restrictively, and privacy activists who want rights to be protected and who will read them expansively.
Following this assessment, parties to the SCCs may also be required to “supplement” the SCCs with additional safeguards to remedy any shortcomings. For example, if the relevant surveillance can only take place in transit under the data importer’s law, then encrypting the personal data in transit might be an appropriate additional safeguard.
The CJEU’s judgment could be read as suggesting that the assessment should be based on the data importer’s legal system in this area alone, without specific regard to the nature and purpose of the personal data transferred. In contrast, the Advocate General’s (AG) Opinion in the case suggested that the assessment requires a consideration of the foreign legal system in the context of the characteristics of the particular transfer, including the nature of the personal data; the purpose of the processing; and how and why public authorities access personal data. The implication of this passage in the AG Opinion may have been that transfers where any harm from surveillance would be low or where the risk of surveillance was low might by justified with no or fewer safeguards. This passage was not repeated in the CJEU judgment and so it remains to be seen if deficiencies in the data importer’s legal system in this area would require the same safeguards to be deployed for all transfers to the data importer’s country using SCCs or whether the level of safeguards could be flexed depending on the risk of harm and surveillance actually happening. Clearly this latter view is more pragmatic.
In this context, many EU businesses are looking to their DPA for guidance as to what is required and how such an assessment should be made. The DPAs in turn should consult through their collective body, the EDPB, and produce guidance that applies across the EU Member States to help avoid divergence. However, it is clear that there are differences in opinion between DPAs as to how to proceed following the ruling and therefore, such guidance may not come until after the European summer holidays are over at the end of August.
2. Parties to the SCCs, and DPAs, need to view their obligations differently
It is clear that parties to the SCCs must now actively ensure compliance with the requirements – whilst this is not new under the SCCs, organizations have not (typically) given much thought to their specific obligations under the SCCs.
This will need to change, given that the CJEU now places an explicit obligation to assess the adequacy of the level of protection for transfers made under the SCCs and “supplement” the SCCs. The CJEU reiterates that data exporters are primarily responsible for this, working in collaboration with data importers. The judgment also stresses the obligation of data importers to satisfy themselves that their legal systems allow for them to comply with their obligations under the SCCs. This will need data exporters to explain what EU law actually requires of importers in clearer terms than the SCCs do today.
Where the data importer is unable to do this, it must inform the data exporter, who must consider suspending or terminating the transfer. The CJEU makes clear that this is an obligation, as opposed to merely a right. If the data exporter does not suspend or terminate the transfer following such notification from the data importer, the data exporter is required to inform the relevant DPA which must then undertake an investigation. DPAs are also required to check how compliance is achieved with “due diligence” where an individual lodges a complaint about transfers of personal data.
This means that DPAs will also need to familiarize themselves with foreign legal systems, in order to investigate such complaints effectively and take appropriate actions to remedy findings of inadequacy, such as suspending or prohibiting the transfer. The guidance discussed in the previous section is going to be necessary to keep the dispatch of these complaints consistent between the DPAs as they each separately assess the same importing jurisdictions’ laws and types of transfers. Divergence on this point would seriously undermine the unifying aim of the GDPR.
3. Privacy Shield is invalid
The CJEU reached this determination following a review of US surveillance laws (principally Section 702 of Foreign Intelligence Surveillance Act and Executive Order 12333) and the EU-US Privacy Shield decision itself.
The CJEU concluded that such laws do not limit or effectively oversee public authorities’ access to EU personal data; and the Privacy Shield does not grant EU individuals actionable and effective rights before the courts against such public authorities. To the latter point, the CJEU held that the Privacy Shield Ombudsman cannot effectively remedy these deficiencies.
For these reasons, the CJEU held that the Privacy Shield framework is incompatible with the protections afforded and required by EU law.
This means that the Privacy Shield can no longer be used as an export mechanism under Article 45 of the GDPR.
Notwithstanding the implications of the judgment on the SCCs, organizations that have relied on the Privacy Shield should at this point put in place SCCs as an alternative mechanism to cover the export of personal data. There may however be challenges associated with this, as discussed below.
US organizations that certified to Privacy Shield are still subject to Privacy Shield. In a statement, the US Department of Commerce said that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List” and that “today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
4. Has the assessment of laws already been made in respect of the US?
Section 702 Foreign Intelligence Surveillance Amendment Act (FISA) Amendment Act of 2008 authorizes the Attorney General and the Director of National Intelligence to jointly authorize targeting of persons reasonably believed to be located outside the United States, but is limited to targeting non-US persons for the purpose of collecting foreign intelligence information. The National Security Agency has used this authority to establish programs like PRISM and Upstream – the bulk collection of information from the Internet backbone (i.e. major underwater cables and switches). These collections include the personal information of EU data subjects.
The CJEU explicitly states that section FISA 702, and Executive Order 12333, as limited by Presidential Policy Directive 28, do not meet the minimum safeguards resulting, under EU law, from the principle of proportionality; and concludes that this, in conjunction with the lack of redress afforded to EU individuals, “makes it impossible to conclude…that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter of Fundamental Rights of the European Union.” However, these statements are made in light of the bulk collection of data outside the United States or at its borders, particularly in view of “mass” surveillance programs such as “UPSTREAM” and “PRISM”. The CJEU did not attempt to address all of the protections and limitations on US intelligence gathering inside the US. As such, the CJEU opinion does not necessarily mean that all transfers to the United States violate GDPR.
This suggests that any transfers to the US that are subject to FISA 702(d) will be not be acceptable without any additional safeguard that shields the transfer from these powers. It should be noted that it would not cover any transfers not subject to these rules (for example if personal data were physically sent on a hard drive to the US it would not be subject to PRISM or Upstream).
5. Are there any other export mechanisms or derogations that can be relied on as an alternative to Privacy Shield and / or the SCCs?
Article 46 of the GDPR sets out additional export mechanisms, which organizations could attempt to utilize in lieu of the SCCs or the Privacy Shield, such as BCRs or approved Codes of Conduct/Certification.
Whilst the CJEU does not directly address these alternative export mechanisms, it logically follows that the requirement to assess the compatibility of foreign legal systems against EU standards would equally apply to these additional mechanisms.
Unlike the SCCs, before BCRs can be relied upon they require approval from a DPA. This might bring a requirement in the future for organizations that rely on BCRs to disclose their assessments as part of the application process – a double-edged sword giving certainty on one side; and possibly preventing transfers on the other if the DPA becomes aware of the transfer and disagrees with a positive assessment or the efficacy of an additional safeguard. The availability of these alternative export mechanisms is also limited in practice. BCRs can take up to two years to approve, and the process is costly, administratively burdensome and often requires significant organizational changes. Further, there are currently no available approved Codes of Conduct/Certification.
Where an export mechanism is not available, an organization may seek to rely on a derogation to exempt it from the requirement to enter into an export mechanism.
These derogations are set out in Article 49 of the GDPR. The Article 29 Working Party’s Guidelines on Article 49 of the GDPR (WP29 Guidelines) make it clear that the derogations should be relied on in limited circumstances only, as an exception rather than the norm.
Most of the derogations will not be relevant for the “usual” day-to-day transfers of personal data. Of the derogations, those likely to be relevant are that the EU individual has provided explicit consent to the transfer (Article 49(1)(a) of the GDPR); or the transfer is necessary for the performance of a contract between the organization and the EU individual (Article 49(1)(b) of the GDPR).
With respect to explicit consent, the WP29 Guidelines state that the consent must be opt-in, specific for the particular transfer(s), and the individual should be informed of the risks resulting from the fact that the transfer will result in their data residing in a country that does not provide adequate safeguards. The consent must also specify all data recipients/categories of recipients and all non-EU countries [that the data will be exported to]. The high threshold for valid consent and the fact that consent can also be withdrawn at any time make it difficult to rely on as a long-term solution for data export.
With respect to contract necessity, Recital 111 of the GDPR states that this derogation may only be used where the transfer is occasional and necessary. The “necessity” threshold requires an objective link between the contract and the transfer, and will not cover ancillary uses of data. The “occasional” threshold is to be determined on a case-by-case basis and may include one-off activities such as booking a hotel but will not cover regular transfers. This makes it difficult to rely on this derogation to cover day-to-day systematic exports of personal data.
Given the narrow application of the derogations, organizations should not turn to Article 49 of the GDPR too quickly as the availability of a derogation will require a careful and close assessment.
6. What about the “B” word?!
Once the Brexit transition period ends, the UK will be considered a third country for the purpose of the GDPR and exports of personal data from the EU to the UK will be subject to the export provisions of Chapter V of the GDPR.
The UK is in dialogue with the EU and is hoping that the UK will be granted an adequacy finding pursuant to Article 45 of the GDPR. This will then enable the flow of data from the EU to the UK without relying on an export mechanism.
However, as part of the adequacy finding process, the European Commission is obliged to take into account the national security and surveillance laws of the UK, which must offer guarantees ensuring an adequate level of protection for personal data that are “essentially equivalent” to EU law. Reaching this standard could be a challenge. Over recent years, privacy campaigners have taken legal action against the UK for its national security and surveillance laws, including one that reached the European Court of Human Rights (Big Brother Watch v United Kingdom), which found that the UK’s previous surveillance regime, the Regulation of Investigatory Powers Act, was incompatible with Articles 8 and 10 of the European Convention on Human Rights.
More recently, on January 15, 2020, a non-binding Opinion was published by the AG following an action brought by Privacy International to the CJEU relating to the conditions under which security and intelligence agencies in the UK can access communications data retained by telecommunications providers. The AG said that UK legislation does not comply with EU law because: “it involves general and indiscriminate retention of personal data that readily provides a detailed account of the life of the persons involved, for a lengthy period of time”.
In addition, the European Parliament published a resolution in February this year in relation to the Brexit negotiations whereby the Parliament directed the European Commission to pay particular attention to the legal framework in the UK in the fields of national security and the processing of personal data by law enforcement authorities; and stated that the UK’s mass surveillance programmes may not be adequate under EU law.
The timing and implications the Schrems II judgment and any negative judgment in the Privacy International case referred to above will likely result in increased scrutiny of the UK’s surveillance laws from the European Commission, and the Commission may be less forthcoming in finding adequacy given the risks of such findings being challenged and potentially invalidated by the CJEU.
Organizations in the UK should note that the CJEU’s judgment is binding on the UK during the Brexit transitional period, and our observations are therefore relevant for UK organizations that continue to transfer personal data outside of the UK and the EU.
Following the transitional period, the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020 will implement existing EU law (including EU case law) into UK law. However, it will be open to the UK Supreme Court or the UK Government to overrule or diverge from EU law, including the findings of the Schrems II judgment.
Given however the UK’s desire to be deemed adequate for the purpose of EU data transfers, there will be a high price to pay if the UK seeks to deviate too far from the principles established in this CJEU case.
As a post script on adequacy, it should also be noted that a possibility remains that other adequacy decisions are challenged in future (e.g. for Canada). EEA jurisdictions are the most immune from this issue. Although many of them have had their surveillance practices found wanting by the CJEU and the CJEU has never suggested that personal data may not flow within the EEA.