The ‘Schrems II’ decision: EU-US data transfers in question

On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.

The decision also casts a long shadow over other personal data transfers from Europe to the U.S., given the CJEU’s statements about the nature of U.S. government access to private sector data. While the decision upholds the validity of standard contractual clauses, it requires companies and regulators to conduct case-by-case analyses to determine whether foreign protections concerning government access to the transferred data meet EU standards.

This will impact companies in the U.S. and well beyond.

The decision reinforces the importance of data protection to global commerce and the critical role that privacy professionals play in implementing protections in line with foreign legal requirements. For privacy professionals today, though, there may be more questions than answers. Here is a quick initial breakdown of what the court said, what it might mean and affect, and how privacy professionals could begin to respond.

Privacy Shield invalidated

The CJEU found that the European Commission’s adequacy determination for Privacy Shield is invalid for two main reasons. First, the court found that U.S. surveillance programs, which the commission assessed in its Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter of Fundamental Rights. Second, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

Here are some specific provisions of note with regard to the above findings.

[quote]Limitations on Surveillance

  1. …Neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD-28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.
  2. In those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter.

Effective Judicial Redress

  1. …[T]he Commission found…that ‘while individuals, including EU data subjects, … have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered’. Thus, as regards E.O. 12333, the Commission emphasised, in recital 115, the lack of any redress mechanism. In accordance with the case-law set out in paragraph 187 above, the existence of such a lacuna in judicial protection in respect of interferences with intelligence programmes based on that presidential decree makes it impossible to conclude, as the Commission did in the Privacy Shield Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.
  2. Furthermore, as regards both the surveillance programmes based on Section 702 of the FISA and those based on E.O. 12333…neither PPD-28 nor E.O. 12333 grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.
  3. An examination of whether the ombudsperson mechanism which is the subject of the Privacy Shield Decision is in fact capable of addressing the Commission’s finding of limitations on the right to judicial protection must…start from the premiss that data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data.

  195. [T]here is…nothing in that decision to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees, which is such as to undermine the Ombudsman’s independence from the executive.

  1. [T]here is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.
  2. Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.

Invalidation

  1. In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.[/quote]

SCCs

The CJEU reaffirmed the validity of SCCs but stated that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it does not, that companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection cannot be ensured.

This is where it gets tricky, particularly in the U.S. context.

The CJEU itself assessed the sufficiency of protections with regard to U.S. government access to data and found them lacking. The question regulators and companies now face is whether the concerns raised by the court are applicable in the context of particular transfers and can be remedied through additional protections — again, not only in the U.S., but also in all countries without an adequacy determination.

Privacy professionals may need to consider whether relevant surveillance programs and authorities apply in particular contexts. If they do, they could then assess whether those authorities include proportional limitations in the given context, as well as whether effective judicial remedies exist. Alternatively, they might consider ways to limit the context itself through additional safeguards. Encryption, for instance, might be a consideration.

Some key provisions to review with regard to SCCs include but are certainly not limited to the following:

[quote]

  1. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.
  2. Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.
  3. In the light of all of the foregoing considerations, …examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision.[/quote]

The court pointed to two provisions in SCCs themselves of which privacy professionals should also take note.

First, the decision points to Clauses 5 and 12 of the SCCs, noting that where the recipient of personal data in a third country cannot provide essentially equivalent protections, it must return or destroy the data received. Second, the decision points to Clause 6 in the annex to the SCCs, which provides data subjects a right to receive compensation for damages where the clauses are breached. The relevant provision is cited below.

[quote]

  1. [I]f the recipient of personal data to a third country has notified the controller, pursuant to Clause 5(b) in the annex to the SCC Decision, that the legislation of the third country concerned does not allow him or her to comply with the standard data protection clauses in that annex, it follows from Clause 12 in that annex that data that has already been transferred to that third country and the copies thereof must be returned or destroyed in their entirety. In any event, under Clause 6 in that annex, breach of those standard clauses will result in a right for the person concerned to receive compensation for the damage suffered.[/quote]

How are government authorities responding?

The U.S. Department of Commerce quickly issued a statement that Secretary Wilbur Ross is “deeply disappointed” in the invalidation, but also that the department has “been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion (trans-Atlantic) economic relationship that is so vital to our respective citizens, companies, and governments.”

European Commission authorities echoed this interest in collaboration during a news conference held shortly after the ruling.

The Irish Data Protection Commission, which will soon be charged with acting on the guidance provided by the court, issued its own statement expressing appreciation for the clarity provided by the decision but also highlighting the questions that remain with regard to transfers of personal data to the U.S., in particular, using SCCs.

[quote][W]hile in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.[/quote]

What should privacy professionals do now?

Privacy professionals must now assess their trans-Atlantic and global data transfers in light of the court’s ruling. This is no small task.

Companies relying on Privacy Shield will need to look for an alternative legal basis to enable transfers under GDPR. In doing so, they should recall that existing commitments to the Privacy Shield remain enforceable by the U.S. Federal Trade Commission. The DOC statement makes this clear.

In terms of new legal bases for transfers, they can consider several options outlined under the EU General Data Protection Regulation. These include SCCs, subject to all of the discussion above, and binding corporate rules, which must be approved on a company-by-company basis by DPAs and, while not addressed in the decision, are presumably subject to similar limitations. Privacy professionals may also look to consent and the other derogations outlined under Article 49 of the GDPR.

In considering such options, privacy teams should take careful note of EDPB guidance on the more limited instances in which their use is appropriate.

Companies relying on SCCs will have to begin the case-by-case assessments of their transfers to determine whether the protections in the U.S. or any country without an adequacy determination meet EU standards in the context of the specific transfer.

What’s next?

The CJEU’s decision offers significant clarity in some areas and raises additional questions in others that will undoubtedly be hashed out by companies, regulators and policymakers in the days and perhaps even years to come. We will continue to share additional guidance and analysis to help privacy professionals grapple with the challenges ahead.

Photo credit: Image provided by the Court of Justice of the European Union.