The Court of Justice of the European Union (CJEU) issued a significant judgment on 16 July 2020 (C‑311/18, Schrems II) ruling, inter alia, that the EU-US Privacy Shield framework is invalid. This is a very important decision for the application of the EU General Data Protection Regulation (GDPR), with direct implications for the data transfer practices of organizations that send personal data to the US.
The case arose out of a dispute between Maximillian Schrems and Facebook Ireland Ltd.
EU residents are required, upon registration, to enter into a contract with Facebook Ireland, a subsidiary of Facebook Inc. Some or all of the personal data of Facebook Ireland's users who reside in the EU is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing.
On 25 June 2013, Mr. Schrems, an Austrian national and resident, filed a complaint with the Irish Data Protection Commissioner (the Commissioner) requesting that Facebook Ireland be prohibited from transferring his personal data to the US. Schrems claimed that the law and practice in force in the US did not ensure adequate protection of personal data against surveillance by public authorities. The complaint was rejected, inter alia, on the ground that the Commission had found in Decision 2000/520, also known as the US Safe Harbour Decision, that the US provided an adequate level of protection.
Schrems brought judicial review proceedings against the rejection of his complaint in the High Court of Ireland, which requested a preliminary ruling; on the basis of that reference, the CJEU declared the US Safe Harbour Decision invalid (C‑362/14, Schrems, judgment of 6 October 2015). The High Court then annulled the rejection of Schrems's complaint and referred the matter back to the Commissioner.
During the Commissioner's investigation, Facebook Ireland explained that a large percentage of personal data was transferred to Facebook Inc. pursuant to the standard data protection clauses set out in the annex to Commission Decision 2010/87/EU (the SCC Decision). On that basis, the Commissioner asked Schrems to reformulate his complaint. In his reformulated complaint, lodged on 1 December 2015, Schrems claimed that US law requires Facebook Inc. to make the personal data transferred to it available to certain US authorities. Since that data was used in the context of various monitoring programmes in a manner incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the Charter), the SCC Decision could not justify the transfer of that data to the US. Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.
On 24 May 2016, the Commissioner published a draft decision summarising the investigation findings. According to the Commissioner, the personal data of EU citizens transferred to the US were likely to be consulted and processed by the US authorities in a manner incompatible with the Charter, and US law did not provide those citizens with legal remedies compatible with the Charter. The Commissioner found that the standard data protection clauses in the annex to the SCC Decision are not capable of remedying that defect, since they confer only contractual rights, which are not binding on US authorities.
On 31 May 2016, the Commissioner brought an action before the High Court seeking a reference of the question to the CJEU. By order of 4 May 2018, the High Court made a reference for a preliminary ruling to the CJEU.
First, the CJEU found that GDPR applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
Second, the CJEU noted that appropriate safeguards, enforceable rights and effective legal remedies required by GDPR must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. The assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the relevant third country and, with regard to any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of GDPR.
Third, the CJEU held that, absent a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country made under standard data protection clauses adopted by the Commission where, in the view of that authority and in the light of all the circumstances of the transfer, those clauses are not or cannot be complied with in that third country and the protection of the transferred data required by EU law cannot be ensured by other means, and the controller or processor has not itself suspended or ended the transfer.
The CJEU also held that nothing had been disclosed that would affect the validity of Commission Decision 2010/87/EU (the SCC Decision) on standard contractual clauses for the transfer of personal data to processors established in third countries.
Lastly and most remarkably, the CJEU found that the Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Naturally, this decision has significant implications: companies must re-assess their data transfers from EU Member States to US entities, and companies that have been relying on the EU-US Privacy Shield must now find another legal basis for those transfers in order to remain in compliance with the GDPR. It should be kept in mind, however, that the commitments already made under the Privacy Shield remain enforceable by the U.S. Federal Trade Commission.
The GDPR provides the following alternative legal bases for such transfers:
1. Standard contractual clauses (SCCs);
2. Binding corporate rules (BCRs), which must be approved by a data protection authority on a company-by-company basis and may be subject to certain limitations; and
3. Consent and the other derogations for specific situations provided under Article 49 of the GDPR.
When relying on SCCs, companies must assess each transfer on a case-by-case basis to determine whether the protection afforded in the United States meets EU standards for that specific transfer. The same applies to transfers to any country without an adequacy decision. If EU standards are not met for a given transfer, supplementary safeguards must be put in place or the transfer must be suspended.
Because the CJEU found the protections against U.S. government access to data insufficient, the obvious questions are whether SCCs can still serve as a legal basis for transfers to the US and which supplementary safeguards would be suitable. Effective judicial remedies, limits on surveillance programmes, context-specific and proportionate restrictions, and technical measures selected case by case, such as encryption, may form the basis of acceptable solutions.