A LINK TO THE FULL JUDGMENT CAN BE FOUND HERE.
In a request for a preliminary ruling by the Irish High Court, the CJEU found that the level of protection of personal data provided by US law cannot be considered to be essentially equivalent to that provided by the GDPR, due to the latitude given to US public authorities to engage in disproportionate collection and processing of EU citizens’ personal data, notably in the context of certain surveillance programmes, and because US law does not provide EU citizens with access to adequate redress.
The Court did not challenge the validity of Commission Decision 2010/87/EU on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries. But the ruling highlights the degree to which such clauses cannot be used as a substitute for the Privacy Shield, since they create binding obligations only on the contracting parties, and not on the US Government (or any other third country government), and can therefore do nothing to mitigate the flaws in the Privacy Shield.
The provisions in the judgment relating to SCCs leave companies in a situation of uncertainty as to whether they have any practical means of ensuring that data transfers to the US comply with EU law. The ruling also puts DPAs under significant pressure to make assessments about law and practice in third countries that they will likely struggle to make, and may prompt large numbers of requests for suspensions of transfers that DPAs will need either to accede to or to reject with reasons.
The judgment follows the CJEU’s annulment of the Commission’s Safe Harbour Decision in 2015 in case C-362/14, decided in the context of an earlier request for a preliminary ruling by the Irish High Court. Following the CJEU’s ruling on Safe Harbour, Max Schrems submitted a new complaint to the Irish Data Protection Commissioner challenging the legality of data transfers based on SCCs, on the basis that such clauses could also not ensure adequate protection of EU citizens’ personal data and suffered from the same inherent flaws as the Safe Harbour arrangement. The Irish Data Protection Commissioner was sympathetic to Schrems’s assessment and brought an action before the Irish High Court seeking to have that Court refer a question on the validity of the SCC Decision to the CJEU. In the event, the High Court referred a total of eleven questions to the CJEU. The detailed questions may be read in the English version of the judgment here.
In its decision, the CJEU found that the Privacy Shield Decision is incompatible with the requirements of Article 45(1) of the GDPR, read in light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, and is therefore invalid.
On the other hand, the Court’s examination of the SCC Decision has, in its own words “disclosed nothing to affect the validity of that decision”, as far as it goes. However, data controllers seeking to leverage SCCs going forward will need to make their own assessment of whether those SCCs, potentially with additional provisions inserted, can in and of themselves ensure an adequate level of data protection. If they cannot, then the data transfers must be suspended or stopped.
In addition, the mere fact that personal data transferred for commercial purposes by an economic operator established in an EU Member State to another economic operator established in a third country may incidentally be the object of collection and processing by a public authority for the purposes of public safety, defence, or national security does not mean that such transfers fall outside the scope of the GDPR.
In the absence of a Commission adequacy decision pursuant to Article 45 GDPR, DPAs are required to suspend or prohibit a transfer of data to a third country covered by SCCs if, in their judgment, the SCCs are not, or cannot be, complied with in that third country and the protection of the data required under Articles 45 and 46 GDPR and by the Charter cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
Finally, the annulment of the Privacy Shield Decision does not leave a legal vacuum, since Article 49 GDPR prescribes other conditions under which transfers of personal data to third countries not covered by an adequacy decision may take place (e.g. explicit consent of the data subject or performance of a contract).
This judgment has several far-reaching implications. First and foremost, data transfers to the US based on the current SCCs are now vulnerable to challenges, and DPAs will have to act on requests for suspensions or prohibitions of such transfers going forward if there are complaints against specific companies.
Additional contractual commitments may be added to existing SCCs, but as those of necessity are not capable of having binding effect on the US government, they will likely be incapable of ensuring that data transfers to the US are in compliance with the GDPR. This is because they are powerless to prevent indiscriminate collection and processing of EU citizens’ personal data by the US intelligence agencies or to provide sufficient means of redress if personal data is processed illegally.
The European Data Protection Board (EDPB) has confirmed that it is “looking further into what these supplementary measures could consist of and will provide more guidance” in due course (see the FAQ document issued by the EDPB on 23rd July here).
The explicit consent and contract exceptions under Article 49 may be relevant alternatives to SCCs, although they are intended to apply under exceptional circumstances. The use of explicit consent is conditional on the consent being specific – that is, specific for a particular data transfer or set of transfers – and informed, e.g. users must be made aware of the specific risks resulting from the fact that data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented (see EDPB guidance from 2018 here).
The Court has formulated general guidelines detailing the assessment of the applicability of standard contractual clauses and other transfer grounds under Article 46(2) GDPR. In any case, the controller or processor will have to make an assessment (a transfer impact assessment) of the standard of protection of personal data in the country of destination if they want to base the transfer on these instruments. This assessment will also need to take into account the destination state's powers of oversight and the data access rules applying to its intelligence services or security authorities. It will need to cover not only the existing legal provisions but also the practice of applying them; the reality of how these authorities operate will need to be taken into account. This significantly changes the way the level of adequacy is assessed, which has so far been done in a centralised manner by the Commission. What is more, the entity that decides to transfer the personal data to the third country might be obliged to put in place additional technical and organisational measures to protect the transfer.
Controllers’ assessments are to be supervised by national data protection authorities, which are obliged to suspend or prohibit such data transfers if, in their opinion and in the light of all the circumstances of the transfer, the clauses cannot be properly respected in that third country and the protection of the transferred data is not as required by EU law.
For a simplified overview of the impact of this judgment on the industry, you can read our dedicated FAQs on the EU-US Privacy Shield here.