The Court of Justice of the European Union (ECJ) has finally issued its decision on the validity of standard contractual clauses (SCCs) in the Irish Data Protection Commissioner’s referral to the ECJ for an opinion on the validity of data transfer mechanisms (known as “Schrems II” – Case C-311/18). The case determined that the EU-US Privacy Shield framework (the EU Privacy Shield) is invalid, because of US surveillance laws and the lack of adequate redress for individuals in Europe and the United Kingdom whose personal data is transferred to the United States.
The case also determined that SCCs for transfers to data processors in “third countries” remain valid, with certain requirements to assess that they can provide adequate protection for individuals’ privacy rights on a case-by-case basis. Such transfers are otherwise restricted unless a derogation, such as consent, applies. The decision does not affect the Swiss-US Privacy Shield framework (the Swiss Privacy Shield) but we expect that the Swiss Federal Data Protection and Information Commissioner will follow the ECJ’s approach and also deem that the Swiss Privacy Shield is invalid.
This is an important case, given that the SCCs (both for data transfers to controllers and to processors located outside Europe) are widely used by hundreds of thousands of organisations. Additionally, over 5,000 US organisations have certified their adherence to the Privacy Shield framework.
The main plaintiff in the case, the well-known privacy activist Max Schrems who launched the case that invalidated the former EU-US Safe Harbor framework, had argued that European data exporters should not be allowed to transfer users’ data to the United States, because that information could be turned over to US government agencies, including intelligence agencies, in certain cases without due process for the EU data subjects. In particular, he asked the Data Protection Commissioner of Ireland to suspend the transfer of his personal data to the United States because he claimed that his personal data would not be protected to an adequate standard.
The Opinion of the Advocate General (AG) of the ECJ in Case C‑311/18 on the use of the EU’s SCCs to legalise data transfers from organisations in Europe to organisations in countries like the US gave them a green light to proceed, but the AG Opinion is not binding on the ECJ, although often followed.
The ECJ noted a number of significant concerns regarding the protection of personal data in the United States, many of which have been repeated in the annual reviews of the Privacy Shield, because US authorities have stringent powers of ordering the collection of personal data from US organisations and have wide-ranging powers of surveillance under its Foreign Intelligence and Surveillance Act (FISA) and Executive Order 12333. These serve to undermine the protection of privacy rights for individuals whose personal data is transferred to the United States pursuant to the Privacy Shield. The ECJ also stated that it did not consider that there were adequate redress mechanisms for individuals if US organisations, despite this concern being reviewed and allayed during the annual Privacy Shield reviews.
Given that it is an election year in the United States and given the current administration’s inclinations, it seems unlikely that creating a replacement for Privacy Shield will be a priority. It took over a year to develop Privacy Shield after the invalidation of the Safe Harbor framework. The United States is also unlikely to abandon the surveillance powers granted by FISA and Executive Order 12333. So there may never be a viable replacement for the EU Privacy Shield. US Commerce Secretary Wilbur Ross has stated that the “Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
SCCs for transfers to data processors remain valid and, in fact, their validity is somewhat strengthened from this decision as the current SCCs are still based on the old European Data Protection Directive that was superseded by the General Data Protection Regulation 2016/679 (GDPR). We are still awaiting the new versions, under the GDPR, but they have not yet been published. The European Commission has promised to expedite this process.
The caveat to the SCCs remaining valid is that data exporters do need to assess, on a case-by-case basis, that the data importer will be able to adhere to the contractual obligations and that the transfers will provide adequate protections for the privacy rights of individuals whose personal data is transferred pursuant to the SCCs. As the AG opinion noted, supervisory authority can decide to suspend the data transfers if there are concerns that the data importer may not be able to comply and a referral to the European Data Protection Board will be needed in this event for its determination of adequacy.
As the AG had stated in its December 2019 opinion, if one data protection authority (DPA) suspends the data flow to the United States or any other country without an adequacy determination it would create havoc. Data exporter organisations that use the SCCs will have to, on a case-by-case basis, analyse if the data importer can actually comply with the contractual obligations in the SCCs. This approach will be different to the often-used “sign and file” approach taken to date. This underlines the importance of the data transfers to third countries being “adequate” under the GDPR.
The ECJ said that “in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” A review of all of the circumstances of the data transfer is needed and it may be that additional safeguards to those in the SCCs are required.
The ECJ emphasised that this was an obligation of the relevant European organisation: “It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
Organisations should suspend data transfers if they have concerns and they can also raise concerns with their applicable supervisory authority who may refer concerns to the European Data Protection Board for a determination.
The ECJ said that the “supervisory authority is required, under Article 58(2)(f) and (j) of that regulation, to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.”
This power is pursuant to the GDPR and does not arise by reason of this decision. The decision does not, therefore, expand the supervisory authorities powers. It does, though, make clear that the burden on establishing that the transfers are lawful falls on the data exporter.
The data importer has obligations under the SCCs to notify the data exporter if it can no longer protect the personal data: “a recipient of personal data established in a third country undertakes, pursuant to Clause 5(a) [of the SCCs], to inform the controller established in the European Union promptly of any inability to comply with its obligations under the contract concluded. In particular, according to Clause 5(b) [of the SCCs], the recipient certifies that it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the contract entered into and undertakes to notify the data controller about any change in the national legislation applicable to it which is likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses in the annex to the SCC Decision, promptly upon notice thereof..” There are also notice obligations to data subjects themselves in the SCCs.
Privacy Shield Certified Organisations
For the more than 5,000 organisations who are certified under the EU Privacy Shield, an alternative means of transferring personal data needs to be found, whether it is the SCCs or relying on one of the permitted derogations under the GDPR. This is likely to be difficult, in the short-term, and we await hearing whether a grace period will be issued to remedy noncompliance, as was the case when the old Safe Harbor framework was invalidated.
Organisations that rely on EU Privacy Shield certified companies should ask these organisations for assurances that data transfers will be protected by the SCCs or another appropriate method.
Organisations Using SCCs
An audit of the use of SCCs should be undertaken, whether as a data importer or as a data exporter.
Data exporters will need to assess if the SCCs adequately protect personal data and refer areas of concern to their supervisory authorities. The decision that the SCCs are adequate should be documented. These concerns may well take some time to resolve, as we expect supervisory authorities will be inundated with such requests.
Data importers will need to prepare themselves for audits by the data exporters, and should start to obtain compliance information from their sub-processors and other subcontractors who receive personal data under onward data transfer mechanisms. If data importers consider that they are unable to protect adequately personal data, such concerns should be promptly raised with data exporters and, as necessary, data subjects should be informed.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 Third countries are countries outside Europe, such as the United States, that have not received a determination of having adequate data protection laws to the European standard.