Today the CJEU has rendered its judgement in the Schrems II case (C-311/18). The judgement determines the Commission Decision 2016/1250, commonly referred to as the EU-U.S. Privacy Shield Decision, to be invalid. The judgement further determines the Standard Contractual Clauses (SCCs), established by the Commission in Decision 2010/87/EU, to be valid.
In 2013 the Austrian Facebook user Max Schrems lodged a complaint with the Irish Data Protection Commissioner (“Irish DPA”) regarding data transferred from Facebook Ireland to Facebook Inc., on the grounds that personal data was stored on servers located in the U.S.
The complaint was rejected on the basis of Decision 2000/520/EC, in which the Commission had established that, under the ‘Safe Harbour’ scheme, the U.S. ensured an adequate level of protection of the transferred personal data. When the case was appealed, the High Court (Ireland) referred the question to the CJEU, which in the Schrems judgement found the ‘Safe Harbour’ scheme to be invalid.
Following the initial Schrems case, Mr. Schrems brought a reformulated complaint to the Irish DPA, contesting the validity of the SCCs and the EU-U.S. Privacy Shield framework.
Facebook Ireland referred to a data transfer processing agreement between it and Facebook Inc. as the legal basis for the data transfer, which relied on Decision 2010/87/EU.
Mr. Schrems claimed, first, that the agreement was not consistent with the SCCs and, second, that even if it was, the SCCs did not ensure sufficient protection of the privacy rights of EU citizens as data subjects, as required by the Charter of Fundamental Rights, the main argument being that the SCCs are not binding on the authorities of the third country.
The High Court requested a preliminary ruling asking the CJEU several questions, including the question regarding the validity of the SCCs.
The CJEU has rendered its decision in the Schrems II case today, in which it finds that the SCCs remain valid. The CJEU has considered the following in support of its decision on the validity of the SCCs:
- Although the SCCs, being contractual by nature, do not bind the authorities of a third country, the CJEU finds that the SCCs themselves remain valid, because they include effective mechanisms to ensure in practice compliance with the level of protection required by EU law, and because a transfer must be suspended or prohibited in the event the SCCs are not honoured.
- The CJEU particularly points to the requirement on the data exporter and the data importer to verify, prior to any transfer, that the required level of protection is respected in the third country, and to the obligation to suspend the transfer and/or terminate the SCCs if the data importer is not able to comply with the SCCs.
In determining whether the level of protection required by EU law is ensured, as a prerequisite for the validity of the SCCs, the CJEU has noted the following considerations:
- Any subsequent processing by an authority of a third country does not remove the transfer of personal data for commercial purposes, from a data exporter within the EU to a data importer in a third country, from the scope of the GDPR.
- Regarding the level of protection, the CJEU interprets the GDPR requirements concerning appropriate safeguards, enforceable rights and effective legal remedies to mean that data subjects whose personal data is transferred to a third country pursuant to SCCs must be afforded a level of protection essentially equivalent to that guaranteed within the EU.
- The CJEU considers that in assessing the level of protection for transfers to third countries, the contractual clauses agreed between the data exporter and the data importer, as well as any access by public authorities in the third country and relevant aspects of the legal system, must be taken into account.
- Essentially, the CJEU reaches the conclusion that where the SCCs, in light of the circumstances of the transfer, are not or cannot be complied with, because the protection of the transferred data required by EU law is not ensured in the third country, the transfer of personal data to that country must be prohibited or suspended.
As for the CJEU’s decision to render Commission Decision 2016/1250 invalid, the CJEU has considered the following in support thereof:
- In light of the requirements arising from the GDPR, read in light of the provisions of the Charter guaranteeing respect for private life and family life, the CJEU notes that the U.S. requires U.S. national security, public interest and law enforcement to have primacy over the fundamental rights of data subjects whose personal data is transferred to the U.S.
- Because the EU-U.S. Privacy Shield condones interference by U.S. authorities, under U.S. domestic law, in the form of access to and use of personal data, the CJEU finds that it fails to ensure a level of protection essentially equivalent to that required under EU law; the principle of proportionality is not satisfied, insofar as the surveillance programmes rooted in U.S. domestic law are not limited to what is strictly necessary.
- The CJEU further points out that, for certain surveillance programmes, U.S. law does not indicate any limitation on the powers to implement such programmes with respect to non-U.S. data subjects, and provides no guarantees in that respect. The CJEU therefore finds that, under the provisions governing those surveillance programmes, data subjects are not granted actionable rights before the courts against U.S. authorities.
The significance of the judgement
To the extent companies are basing current transfers on the EU-U.S. Privacy Shield, the Schrems II decision now entails that such companies must enter into SCCs for the transfer to remain compliant.
Further, the decision emphasizes that companies relying on SCCs for the transfer of personal data outside the EU must assess the specific risks associated with the transfer to a third country, including the risks on the basis of which the CJEU has rendered the EU-U.S. Privacy Shield invalid.