The CJEU Declares the EU-US Privacy Shield Invalid and SCCs Valid

Taking pundits by surprise, the CJEU declared the Privacy Shield invalid but validated SCCs, albeit with a number of conditions attached.  Here, we provide you with the background leading up to the judgements, a high-level summary of the judgements themselves and highlight the potential implications and next steps for UK organisations.

What was the Background to these Judgements?

The case that triggered the CJEU judgements is often referred to as ‘Schrems II’.  In summary, Maximillian Schrems, an Austrian privacy activist, brought a complaint against the Irish Data Protection Commission (DPC), Ireland’s data protection authority, arguing that the US does not provide sufficient security and redress mechanisms to protect transferred privacy data of people in the EU.  In Schrems’ case, the privacy data related to his personal Facebook data, which he claimed Facebook Ireland transfers and processes wholly or partially on servers of Facebook Inc., based in the US.  These transfers between Facebook Ireland and Facebook Inc. took place using the then-applicable SCCs (these have since been replaced, in June 2021 by the EU, with more ‘Schrems-compliant’ SCCs).  Schrems claimed that the former SCCs did not provide an ‘adequate’ level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law, i.e., the intrusive nature of US surveillance activities.  Following the complaint, the Irish DPC brought proceedings against Facebook in the Irish High Court, which referred a number of questions to the CJEU for a preliminary ruling.  The preliminary questions primarily focussed on the validity of the SCCs, but also related to the EU-U.S. Privacy Shield framework.

What was the Judgement on SCCs?

The CJEU’s judgment on SCCs was that they provide sufficient protection for EU personal data to be transferred to third countries (including the US).  The Court, however, noted that any EU organisation relying on them is obliged, prior to any transfer, to adopt a proactive role to ensure there is an ‘adequate’ level of protection for personal data in the respective third country.  The CJEU also added that organisations may implement additional (unspecified*) safeguards, over and above those contained in the SCCs, to ensure the adequacy of protection.  In addition, the responsibilities don’t just end with the data exporter.  Under the CJEU judgement, there are also obligations on the third country organisations importing data that they must inform EU data exporters of any inability to comply with the SCCs.  When a data importer is unable to comply with the SCCs, and there are no additional safeguards in place to guarantee the necessary level of protection, there is a requirement on the EU data exporter to suspend the transfer of data and/or terminate the contract.

The Court also took the opportunity to clarify that EU data protection authorities (DPAs) have a duty to take action.  The Court highlighted that a DPA is “required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.  This includes assessing and, if necessary, suspending and prohibiting transfers of personal data to a third country where they believe that the SCCs are not being, or cannot be, complied with and where they assess them as being unsafe according to EU data protection requirements.

* The European Data Protection Board (EDPB) issued Recommendations in June 2021 containing a long list (at Annex 2) of what these additional safeguards or measures could consist of.

‍

What was the Judgement on the Privacy Shield?

In declaring the Privacy Shield invalid, the CJEU concluded that the Privacy Shield did not provide adequate protection of personal data in the US that is ‘essentially equivalent’ to that under the GPPR and EU law.  The key reason behind this decision was the intrusive nature of the surveillance programmes undertaken by the US government and intelligence agencies allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333 (which sanctions bulk collection of personal data not limited to information that is ‘strictly necessary’ and is, therefore, viewed as disproportionate under the GDPR).

The CJEU also highlighted the lack of redress EU citizens have in the US under the Privacy Shield.  This lack of redress had been flagged up previously by many privacy lawyers and the European Commission had set up the office of The Privacy Shield Ombudsman in response to these.  However, its decisions were not binding on US intelligence services and its impartiality was widely questioned.

What are the Implications and Next Steps for UK Organisations?

Review data flow

If your organisation, or your third-party suppliers, currently transfer (or enable routine access to) personal data processed in the EU to the US under the Privacy Shield, then a data flow review should be carried out.  This will help identify the scope of the data being transferred to the US, particularly that which falls under Section 702.  It is worth noting that the UK’s Information Commissioner’s Office (ICO) indicated that “If you are currently using Privacy Shield, please continue to do so until new guidance becomes available”, at the same time as saying “Please do not start to use Privacy Shield during this period.”

Review existing SCCs

The CJEU judgement had implications for all EU personal data transfers to jurisdictions not currently covered by an adequacy decision.  If your organisation relies on the June 2021 SCCs (or intends to start relying on them) in order to transfer EU people’s data to third countries (including the US), it is essential that you review these and ensure they are enforceable in that third country.  You also need to work out how to resolve any conflicts that may arise where the destination of data has laws that are incompatible with the GDPR.  It may also pay to keep a ‘watching brief’ on any further protection measures which the EDPB may impose around the use of the SCCs.

The effect of Brexit

Because the Schrems II ruling was delivered in July 2020 i.e., during the Brexit transition period, it is part of the ‘acquis’ or common law of the EU, which is still binding in the UK.  However, as Brexit happened only a few months later on 1 January 2021, the UK regulator, the ICO, issued its own Schrems-compatible SCCs (called the International Data Transfer Agreement or ‘IDTA’) in March of 2022, which British businesses must use instead of the June 2021 EU ones.  However, there is bit of a catch with the ICO IDTA – it is only good for transfers of data out of the UK which is subject to the Brexit-amended version of the GDPR, the ‘UK GDPR’ (which basically covers the processing of UK people’s personal data).  If the UK exporting organisation is going to include in its transfer out of the UK to a non-adequate third country data for which the unamended ‘EU GDPR’ is also engaged (so UK and EU people’s data), then that transfer has to be done using the June 2021 EU SCCs as adjusted by an additional ICO document called an ‘Addendum’, which basically changes the language of the EU SCCs to bring it into line with UK data protection terminology.

Consider other options for transferring personal data to the US?

The CJEU identified certain derogations under the GDPR that provide options to allow personal data transfers to the US.  For instance, any situation where the data subject has allowed their data to flow abroad remains legal under GDPR, as this can be based on the informed and freely given consent of the data subject.  However, even in such a case, extra safeguards and controls need to be in place.

Also, if a data transfer is ‘necessary’ to fulfil a contract, it can still occur under the GDPR.  Expert advice needs to be sought in this respect, because transfers under this option are likely to be interpreted narrowly.

‍