The European Court of Justice (the “Court”) issued today the long-awaited “Schrems II” decision (see Facebook Ireland Ltd. v. Maximillian Schrems).
In its decision, the Court (1) struck down the Privacy Shield program, which authorizes data transfers between the EU and the United States under certain conditions, and (2) preserved standard contractual clauses as a data transfer mechanism, but added requirements for companies relying on those standard clauses to ensure appropriate protection of the personal data of EU citizens and others whose data is subject to the General Data Protection Regulation (GDPR).
For the Privacy Shield component of the decision, the Court again focused on the US government’s access to personal data received in the US from the EU. According to the decision (¶ 168), “the referring court harbours doubts as to whether US law in fact ensures the adequate level of protection required under Article 45 of the GDPR, read in the light of the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter. In particular, that court considers that the law of that third country does not provide for the necessary limitations and safeguards with regard to the interferences authorised by its national legislation and does not ensure effective judicial protection against such interferences.” The Court was particularly concerned with the surveillance program conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA), as it indicated in ¶ 180: “It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.”
The approach for the standard contractual clauses was somewhat different. According to the Court (in ¶ 132), “Since by their inherently contractual nature standard data protection clauses cannot bind the public authorities of third countries. . . it may prove necessary to supplement the guarantees contained in those standard data protection clauses. In that regard, recital 109 of the regulation states that ‘the possibility for the controller … to use standard data-protection clauses adopted by the Commission… should [not] prevent [it]… from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards … that supplement standard [data] protection clauses’.” In addition, in ¶ 133, the Court said: “It follows that the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”
Accordingly, while the standard contractual clauses have until now operated as an “automatic” authorization for data transfers, the Court has now concluded (in ¶ 134) that “It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” In addition, in ¶ 135, the Court states: “Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned.”
Not for the first time, the European courts have fundamentally disrupted these data transfer regimes. For any company that relies on the transfer of personal data from the EU as a component of its business, this will be a time of significant uncertainty. Understanding this landscape will be critical to planning for the short- and long-term future of data transfers. In the short term, it is critical for companies to be thinking about (1) if they participate in the Privacy Shield program, what personal data (and what business operations) rely on this program; and (2) where they rely on standard contractual clauses as a data transfer mechanism. Companies will need to consider short-term options for alternative means of transfer (including consent where appropriate, transfers necessary for the performance of a contract, and other options) and may wish to consider a Binding Corporate Rules program in the longer term. Please let us know if we can be helpful with both this data mapping exercise and with assessing and evaluating your options going forward on these issues. We expect both significant uncertainty in the short term and ongoing pressure to provide appropriate protections for personal data transferred from the European Union.
To learn more about the effect that the Schrems II decision may have on your business, sign up for our webinar on July 20, 2020, where we will further discuss the decision in detail.