On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its highly anticipated judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), ruling that:
As the UK Information Commissioner’s Office (ICO) stated, ‘international data transfers, that are so vital for the global economy, suddenly became open to question’.
The true ramifications of this landmark decision are yet to be seen but Schrems II makes clear that reliance on SCCs without further diligence will not be an acceptable approach.
The decision has an impact on any organisations transferring personal data outside the EU (and not just to the US) in reliance on the SCCs, including transfers using SaaS solutions or other technologies and intra-group transfers.
The EU General Data Protection Regulation restricts transfers of personal data to third countries outside the EU unless the transfer satisfies certain limited conditions, including for onward transfers of personal data from that third country to any other third country. The conditions under which a transfer is permitted include transfer to a country with data protection laws that the EU has deemed to be adequate; or transfers carried out under appropriate safeguards such as binding corporate rules or under the terms of EU-approved standard data protection clauses (namely the SCCs). There are also other specific situations where transfers can occur, for example with an individual’s explicit consent, or where the transfer is necessary to perform a contract with that individual. Prior to this decision, EU-US transfers could also be justified on the basis of the EU-approved EU-US Privacy Shield. However, SCCs are commonly used as the condition justifying transfer of personal data.
As a result of a case brought by Austrian data protection activist Max Schrems against Facebook challenging the use of SCCs as a mechanism to transfer data from the EU, the CJEU was asked by the Irish High Court to consider the validity of the SCCs as well as the EU-US Privacy Shield.
The CJEU confirmed that SCCs may provide adequate protection and ruled that the EU-US Privacy Shield does not.
The CJEU’s decision means that organisations which had been relying on the EU-US Privacy Shield as a valid mechanism to comply with UK/EU data protection requirements when transferring personal data from the UK/EU to the United States can no longer do so. Interestingly, the court did not bring the principles of the EU-US Privacy Shield under scrutiny but rather focused on the level of access that US governmental agencies have to the data during and after transfer.
The US laws in question are identified as firstly section 702 of the US Foreign Intelligence Surveillance Act (FISA), which permits the surveillance of individuals who are not US citizens, located outside the US, in order to obtain foreign intelligence information. ‘702 requests’ compel ‘electronic communication service providers’ in the US to offer up the mails/communications of its foreign customers, without a warrant. Secondly, US Executive Order 12333 (EO12333) allows the National Security Agency (NSA) to access, unencrypted data in transit to the US by accessing transatlantic underwater cables. The rationale behind these requests is that they aid the prevention of terrorism although the law states that they can be used for any non-US person for a ‘significant reason’.
According to the CJEU, the use of personal data in US Government surveillance programmes is not proportionate since it is not limited to what is strictly necessary. If an individual objected to the use of their data in this way, there were insufficient means of redress available against US authorities. The Privacy Shield’s ombudsperson mechanism was not enough to counteract the insufficiencies. For these reasons, the EU-US Privacy Shield is no longer a valid method of international data transfer, effective on the date of the Schrems II judgment.
The decision does not relieve participants of the EU-US Privacy Shield of their obligations under it. An announcement made by the US Department of Commerce clarified that the EU-US Privacy Shield is still enforceable, although those that relied upon it must now find an alternative method to transfer personal data to the US. There is no ‘grace period’ provided by the CJEU. However, looking at similar events in the past such as when Safe Harbour was invalidated, data protection authorities provided for about three months before strictly enforcing the decision, allowing time for parties to make alternative arrangements. If your organisation is transferring personal data based on the EU-US Privacy Shield, alternative arrangements must be made as soon as possible as a grace period is not guaranteed.
Thankfully, Schrems II reinforced the validity of standard contractual clauses (SCCs). However, a new case-by-case requirement to assess the use of SCCs has been introduced on both parties to the transfer, in part to ensure that the recipient of the data is able to comply with SCCs in a practical sense, particularly with regard to their obligations under the laws applicable in their jurisdiction. If there is anything in the domestic law of the recipient which conflicts with the obligations of SCCs and cannot be resolved, then SCCs will be an invalid mechanism to transfer data to that country. As mentioned, this decision has a wider impact than purely in relation to transfers to the US.
If there is a conflict, meaning that the recipient cannot comply with the SCCs in full due to its obligations under domestic laws:
Further guidance on what additional supplementary measures to consider in safeguarding personal data when using the SCCs is expected to be issued by the European Data Protection Board (EDPB). This will be particularly important to ensure that a consistent approach is taken by member states in relation to the use of SCCs to enable transfers to particular third countries.
The EDPB guidance is eagerly anticipated, and the EU Commission has also stated that it is working on updating the SCCs. In the meantime, the following are some key takeaways to consider from the recent judgment:
Questions to consider
This article has been co-written with Ebi Oni, a trainee solicitor in the commercial, IP and IT team.
 Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II)
 Until the end of the transition period (being 31 December 2020 at the time of publication), EU law applies to the UK.
 Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/
 Regulation (EU) 2016/679, Article 44 (General Principles for Transfers)
EU Commission Statement https://www.europarl.europa.eu/doceo/document/E-9-2020-001120-ASW_EN.html