On 16 July 2020, the CJEU finally issued its long-awaited judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (known as “Schrems II”).
This judgment struck down the EU-US Privacy Shield and upheld Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
In this blog post, we’ll discuss the background of the case, where we stand now, and what’s next for international transfers.
To understand the background of this case, we need to look at what was in place before the EU-US Privacy Shield: Safe Harbor. Safe Harbor was a self-regulatory framework that allowed organisations to satisfy the requirements of EU data protection law with regard to transatlantic data transfers. It was accepted by the European Commission on 26 July 2000.
However, the Safe Harbor Framework was fraught with challenges from the get-go. Criticisms included that Safe Harbor participants did not perform annual compliance checks and that the Federal Trade Commission (FTC) did not enforce the framework as rigorously as it enforced other domestic cases.
Then, in 2013, the Edward Snowden disclosures alerted the world to the mass surveillance operations carried out by the NSA under the US law FISA 702 (Section 702 of the Foreign Intelligence Surveillance Act). In light of this, allegations were raised that companies participating in the Safe Harbor scheme may have been involved in US surveillance activities. Despite this, the EU Commission was reluctant to strike down Safe Harbor because of the importance of EU-US data flows for commerce, law enforcement and national security on both sides of the Atlantic.
Maximilian Schrems, then an Austrian law student, lodged a complaint with the Irish Data Protection Commissioner (DPC) requesting the termination of data transfers by Facebook Ireland to the US, based on the wide access to data enjoyed by US intelligence agencies, as highlighted by Snowden’s disclosures. This argument was referred to the Court of Justice of the European Union (CJEU), and on 6 October 2015 the CJEU declared Safe Harbor invalid.
EU-US Privacy Shield
On 29 February 2016, the European Commission released its draft decision on the adequacy of the EU-US Privacy Shield Framework. This framework was significantly more detailed than Safe Harbor, with more specific and exacting measures imposed on organisations that wished to join it, and it was accepted on 12 July 2016.
However, the Privacy Shield Framework was also criticised from the start. Although it included additional checks and balances to protect the privacy of EU individuals, and although US government officials provided assurances regarding the legal limitations on access to personal data by US government agencies, there were concerns that the redress mechanisms for EU individuals could prove too complex, and the framework did not prevent US intelligence agencies from carrying out massive and indiscriminate collection of the personal data of EU individuals.
In 2015, Max Schrems was notified by the DPC that the invalidation of Safe Harbor was irrelevant to his original complaint against Facebook, as Facebook had in fact always relied on Standard Contractual Clauses (SCCs) to transfer data.
SCCs are a standard set of contractual terms and conditions created by the European Commission that are agreed to by the sender (exporter) and receiver (importer) of the personal data. They are another mechanism to transfer data to countries that do not have adequate data protection laws.
The DPC filed a lawsuit against Facebook Ireland and Max Schrems, taking the view that SCCs were not a valid mechanism for Facebook to use to transfer data, as the US has surveillance laws that conflict with the SCCs and with the EU Charter of Fundamental Rights. Facebook argued that if Privacy Shield was valid despite these laws, SCCs must also be valid.
This led to the decision of 16 July 2020, in which the CJEU invalidated the EU-US Privacy Shield on the back of US laws such as FISA 702. Overnight, this meant that any company relying on the EU-US Privacy Shield for international transfers had to either stop those transfers or use an alternative mechanism. The CJEU did uphold SCCs and BCRs, but this does not mean that SCCs can now be adopted by all companies.
Where do SCCs stand now?
SCCs can only be adopted by companies that are not subject to laws that contradict European data protection law and the EU Charter of Fundamental Rights. This means that companies that are subject to US surveillance laws cannot adopt SCCs.
Under FISA 702, US-based “electronic communication service providers” can be compelled to give US intelligence agencies access to non-US persons’ data. The law does not require such a request to be specific to an individual but allows for blanket surveillance programmes.
Electronic communication service providers include companies that provide remote computing services, electronic communication services, telecommunications carriers, and any other communication service provider that has access to wire or electronic communications. This includes companies such as Amazon (including AWS), Apple, Facebook, Google, Microsoft and Dropbox.
What's Next for EU-US Data Transfers?
The latest round of EU-US negotiations has begun, with the aim of creating Privacy Shield 2.0 (or Safe Harbor III, depending on how you look at it). However, the likelihood that yet another Privacy Shield can reconcile the fundamental differences between US surveillance laws and EU human rights laws is slim. As Schrems says, “it’s like basically two trains colliding, and then you add a third train, but that will be smashed, as well.”
The EU is not going to relax human rights laws, and the US is not going to roll back surveillance laws. It is difficult to see a solution to this fundamental opposition, and any new “Privacy Shield” will be closely examined by the CJEU, and it’s likely to be short-lived.
What does this mean for non-US countries?
The US is not the only country that conducts mass surveillance. Under Five Eyes, Australia, Canada, New Zealand, the United Kingdom and the United States conduct mass surveillance and share the resulting information in an effort to fight “the war on terror”. Russia and China have mass surveillance laws used to identify dissidents. India, Iran, Malaysia and Turkey are examples of other countries with mass surveillance laws, and the world is trending toward more, not less, surveillance. This means that, although Schrems II focused on US surveillance, transfers to all non-EU/EEA countries will be a hot topic from now on.
On 31 January 2021, the UK will officially be out of the EU and will be categorised as a third country. While the UK hopes to receive an adequacy decision from the Commission, and the GDPR is already reflected in the UK Data Protection Act (2018), there are still some challenges, such as the fact that the UK will not incorporate the EU Charter of Fundamental Rights into UK law. Articles 7 and 8 of this Charter constitute the fundamental rights to privacy and data protection, which are the basis of the GDPR. Not only this but, as mentioned above, the UK also conducts mass surveillance, which infringes on this right to privacy.
While the discussions remain underway, it is not certain that the UK will receive an adequacy decision, and this should be considered if you or any of the companies that you work with are going to be affected by Brexit.
What Should You Be Doing?
Where we stand, then, is that the EU-US Privacy Shield is no longer valid, while SCCs and BCRs remain valid as long as you only transfer data to companies that are not subject to the US’s FISA 702 or similar third-country surveillance laws.
The following steps should be taken to ensure that your company remains compliant with European data protection law regarding international transfers:
- Create a list of data processors, if you haven’t already. This is a list of any companies that you use to process your data.
- Collect Data Processing Agreements for each processor. Also known as a Data Processing Addendum or DPA, it is a contract between you and your processor that details your respective roles when processing data.
- Review each DPA. While you should review each DPA against the requirements of Art 28 of the GDPR, you should also review what mechanisms processors use to transfer data internationally. These can include EU-US Privacy Shield, SCCs or BCRs.
- If the processor relies solely on EU-US Privacy Shield, you should contact the processor to ask what mechanism they are using now that Privacy Shield has been invalidated.
- If the processor relies on SCCs or BCRs, you must find out whether they are subject to US surveillance laws or other third-country surveillance laws. Max Schrems’ organisation, NOYB (None of Your Business), has created a questionnaire that you can use and adapt for this purpose.
If any processors are subject to surveillance laws and other measures cannot be used to mitigate this, such as data localisation within the EU, transfers to these companies are no longer valid and constitute a violation of the GDPR.
You then have a choice, depending on your risk appetite: you can continue to use these processors and wait for Privacy Shield 2.0, or you can look for an EU company to meet your needs.
If you have any concerns about your company’s compliance in a post-Schrems II world, you are not alone! Apex Privacy is here to help your company in navigating the world of international transfers.