Yesterday, the European Court of Justice handed down its eagerly anticipated judgment in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18). The decision will come as a surprise to many because despite the fact that the Court has held that the European Commission’s Standard Contractual Clauses (the “SCCs”) are valid, the EU-US Privacy Shield has been invalidated.
What did the Court decide?
In broad terms, the GDPR provides that the transfer of personal data to a third country may only take place if the third country has an adequate level of data protection. Transfer of personal data to countries that do not enjoy an “adequacy decision” from the EU Commission may only take place in accordance with appropriate safeguards, such as SCCs or Binding Corporate Rules (“BCRs”).
The EU Commission’s ‘Safe Harbour’ decision had previously purported to provide an adequate level of protection for some EU personal data being transferred to the US. However, that decision was struck down by the CJEU in 2015 (“the Schrems 1 judgment”).
In the interceding years, the EU Commission adopted the EU-US Privacy Shield which again purported to provide adequate protection. In yesterday’s judgment, the Court considered the validity of SCCs and the EU-US Privacy Shield. The former more or less withstood scrutiny but the EU-US Privacy Shield was invalidated.
What were the Court’s reasons?
On SCCs, the Court emphasised the importance of ensuring that data subjects whose personal data are transferred to a third country pursuant to SCCs must be afforded an equivalent level of protection as that guaranteed to them under GDPR. In this regard, the Court noted that the SCCs contain such mechanisms to make it possible, in practice, to ensure compliance with the level of protection required by EU law and ensure that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.
However, on the EU-US Privacy Shield, the Court had concerns about the limitations on the protection of personal data in US domestic law by virtue of the access that is available to US public authorities. The Court explained that it could not be satisfied that the Privacy Shield provides protections that are “essentially equivalent” to those required by EU law, particularly as collection by US surveillance programmes is not limited to what is strictly necessary.
Why is this judgment a surprise?
Although a lot of commentary has suggested that this decision is surprising, the substance of the decision invalidating the Privacy Shield can hardly be described as such. Given the invalidation of “Safe Harbour” in 2015 and the fact that critics of the Privacy Shield had described it as simply a repackaging of Safe Harbour, it makes sense that the Court would alight upon these concerns.
However, the judgment did come as a surprise to Court watchers because the Advocate General, whose Opinions are followed by the Court in the vast majority of cases, suggested that the Privacy Shield issue did not need to be resolved in the context of this case. Many commentators expected the Court to follow a similar route.
There has been widespread reaction to the decision from many of the major stakeholders involved in transatlantic personal data transfers. Emphasising the importance of the “$7.1 trillion transatlantic economic relationship”, the US Department of Commerce has said it is “deeply disappointed” with the decision and has emphasised that it will remain “in close contact with the European Commission and European Data Protection Board on this matter.”
The ICO has said that “we stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” This is a clear indication that the ICO is not going to swoop in and take immediate action against controllers who are relying on the Privacy Shield.
However, what is not yet clear is how soon those controllers relying on the Privacy Shield may need to change their approach. There is likely to be a grace period for them to move to BCRs, SCCs, or even, as a last refuge, Article 49 derogations where appropriate. But we do not yet know how long such a grace period will be. Those using cloud computing services which involve transfer of data out of the EU may also need to revisit their arrangements.
Controllers rushing into the arms of SCCs should also be cautious in doing so. The Irish Data Protection Commission (one of the parties to the proceedings) has noted that following the invalidation of the Privacy Shield, while the Court upheld the SCCs, “…in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
Looking to the longer term, the robust approach by the CJEU in relation to mass surveillance when assessing adequate levels of data protection in third countries represents a serious setback to any future steps towards an adequacy decision with the US and will mean it is difficult to negotiate a revised framework to replace the Privacy Shield. Looking closer to home, and bearing in mind the UK also has an extensive surveillance regime, the decision is likely to have serious consequences for the UK’s attempts to secure an adequacy decision at the end of the Brexit Transition period.
As always, the Information Law Team at Cornerstone Barristers is ready and able to assist you with any data protection issues arising in light of this case.