... is causing widespread aftershocks for international personal data transfers to the US…and elsewhere!
At the end of last week, the Court of Justice of the European Union (CJEU) handed down its ‘Schrems II’ judgment. It is already causing widespread shudders, not only for those transferring personal data to the US, but also for those allowing personal data to be accessed from other countries outside the European Economic Area (EEA), whether that arises from use within an international corporate group, or because a purely domestic organisation uses service providers (such as cloud service providers for IT or data services) located in non-EEA countries.
For life sciences businesses, the data affected may include data about individual patients and their treatment, clinical trial data, and information about staff, research colleagues and physicians. Organisations have become so used to working digitally that they may not fully appreciate when an international data transfer is taking place, for example where EEA-hosted data is accessed remotely from outside the EEA.
Five years ago, the Austrian privacy campaigner Maximilian Schrems successfully brought about the demise of the EU Commission’s ‘Safe Harbor’ regime. Until then, it was the mechanism used by many organisations to allow transfers of personal data from the European Union (EU) to the US. Now, Schrems has brought about the demise of Safe Harbor’s successor, the European Commission’s ‘Privacy Shield’.
What is particularly significant about the judgment, however, is that the Court’s reasons for striking down Privacy Shield raise concerns about transfers to the US in general. In addition, it puts a spotlight on the due diligence and accountability required when relying on other mechanisms, such as Standard Contractual Clauses, for any transfer of personal data, whether to the US or to other non-EEA countries.
Europe’s pro-privacy stance and the impact on data transfers
The EU takes a strong pro-privacy stance on the protection of individuals’ personal information, and international transfers of personal data out of the EEA are therefore strictly controlled. Transfers are permitted where the destination country ensures an adequate level of data protection, as assessed by the EU Commission in an ‘adequacy decision’. Where the destination country does not benefit from an adequacy decision, a transfer may still be made under one of the tightly specified ‘appropriate safeguards’ set out in the GDPR, such as Standard Contractual Clauses approved by the EU Commission.
The US is not currently considered by the EU to provide sufficient safeguards for the rights of individuals in relation to their personal data: the powers of its national security and intelligence authorities to access and use data go too far to permit a positive adequacy assessment under the rigours of the GDPR. The important flows of data between the EEA and the US have therefore rested on other GDPR transfer mechanisms instead.
After a marathon legal campaign on Schrems’s part, the CJEU has now ruled on the validity of two of these mechanisms, namely Privacy Shield and Standard Contractual Clauses (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Schrems).
The Privacy Shield
The 2016 Privacy Shield was created to replace Safe Harbor once that fell victim to Schrems’ earlier court action. It enabled participating US-based organisations to self-certify and be entered on the Privacy Shield List held by the US Department of Commerce, and then to receive personal data from the EU without any other international transfer mechanism being required from a data protection perspective.
The CJEU has now ruled the Privacy Shield invalid. Why?
The Court considered that Privacy Shield gives primacy to US national security, public interest and law enforcement requirements over the EU rights to respect for private and family life, to the protection of personal data and to effective judicial protection. Consequently, the Court held that self-certified US organisations receiving EU personal data under Privacy Shield could not uphold these EU rights where they conflicted with US law. Furthermore, the Privacy Shield Ombudsperson, set up to provide independent oversight of privacy protection under the scheme, was found to lack the power to require any failings to be corrected. The Court was also not satisfied that the ombudsperson role was independent of the US State Department.
In view of the above, the Court found that the requirements for Privacy Shield to ensure an ‘adequate level of protection’ for GDPR purposes were not fulfilled, and declared the Privacy Shield adequacy decision invalid.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses have been used for many years to legitimise the transfer of personal data outside the EEA. They set out contractual obligations on the parties to treat the transferred data in a manner consistent with EU standards.
Schrems also sought to invalidate the SCCs, but they survived the challenge. Although the SCCs are contractual in nature, and so cannot bind the intelligence and national security authorities of the destination country, the CJEU was satisfied that they are capable of offering adequate protection. This was qualified, however, by the overriding requirement that the level of protection actually achieved be essentially equivalent to that guaranteed within the EU, which must be assessed case by case, taking into account the law and practice of the destination country.
National data protection regulators (supervisory authorities) are obliged to investigate promptly any complaints about international data transfers, and must suspend or prohibit transfers under SCCs where the clauses cannot be complied with in the destination country and the protection of the data cannot be ensured by other means.
Both the data controller (as EEA data exporter) and the non-EEA recipient (whether another controller or a processor) are obliged to verify the level of protection in the destination country prior to any transfer and to keep it under review throughout the duration of the processing. Controllers are obliged to suspend transfers and terminate the contract with non-EEA recipients where adherence to the SCCs is no longer possible.
Consequently, the judgment makes it clear that SCCs cannot simply be used as a ‘rubber stamp’ to legitimise international transfers, whether to the US or elsewhere.
The judgment has given rise to a number of questions for organisations going forward:
- What should they be doing now if they were relying on Privacy Shield?
- Is there a ‘grace period’, or are ICO regulatory fines likely to arise from inaction?
- Are Standard Contractual Clauses the answer going forward?
- What are the implications for other non-EEA transfers and Brexit?
We invite you to join our webinar on Thursday 30 July 2020, where our International & UK Head of IT Law, Jagvinder Singh Kang (CIPP/E, CIPM), will be discussing the above and other aspects further.