Today (16 July 2020) the Court of Justice of the European Union ("CJEU") delivered its long awaited decision on the validity of the European Commission's Standard Contractual Clauses ("SCCs") and the EU-US Privacy Shield ("Privacy Shield").
Summary of the decision
Firstly, the CJEU has decided that SCCs are a valid mechanism for transferring personal data outside of the European Economic Area ("EEA"). Businesses can continue to rely on SCCs for transferring personal data from the EEA to controllers and processors based in countries that are not deemed by the European Commission to offer an adequate level of protection of personal data, provided that the level of protection of the transferred data is adequate. When deciding whether the level of protection is adequate, businesses have to take into account the wording of the SCCs and the legal system of the non-EEA country, in particular with regard to access by public authorities of that country to the transferred data.
Secondly, the CJEU has ruled that the use of the Privacy Shield for transfers of personal data from the EEA to the United States of America ("US") is invalid with immediate effect. Businesses can no longer rely on the Privacy Shield to transfer personal data from the EEA to US-based businesses certified under the Privacy Shield. As a result, businesses that previously relied on the Privacy Shield should find an alternative mechanism that would allow the transfer of personal data to the US, for example the SCCs, binding corporate rules ("BCRs"), or one of the derogations specified in Article 49 of the EU General Data Protection Regulation ("GDPR").
Safeguards for transferring personal data outside of the EEA
The GDPR seeks to ensure that the level of protection of personal data is not undermined when personal data is transferred from the EEA to controllers, processors and other recipients in non-EEA countries. The GDPR prohibits the transfer of personal data from the EEA to non-EEA countries unless the transfer meets specific safeguards detailed in Chapter 5 of the GDPR, such as:
- Adequacy decision: the transfer is to countries recognised by the European Commission [1] as offering an adequate degree of protection for personal data (the level of which is in line with that of the GDPR). The Privacy Shield was one such adequacy decision, adopted by the European Commission in 2016, which used to allow personal data transfers from EEA-based businesses to US businesses in specific sectors if they had self-certified under the Privacy Shield framework;
- BCRs: the transfer is subject to approved BCRs under Article 47 of the GDPR which may be used for transfers of personal data from the EEA to non-EEA entities within the same corporate group;
- SCCs: the transfer is subject to SCCs which act as an enforceable contract between the data exporter and the data importer imposing prescriptive obligations on the parties and offering data subjects direct recourse against the data exporter and data importer in case their personal data is not adequately protected;
- Code of conduct: the transfer is subject to an approved code of conduct under Article 40 of the GDPR together with binding and enforceable commitments of the controller or processor in the non-EEA country to apply the appropriate safeguards, including as regards data subjects' rights;
- Certification: the transfer is subject to an approved certification mechanism under Article 42 of the GDPR together with binding and enforceable commitments of the controller or processor in the non-EEA country to apply the appropriate safeguards, including as regards data subjects' rights; or
- Derogations: the transfer is for one of the specific situations listed in Article 49 of the GDPR and is limited to one-off transfers rather than ongoing data flows.
Of those safeguards contained in the GDPR, the SCCs have proved the most popular means for the transfer of personal data from the EEA. [2] The current SCCs were adopted by the European Commission before the GDPR came into force in May 2018. It has been acknowledged that the SCCs should be updated to ensure legal certainty in light of the GDPR and to take account of the different data transfer scenarios which are not currently captured by the three sets of SCCs currently in existence (for instance, no SCCs exist for processor-to-processor data transfers, nor for transfers from an EEA-based processor to a non-EEA controller). [3]
Validity of the SCCs for transfers of personal data to non-EEA countries
In today's decision, the CJEU considered whether SCCs are a valid means for transferring personal data to non-EEA countries. In particular, the CJEU was asked whether a transfer, which is subject to the SCCs, of personal data to the US ensures an adequate level of protection for data subjects given that the US legislation does not explicitly limit interference, for example by US intelligence authorities, with an individual's right to protection of personal data unless "strictly necessary" (a concept recognised in the EU data protection law).
The CJEU has decided that SCCs can be a valid mechanism for the transfer of personal data from the EEA to non-EEA countries. In this, the CJEU has followed the non-binding opinion of the CJEU's Advocate General from December 2019 who advised the court to uphold the validity of the SCCs.
The court has added that the validity of the SCCs depends on the effective mechanisms that make it possible to: (i) ensure compliance with the level of protection required by EU law and (ii) suspend or terminate the transfer of personal data in the event that it is impossible to honour the SCCs. The CJEU has noted that the SCCs require the data importer to inform the data exporter where a conflict exists between the SCCs and local laws (such as national security laws). The data exporter is subsequently entitled to suspend the transfer of the personal data and/or terminate the SCCs. However, this obligation essentially asks data importers to interpret whether their own legal system conflicts with EU law.
The SCCs are often considered a "tick-box" exercise when entering into contractual documentation with non-EEA based companies that process EEA personal data without much attention being paid to their particular provisions. However, the judgment suggests that data exporters and data importers should carefully consider whether the SCCs might be in conflict with local laws and whether it is possible to continue with the proposed data transfer to a third country in light of the wording of the SCCs and any applicable local laws, especially relating to any access by public authorities (including intelligence agencies) of that third country to the personal data transferred.
The CJEU has also confirmed that national data protection authorities are required to suspend or prohibit transfers of data to a third country pursuant to SCCs if, in the view of the data protection authority, the SCCs are not, or cannot be, complied with in that third country and the protection required by EU law of the data transferred cannot be ensured by other means. However, there is a risk of inconsistent approaches by different national data protection authorities. It will therefore be important for the national data protection authorities and the European Data Protection Board to work together to ensure a consistent approach to the assessment of the legal frameworks of non-EEA countries.
Invalidation of the Privacy Shield
The CJEU has also considered the validity of the Privacy Shield and decided to overturn the adequacy decision because it fails to protect against unnecessary and disproportionate access to EU personal data by US intelligence agencies. This is the second CJEU judgment which invalidates an adequacy decision in relation to the US, following the invalidation of the EU-US Safe Harbour by the CJEU in October 2015.
The Advocate General raised some concerns about the ongoing validity of the Privacy Shield in the non-binding opinion but recommended that the CJEU not rule on its validity in this judgment. However, the court took the opportunity to consider the validity of the adequacy decision and held that the Privacy Shield provisions do not grant data subjects protections equivalent to those required under EU law or actionable rights before the courts against US public authorities (including intelligence agencies).
In particular, the CJEU held that the Privacy Shield Ombudsperson mechanism does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure the judicial independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions binding on the US intelligence services.
As with the Safe Harbour decision in 2015, it is likely that EEA businesses that transfer personal data to the US under the Privacy Shield framework will be given a grace period in which to adjust to today's decision. However, it is currently unclear if, and for how long, any grace period might be applicable. Businesses should keep monitoring announcements from the national data protection authorities on the implications of the decision. For example, the UK's Information Commissioner's Office released a statement confirming that it is considering the impact of the decision and will work "with UK Government and international agencies to ensure that global data flows may continue and that people's personal data is protected".
Key Takeaways and Practical Implications
- Businesses that rely on the Privacy Shield should find an alternative mechanism for transferring personal data to the US as soon as possible. Alternative mechanisms include, for example, the SCCs, BCRs for intra-group transfers, or the derogations specified in Article 49 of the GDPR. While the CJEU has left open the possibility for the European Commission and the US Government to negotiate a new adequacy framework which addresses the CJEU's concerns, it is unlikely that a new framework will be in place in the near future.
- Businesses relying on SCCs for personal data transfers outside the EEA have to consider whether the SCCs are in conflict with local laws. Although the CJEU upheld the validity of SCCs for transfers of personal data to countries outside of the EEA, businesses should consider whether local laws in a particular jurisdiction make the obligations in the SCCs on the data exporters and data importers impossible to enforce. If local laws conflict with the SCCs' binding obligations, businesses might need to suspend the transfer of personal data to that jurisdiction. Similarly, national data protection authorities may suspend or prohibit such transfers. Therefore, it is important for businesses to make their own assessment regarding the compatibility of the SCCs with local laws in the non-EEA country, as well as to keep monitoring announcements from the European Commission and national data protection authorities in relation to international transfers of personal data.
- Businesses should monitor announcements from the European Commission regarding a new set of SCCs. The European Commission has announced that it will shortly introduce a modernised set of SCCs, in collaboration with the European Data Protection Board and EU Member States, with updated GDPR language that takes into account the requirements of the CJEU's decision.
- Businesses preparing for the end of the Brexit transition period should assess what mechanisms to rely on for data flows between the UK and the EEA. In the current absence of the European Commission recognising the UK as offering an adequate level of protection of personal data after the end of the Brexit transition period, the CJEU's decision offers some certainty to businesses that have been planning to rely on SCCs for transfers of personal data from the EEA to the UK once the Brexit transition period ends. For transfers of personal data from the UK to the EEA, the UK Government has said that such transfers will be permitted but that it will keep this "under review".
[1] The list of adequacy decisions by the European Commission is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[2] For example, 88% of respondents in IAPP's 2019 survey stated that they rely on SCCs for personal data transfers outside the EU. https://iapp.org/store/books/a191P000003Qv5xQAC/
[3] European Data Protection Board, "Contribution of the EDPB to the evaluation of the GDPR under Article 97", https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en