On 16th July, the Court of Justice of the EU delivered a ruling in the case known as Schrems II by which it invalidated EU-US Privacy Shield and confirmed the validity of Standard Contractual Clauses, with caveats.
After the CJEU’s Advocate General Henrik Saugmandsgaardøe published his opinion in the so-called ‘Schrems II’ in January, now the CJEU has delivered their judgement, pursuant which Privacy Shield is declared invalid and SCC remain valid but can only be used under strict conditions.
What did the Court say?
Two important outcomes derive from the judgement issued by the CJEU:
1.The EU-US Privacy Shield is no longer a valid mechanism for international data transfers from the EU to the US.
It is important to note that it was invalidated with immediate effect. The main reason are US surveillance programmes. According to the CJEU, US surveillance programs are not limited to what is strictly necessary and proportional as required by EU law, plus there are no effective legal remedies in the US to ensure compliance with provisions of EU law when EU data subjects’ data is used for national surveillance programs.
2.SCC but with some important caveats.
It is no longer sufficient for a data exporter and data importer to just sign the agreement, the exporting party must do a factual assessment of whether the contract can actually be complied with in practice. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC. Where this is not the case, as it happens in the US, supplementary measures and additional safeguards should be implemented in order to attain the required level of protection; otherwise the transfer should be ceased.
National Data Protection Authorities may suspend or prohibit transfers to third country if appropriate safeguards cannot be ensured. Based on the CJEU findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US. National Data Protection Authorities responses to this decision are yet to be seen.
What does the EDPS say?
On 17th July and following the CJEU ruling, the EDPS, which together with the EDPB had previously expressed their criticisms of the Privacy Shield, released their statement where they welcomed the Court reaffirmation of the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. However, they trust that “the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court”.
What does the UK Government say?
The UK government intervened in the case, arguing in support of the validity of standard contractual clauses. In their response, they point out their commitment to ensuring “high data protection standards and supporting UK organisations on international data transfer issues”. They have announced that they are working alongside the ICO and international counterparts with the purpose of addressing the impacts of the judgment and ensuring that updated guidance on international data transfers will be provided soon.
EU Data Protection Authorities like Irish Data Protection Commissioner and three in Germany (Federal DPA, DPA of Hamburg and DPA of Rheinland-Pfalz) have also issued their statements. Other European DPAs are expected to do it soon.
What should I do now when transferring data from the EU to the US?
Where relying on the Privacy Shield:
- Do not enter into any new agreement governed by the Privacy Shield.
- Review all your current contracts, especially legacy ones, with your providers, clients or third-party processors and identify those that rely on the Privacy Shield. They should be amended to add SCC or any other valid safeguard covered by the GDPR for international data transfers.
Where relying on SCC:
Although the ICO and other national Data Protection Authorities are expected to produce detailed guidance soon, according to CJEU, when transferring personal data to third countries relying on SCC you should:
- Make sure that security and technical measures which provide an adequate level of protection of personal data are actually implemented. You may need to review or at least ask for further information about the data importer’s technical and security measures plus consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
- Reinforce your accountability processes. Do not simply sign an appendix to your contracts including SCC, rather but have a closer look at the actual security measures and other mechanisms used by the importer, plus the actual situation in the importing country, especially regarding surveillance.
What can we expect in the near future?
It is expected that guidance will be issued from the European Commission as well as the European Data Protection Board. Apart from that, the EU may decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under US surveillance laws. Likewise the US came up with the Privacy Shield ten months after the Safe Harbor was declared invalid, so one could now hope for them to put in place a new mechanism which to address the CJEU’s concerns. On another note, SCC may be updated for GDPR soon.