The Court of Justice of the EU (CJEU) has today (16 July 2020) issued a much anticipated judgment in a case about whether and how personal data can be transferred to countries outside of the UK / EU. The case was referred from the High Court in Ireland to the CJEU in relation to complaints lodged with the Data Protection Commissioner in Ireland by Max Schrems, a well-known privacy activist, about his data being transferred to the USA.
The CJEU has confirmed the validity of one of the most popular legal mechanisms permitted under the GDPR to allow personal data to be legally transferred outside of the UK/EU – the European Commission-approved "Standard Contractual Clauses" (also known as "Model Clauses").
However, the more immediately significant development for businesses is that the CJEU has – in part – gone against the Opinion of the Advocate General from 19 December 2019 and invalidated the EU-US Privacy Shield, the mechanism used by businesses across the UK, EU and the U.S. to legitimately transfer personal data to the U.S.
Why did the CJEU invalidate the EU-US Privacy Shield?
Put very simply, the CJEU invalidated the EU-US Privacy Shield because there are insufficient limitations on the access to, and use of, personal data transferred from the EU to the U.S. by U.S. public authorities, especially the intelligence services. The CJEU concluded that the Ombudsman mechanism referred to in the EU-US Privacy Shield doesn't do enough to counter that, because the decisions of the Ombudsman are not binding on the U.S. intelligence services.
Can transfers still be made on the basis of the Standard Contractual Clauses?
Yes, the CJEU has ruled that the Standard Contractual Clauses are still valid, because there are sufficiently sound mechanisms to ensure that transfers based on them can be suspended or prohibited in circumstances where those clauses are breached or impossible to honour.
The mechanisms in the Standard Contractual Clauses consist of:
- Rights for the exporter to suspend or terminate transfers if the importer is unable to honour its obligations under the Standard Contractual Clauses.
- The power granted to national data protection authorities to suspend transfers on a case-by-case basis if they think the Standard Contractual Clauses cannot be complied with.
The CJEU has highlighted that the onus is on businesses and national data protection authorities to scrutinise transfers, and the parties' ability to comply with the Standard Contractual Clauses, on a case-by-case basis.
What do businesses need to do now?
When Safe Harbor was invalidated, the national data protection authorities granted businesses a grace period for getting themselves sorted out. We expect the same will happen this time, but we don't know that for sure yet.
For UK/EU based businesses, the most immediate action is to quickly get a grip on the extent to which they (or their processors) transfer personal data to the U.S. on the basis of the EU-US Privacy Shield, and look at what alternative arrangements can be put in place instead.
In the short term, businesses will likely turn to the Standard Contractual Clauses, though as ever they will need to assess whether the Standard Contractual Clauses are appropriate in each case. Businesses may also turn to:
- Binding Corporate Rules, for intra-group transfers.
- Consent, though valid consent is going to be practically very difficult to obtain.
- Certification mechanisms, which have yet to get much traction (and are not available in the UK), but that is likely to change.
- Ad hoc decisions adopted by national data protection authorities authorising data transfers based on tailored versions of the Standard Contractual Clauses.
Alternatively, they may explore whether there are solutions available which avoid transfers of personal data to the U.S. at all. Already, we have seen a move in that direction, though those options often come at a cost.
What do businesses need to do in the medium to long term?
The CJEU's decision is a stark reminder to business that it is not enough to simply put Standard Contractual Clauses in place without carrying out a detailed assessment of the circumstances surrounding each transfer of personal data outside the UK/EEA. Businesses exporting personal data need to get much better at identifying what transfers they make, and properly scrutinising the basis on which they are made, the types and volume of personal data being transferred, the nature of the processing activities and whether they can still provide adequate protection of individuals' privacy rights. Those assessments need to be built into procurement processes, data protection questionnaires and data privacy impact assessments.
Going forward, businesses also need to make sure that, should they or a data protection authority suspend or terminate a particular transfer, they have provisions in their contracts which would allow them to modify the contract or exit it, together with comprehensive exit plans in place to minimise the impact on the business.
It can't all be left to businesses, though. The European Data Protection Board, the UK's ICO, and other national data protection authorities will need to support businesses in carrying out these assessments.
What are the risks of not complying?
The primary risk for many organisations will be the possible disruption to business if their personal data transfers are not handled compliantly. There is also the risk of regulatory sanctions. As is now well-known, fines for breaching data protection legislation can run up to Euro 20 million in some cases, and there are also the potential costs and disruption of investigations by the regulators, and the imposition of other non-financial sanctions.
As Mr Schrems has ably demonstrated, there is the possibility of action from pro-privacy campaigners and organisations, and there is also the risk of actions against companies, or complaints to the regulators, by individual data subjects.
How does this affect the UK post-Brexit?
The implications of this decision on transfers of personal data from the EU to the UK post-Brexit are wide-ranging, and we will cover them in more detail in a separate note.
Suffice it to say, for now, that the CJEU's decision to invalidate the EU-US Privacy Shield is a reminder that it is far from safe to assume that the UK will quickly benefit from an adequacy decision post-Brexit. The CJEU took issue with the lack of limitations in U.S. law on the access and use by U.S. public authorities of data transferred from the EEA to the U.S., and the UK will face similar questions about its practices.
The CJEU's decision to invalidate the EU-US Privacy Shield is surprising to say the least and will have a huge impact not just on US tech giants, but on businesses across the UK, EU and the US.
There is a sense of history repeating itself. Five years ago, the CJEU invalidated Safe Harbor, and now it has scuppered the successor regime, the EU-US Privacy Shield. Many businesses currently relying on that mechanism to legitimise transfers of personal data to the US will now move quickly to the Standard Contractual Clauses or other mechanisms instead.
When Safe Harbor was invalidated, businesses were given a grace period to look at their transfers of personal data to the U.S., and put other arrangements in place – let's hope they're afforded the same this time around.