The European Union’s (hereinafter referred to as “EU”) Charter of Fundamental Rights protects the rights of EU citizens by protecting their personal data and permitting its use only for specific purposes, and with their consent.
The General Data Protection Regulation (hereinafter referred to as “GDPR”) reinforces this right by laying down significant safeguards and striking a balance to protect EU citizens’ personal data. It also lays down that data transfers to third countries are contingent on those countries providing an appropriate degree of data security.
Until 2015, the US Department of Commerce and the EU had a Safe Harbour Agreement, which regulated the flow of data between the two jurisdictions. The Agreement was said to meet the level of ‘adequate protection’ required by the GDPR.
However, this agreement was challenged in 2013 by Max Schrems (an Austrian privacy rights activist) in Maximillian Schrems v. Data Protection Commissioner [C-362/14] (hereinafter referred to as “Schrems I”). In the said case, the transfer of personal data by Facebook to its servers in the US was challenged. The case was finally heard by the European Court of Justice (hereinafter referred to as “ECJ”), which held that the Safe Harbour Agreement was insufficient to protect the data of EU citizens and thus declared the Agreement invalid.
Even after Schrems I, Facebook continued to transfer data outside the EU using Standard Contractual Clauses (hereinafter referred to as “SCCs”), authorised by the EU regulator to secure data transfers between EU and non-EU countries.
The European Commission and the US Department of Commerce later opted for an alternative framework, the EU-US Privacy Shield, to replace the Safe Harbour Agreement.
The EU-US Privacy Shield was implemented to ensure compliance with EU legislation; however, it was heavily criticised by privacy advocates and data protection experts. The Shield allowed unchecked access to personal data for national security purposes, without any protection for the data subjects.
Max Schrems further challenged Facebook’s use of SCCs to transfer EU citizens’ data to the US. In 2015, he again claimed that the EU-US Shield was not adequate to protect the interests of EU-based data subjects and that it violated Articles 7, 8 and 47 of the Council of Foreign Relation (hereinafter referred to as “CFR”).
In 2018, the case was referred to the Court of Justice of the European Union (hereinafter referred to as “CJEU”), and a decision was requested on issues relating to the legality of the Privacy Shield and SCCs, and to the level of protection required for personal data transferred to non-EU countries.
SCHREMS II JUDGMENT
The CJEU stated that the legality of the EU-US Privacy Shield would depend on whether the level of protection provided under the laws of the third country is “essentially equivalent” to that provided under EU law. The CJEU examined the US Foreign Intelligence Surveillance Act and the surveillance programmes conducted under it, and concluded that they did not satisfy the “essentially equivalent” requirement.
The surveillance programmes authorised under US law, as described in the Privacy Shield provisions, are neither proportionate nor “mandatory”.
The CJEU stated that the provisions of US law do not meet requirements “essentially equivalent” to those required under EU law. Moreover, the use of and access to EU data by US public authorities are not restricted by the principle of proportionality, and the Ombudsman mechanism does not provide data subjects with any cause of action before a body offering guarantees substantially equivalent to those required under EU law.
This means that the EU-US Privacy Shield is invalid and can no longer be used to export data to third countries under Article 45 of the GDPR. The CJEU ruled that SCCs remain valid for data transfers under Article 46 of the GDPR, but that merely executing SCCs is insufficient: organisations relying on SCCs for data transfers to foreign countries must achieve a standard of data protection similar to that of the GDPR.
The “essentially equivalent” requirement will still have to be fulfilled, and the adequacy of the SCCs will be assessed against the law of the third country on a case-by-case basis.
Article 45(2) of the GDPR lays down some of the relevant factors for such assessments. Additionally, it considers the right of redress available to data subjects in respect of public authorities’ access to personal data. If this is insufficient, additional measures to compensate for it need to be incorporated in the SCCs.
The Supervisory Authorities have to examine and prohibit transfers to third countries where data subjects do not have “essentially equivalent” protection. This applies specifically to a country like the US, because the CJEU has previously held that its data protection laws are insufficient. Thus, data transfer through SCCs can be permitted only if additional remedies can meet the requirements for equivalent protection.
The CJEU also stated that if the recipient of the data transfer cannot provide the necessary protection in a third country, the data must be returned or destroyed. The CJEU further opined that data subjects have the right to seek compensation for damages if the clauses are violated.
IMPLICATIONS OF THE JUDGEMENT
Since the CJEU ruled that the Privacy Shield is invalid, it is no longer a valid mechanism for third-country data transfers. While the Privacy Shield applied only to US companies, the effects of this ruling will also extend to other countries. All companies that use SCCs to transfer data to third countries must ensure that the laws in those countries do not conflict with EU privacy law.
However, there was confusion among companies in understanding the Court’s ruling, and the European Data Protection Board (hereinafter referred to as “EDPB”) then issued a Frequently Asked Questions document. It clarified that the Schrems II ruling applies not only to the Privacy Shield and SCCs but also to additional data transfer mechanisms such as Binding Corporate Rules (hereinafter referred to as “BCRs”).
Article 49 of the GDPR highlights alternative methods of data transfer. The European Data Protection Board later issued guidelines laying down the steps that data exporters must take when transferring data outside the jurisdiction of the EU.
While the guidance and FAQ were meant to provide clarity, organisations transferring data still face ambiguity in determining the legality of a transfer and the proper procedure to follow. This is primarily because the Supervisory Authority is “required to suspend or prohibit such a transfer,” and each member state has a different supervisory authority that may interpret these provisions differently.
In line with the European Data Protection Supervisor’s (“EDPS”) request to avoid any processing operations that involve the transfer of personal data to the US, any such data transfer to the US is likewise unlawful. The EDPS has called for a study to determine which “ongoing contracts, procurement procedures, and other types of cooperation” involve data transfers.
The US Secretary of Commerce and the US Secretary of State expressed their deep disappointment with the ruling and suggested possible adverse effects on the US$7.1 million transatlantic economic relationship. Both highlighted the importance of data flows for economic development as well as for the post-Covid-19 recovery, and pledged to work closely with the EU.
The European Commission Vice-President and Commissioner Didier Reynders committed to joint efforts and suggested modernising the SCCs. Max Schrems and the EDPS urged the US to modify its surveillance laws and comply with the Court’s instructions.
The rationale of this ruling will particularly affect third countries that conduct extensive surveillance for national security purposes. This may become relevant for the United Kingdom, as it will be treated as a third country post-Brexit.
Some commentators suggest that this ruling promotes a world fractured into data spheres of influence. Conversely, the judgment might bolster the European Commission’s objective to ‘promote convergence of data protection standards at international level’, as a way to facilitate data flows and thus trade.
The CJEU has raised the stakes and increased the obligations for organisations involved in data transfers outside the EU. However, uncertainty still attaches to the Regulation after the judgment, and the EDPB guidance is a concern that needs to be rectified.
Following the guidelines and mapping, documenting and being accountable for data transfers is the best way forward for organisations. Most importantly, they should actively engage in ongoing re-assessment of the laws of the third country to which data is to be transferred, to ensure compliance with the adequacy requirement, and change the data transfer mechanism if necessary.
The holdings of the Schrems II judgment are not unexpected: strengthening the standard of protection for data transfers and the role of Data Protection Agreements fits with the Court’s strong affirmation of data protection rights in recent years, while invalidating the use of SCCs would have been an extreme step that the Court was unlikely to take.
As a result, the judgment represents a continuation of the Court’s approach to the regulation of international data transfers rather than a radical departure from it.
– Team AMLEGALS assisted by Mr. Vinay Sachdev (Intern)