“Schrems II”: A Second Wave of Impacts Across the EU-U.S. Privacy Landscape
August 6, 2020
In a landmark decision affecting international data transfers from the European Union (the “EU”) to the United States, the Court of Justice of the European Union (in essence, the European Union’s Supreme Court) (the “CJEU”) in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (the “Schrems II” case): 1) upheld the validity of standard contractual clauses (“SCCs”) for the transfer of personal data to recipients established in third countries; but 2) invalidated the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework (the “Privacy Shield”).
Broadly, the Charter of Fundamental Rights of the European Union (the “Charter”) lays out the fundamental rights bestowed upon EU citizens. Articles of the Charter specific to the arguments made in the Schrems II case include Article 7 (“Respect for private and family life”), Article 8 (“Protection of Personal data”), and Article 47 (“Right to an effective remedy and to a fair trial”).
The General Data Protection Regulation (the “GDPR”) is a privacy and data protection law that the EU first implemented in May of 2018. According to the GDPR, an adequate level of data protection must be provided for the transfer of personal data from the EU to third countries, including the United States. This requires “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the [GDPR], read in light of the Charter.”1 “Adequacy” decisions by the European Commission (the “Commission”) ensure compliance with EU law and are implemented pursuant to several mechanisms, including: 1) the strength of a third country’s domestic privacy laws or international commitments to privacy; or 2) a company’s agreement to appropriate privacy safeguards, such as binding corporate rules or standard contractual clauses. The mechanisms of lawful data transfer at issue in the Schrems II case were standard contractual clauses and the now-invalidated EU-U.S. Privacy Shield. SCCs are provisions in a contract through which a company agrees to comply with EU privacy law and defer to the supervision of an EU supervisory authority.2 The Privacy Shield is an adequacy agreement created in 2016 between the U.S. Department of Commerce and the European Commission “to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union . . . to the United States in support of transatlantic commerce.”3 Before the Schrems II case, both of these mechanisms had been determined by the Commission to provide an adequate level of protection for data transfers under EU law.
Background of Case
The Schrems II case arose from Case C-362/14 Maximillian Schrems v Data Protection Commissioner, wherein Mr. Schrems filed a complaint with the Data Protection Commissioner (Ireland) (the “Commissioner”) requesting that Facebook Ireland, a subsidiary of Facebook Inc., be prohibited from transferring his personal data to servers belonging to Facebook Inc. which are located in the United States. Mr. Schrems filed his complaint on the basis that the U.S. did not ensure the adequate protection of his personal data against the surveillance activities of U.S. public authorities. That complaint was rejected on the basis that the U.S. ensured an adequate level of protection pursuant to the U.S.-EU Safe Harbor Framework, an adequacy mechanism that was a precursor to the Privacy Shield and was approved by a previous Commission decision. The CJEU, before which the High Court (Ireland) had referred questions for a preliminary ruling after an appeal by Mr. Schrems, reversed the Commission’s decision and declared the U.S.-EU Safe Harbor Framework invalid.
Following that judgment and the referral of the matter back to the Commissioner, Facebook responded that a large portion of its personal data transfers were valid pursuant to SCCs. Mr. Schrems amended his complaint to address that claim, arguing that SCCs could not justify the transfer of personal data because U.S. law required Facebook to make such data available to U.S. public authorities for monitoring in a manner incompatible with Articles 7, 8, and 47 of the Charter. Given Mr. Schrems’s amended complaint, the Commissioner brought an action before the High Court (Ireland) for that Court to refer the SCC question to the CJEU for another preliminary ruling. After the initiation of that proceeding, the Privacy Shield was formally adopted by the Commission as an adequacy mechanism. Recognizing the Privacy Shield’s impact on that proceeding, the High Court (Ireland) included the question of the Privacy Shield’s validity in its referral of the SCC question for a preliminary ruling.
CJEU’s Decision as to SCCs
Concerning whether SCCs ensured an adequate level of protection for personal data transfers to a third country, the CJEU first explored the level of protection required by the GDPR, read in light of the fundamental rights provided by the Charter. Specifically, the CJEU emphasized that if a third country’s privacy laws and international commitments did not ensure an adequate level of protection for such transfers, SCCs must do so through “appropriate safeguards,” “enforceable data subject rights,” and “effective legal remedies for data subjects.”4 Such an assessment of SCCs includes not only the contractual clauses agreed between the parties but also “any access by the public authorities of that third country to the personal data transferred . . . [and] the relevant aspects of the legal system of that third country.”5 The CJEU then examined how supervisory authorities in the EU are required to suspend or prohibit transfers of personal data if those authorities determine that SCCs are not, or cannot be, complied with in accordance with the GDPR and the Charter. Such determinations take into account factors such as the supervisory authority’s ability to pursue complaints or conduct investigations relating to activities in third countries and to handle complaints lodged by data subjects.
Against this backdrop, the CJEU analyzed the validity of SCCs in light of Articles 7, 8, and 47 of the Charter. That analysis focused on the question of whether SCCs can ensure an adequate level of protection for personal data transfers to third countries, given that SCCs do not bind the public authorities of those third countries. The CJEU first stated that when the Commission decided to adopt SCCs as a valid mechanism for adequacy, it did not base that decision on the level of protection provided by the third country to which the personal data is transferred. Instead, this protection is based on appropriate safeguards put into place by the controllers or processors established in the EU and the U.S. Thus, it is the responsibility of data processors to verify that the personal data being transferred is in compliance with EU law, including ensuring that the law of the third country to which the personal data is being transferred provides adequate protection. If those data processors discover that the personal data being transferred is not in compliance with EU law, e.g., that legislation in a third country has a substantial adverse effect on the warranties and obligations of an SCC, they or their applicable EU supervisory authority are required to, among other remedies, suspend or end the transfer. Concerning the safeguards put into place by legislation of third countries for security purposes, the CJEU specifically noted that in the Commission’s decision to adopt SCCs, the Commission stated that “mandatory requirements of that legislation which do not go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security are not in contradiction with [SCCs].”6 However, whether particular legislation goes beyond what is necessary for security purposes, and therefore undermines an SCC, will remain an open question moving forward.
Given the above, the CJEU concluded that SCCs are valid and provide for effective adequacy mechanisms.
CJEU’s Decision as to Privacy Shield
The CJEU also analyzed whether the U.S., pursuant to the Privacy Shield, ensured an adequate level of protection for personal data transfers under the GDPR, read in light of the fundamental rights provided by the Charter. The CJEU set up the analysis by acknowledging that the Commission previously decided that the U.S. ensured an adequate level of protection for personal data transferred from the EU to the U.S. pursuant to the Privacy Shield. However, the CJEU then began to criticize the Privacy Shield, starting with the fact that adherence to the Privacy Shield principles by U.S. organizations may be limited to “the extent necessary to meet national security, public interest, or law enforcement requirements.”7 This limitation, the CJEU concluded, may be used by self-certified U.S. organizations to circumvent EU law and interfere with the fundamental rights of EU citizens. The CJEU also examined various surveillance programs in the U.S. and found that those programs contain no requirement limiting the acquisition of foreign intelligence information to what is necessary and proportionate, as the Charter requires when the rights and freedoms of those in the EU are at stake. Thus, the U.S. programs’ broad power to gather information on non-U.S. persons, combined with the lack of guarantees curtailing such information gathering, did not ensure the level of protection required by the Charter. Furthermore, the U.S. Government acknowledged that the limitations imposed on the surveillance programs pursuant to a presidential decree do not grant data subjects standing before the courts against U.S. public authorities, resulting in another failure to meet the level of protection required under the Charter.
Concerning the right of EU citizens under Article 47 of the Charter to an effective remedy before an independent and impartial tribunal, the CJEU added to the above criticism of the surveillance programs a further criticism of the authority, or lack thereof, of the Privacy Shield Ombudsperson. In the decision validating the Privacy Shield, the Commission had found that this oversight and redress mechanism, independent from the U.S. Intelligence Community, ensured an adequate level of protection consistent with Article 47 of the Charter. However, the CJEU cast doubt on the Ombudsperson’s independence from the U.S. Intelligence Community, given that: 1) the Ombudsperson is appointed by and reports directly to the Secretary of State; and 2) the dismissal or revocation of the appointment of the Ombudsperson is not accompanied by any guarantees. Also, the Ombudsperson does not have any authority to adopt decisions that are binding on the U.S. Intelligence Community, nor are there accompanying legal safeguards on which data subjects could rely.
Given the above, the CJEU concluded that the Privacy Shield did not ensure an adequate level of protection for personal data transferred from the EU to the U.S., thus invalidating it.
Implications of the Schrems II Case
The implications of the Schrems II case are far-reaching and affect many companies around the world. U.S. companies that have relied solely on the Privacy Shield as an adequacy mechanism to import personal data from the EU must now put into place another adequacy mechanism to become compliant with EU law. Also, although the Privacy Shield has been invalidated by the EU, the U.S. Department of Commerce and Federal Trade Commission still consider the Privacy Shield a valid enforcement mechanism for personal data transfers and will continue to administer it and expect companies to comply with it.8,9 Concerning the SCC portion of the Schrems II case, the decision affects importers of personal data located in all countries outside of the EU. Thus, companies located in countries with less adequate protections for personal data transfers than the U.S., such as China and Russia, should have a harder time making the case that the SCCs they have in place comply with EU law. Overall, these decisions seem to solidify the idea that the GDPR is the gold standard regarding data privacy and security, meaning that the most effective and efficient approach will be for U.S. companies to become compliant with the GDPR in the first instance and then to grow out their data privacy and security infrastructure and framework from there.
1 Chapter V of the GDPR; Paragraph 94 of the Schrems II case.
2 Standard Contractual Clauses (SCC) (July 25, 2020), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
3 Privacy Shield Program Overview (July 25, 2020), https://www.privacyshield.gov/Program-Overview.
4 Paragraph 91, the Schrems II case.
5 Paragraph 104, the Schrems II case.
6 Paragraph 141, the Schrems II case; see also the footnote to Clause 5 of the Annex, Commission Decision 2010/87/EU of 5 February 2010.
7 Paragraph 164, the Schrems II case (quoting Paragraph I.5. of Annex II, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016).
8 Privacy Shield Program Overview (July 25, 2020), https://www.privacyshield.gov/Program-Overview.
9 Privacy Shield (July 25, 2020), https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield.