Important Ruling on International Data Transfers

Friday 7th August, 2020

Key points

Following a recent decision from the Court of Justice of the European Union (“CJEU”), the rules on transferring personal data outside the European Economic Area (“EEA”) are now more uncertain and onerous for businesses in the UK and EU.

On 16th July 2020, the CJEU ruled in the Schrems II case that:

  • the ‘Privacy Shield Framework’, one of the lawful mechanisms for transferring personal data to the US, is invalid; and
  • the European Commission’s ‘Standard Contractual Clauses’ (“SCCs”), the most widely used lawful mechanism for transferring personal data outside the EEA, are subject to the additional requirement that the data exporter, in conjunction with the data importer, must consider the laws and practices of the data importer’s country and, where appropriate, must implement supplementary measures to protect the data.

We recommend businesses review their international data transfer arrangements (including data transfers carried out by their outsourced service providers such as hosting providers). Where the Privacy Shield Framework is used, businesses should move over to other lawful transfer mechanisms (e.g. the SCCs). Where the SCCs are used, businesses should carry out and document risk assessments to work out whether the SCCs provide sufficient protection or whether supplementary measures are needed to protect the data.

The European Data Protection Board (“EDPB”) and the UK Information Commissioner’s Office (“ICO”) will issue guidance, so businesses should be ready to act quickly once it is published.

The CJEU decision will continue to apply in the UK after Brexit.

Background to the case

Under the General Data Protection Regulation (“GDPR”), UK and EU organisations are prohibited from transferring personal data outside the EEA unless:

  • the transfer is to a country or territory covered by an EU Commission ‘adequacy decision’. There are full adequacy decisions in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. There are partial adequacy decisions in place for Japan and Canada and, prior to Schrems II, the US under the Privacy Shield Framework;
  • the transfer is subject to ‘appropriate safeguards’. By far the most common safeguards used by organisations are the SCCs; or
  • the transfer is covered by an exception in the GDPR. The exceptions are narrow and rarely used.

Max Schrems has used Facebook since 2008. Facebook Ireland transfers personal data to Facebook Inc in the US. Facebook Inc originally self-certified under the ‘Safe Harbor Framework’ to lawfully receive personal data from Facebook Ireland.

In 2013 Mr Schrems made a complaint to the Irish Data Protection Commissioner that, due to the surveillance activities carried out by the US intelligence agencies, the US did not provide adequate protection for his personal data. The complaint was referred to the CJEU which declared the Safe Harbor Framework invalid in 2016.

Following the CJEU decision, Facebook Ireland confirmed that it transferred significant amounts of personal data to Facebook Inc under the SCCs. In 2015 Mr Schrems reformulated his complaint and asked the Irish Data Protection Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc on the grounds that US law was incompatible with the SCCs. However, rather than prohibiting or suspending the transfer, the Commissioner asked the CJEU to consider whether the SCCs themselves were invalid.

In 2016 the European Commission approved the Privacy Shield Framework in place of the Safe Harbor Framework for EU-US data transfers. The Privacy Shield Framework was made part of Mr Schrems’ complaint and was referred for consideration to the CJEU.

The decision

On 16th July 2020, the CJEU ruled that:

  • the Privacy Shield Framework does not adequately protect EU personal data from access and use by US public authorities, so it is invalid; and
  • whilst the SCCs are valid, there is an additional obligation on the data exporter, in conjunction with the data importer, to decide whether, considering the laws and practices of the data importer’s country, the SCCs alone are sufficient or whether supplementary measures are needed to protect the personal data and the rights and freedoms of the individual data subjects.

Future use of SCCs

With the Privacy Shield Framework declared invalid, for most businesses the SCCs are now the only realistic way to lawfully transfer personal data outside the EEA.

However, following the decision in Schrems II, using the SCCs will be far more complicated in the future and businesses will need to obtain appropriate advice.

Businesses will need to carry out and document risk assessments on the laws and practices of the data importer’s country for each data transfer. Where those laws and practices are incompatible with the SCCs, and in particular where they allow public authorities such as intelligence agencies access to the data, the data exporter must implement appropriate supplementary measures to protect the data (the EDPB has confirmed it will issue guidance on what is meant by ‘supplementary measures’).

Whilst the Schrems II case focussed on transfers of data to the US, these requirements will apply to all international data transfers made using the SCCs.

Transfers to the US

It is difficult to see how any transfers of personal data to the US will be lawful following the decision in Schrems II. As the CJEU has declared the Privacy Shield Framework invalid because US laws are incompatible with the GDPR, it seems inevitable the same applies to transfers to the US under the SCCs.

Given the importance of data transfers between the UK and US, and the expected closer relationship following Brexit, businesses need clarity on data transfers to the US as soon as possible.

 

This article is current as of the date of its publication. The information and any commentary contained in this article is for general information purposes only and does not constitute legal or any other type of professional advice. Marriott Harrison LLP does not accept and, to the extent permitted by law, excludes liability to any person for any loss which may arise from relying upon or otherwise using the information contained in this article.