
Here we go again: CJEU issues its judgment in Schrems II

Overview

The CJEU has released its judgment in the long-running Max Schrems/Facebook Ireland story (Case C-311/18, handed down on 16 July 2020). We explain what the case is about and why it matters.

Background

To recap (and as set out in our briefing following the Advocate General's preliminary opinion at the end of last year), Max Schrems objected to the transfer by Facebook of his personal data from the EU to the US, following the revelations made by Edward Snowden about access by US surveillance authorities to personal data. The first case (Schrems I, decided in 2015) resulted in the downfall of the US "Safe Harbor" regime, which had been put in place as a mechanism for allowing personal data to be transferred from the EEA to the US in a way which complied with EU data protection law, which requires that personal data sent to destination countries outside the EEA continues to be protected to a standard essentially equivalent to that within the EEA. This decision of the CJEU is important because it examined the ongoing validity of two important mechanisms, provided for by the General Data Protection Regulation 2016 (GDPR), for transferring personal data outside the EEA in such a way as to maintain the protection of that data in the destination country:

  1. The EU-US Privacy Shield, which was put in place to replace the US "Safe Harbor" regime, and which supposedly addressed the privacy concerns with the "Safe Harbor" so that EEA based businesses could continue to transfer personal data to their US counterparts which had signed up and complied with the new regime; and

  2. Standard contractual clauses, which are a set of European Commission approved clauses which data exporters and importers sign up to, obliging them to keep personal data exported outside the EEA safe. There are two sets of clauses – clauses for use between data controllers, and clauses for use in respect of transfers from data controllers to data processors. The CJEU decision examined the latter set of clauses, but the reasoning could equally be applied to the controller to controller clauses. 

KEY TAKEAWAYS FROM THE LATEST SCHREMS JUDGMENT

  1. The EU-US Privacy Shield is no better than the US "Safe Harbor" regime (albeit for different reasons) and has been declared invalid. Businesses will therefore no longer be able to rely on it as a valid mechanism for transferring personal data to the US. This would leave a gap, were it not for the fact that:

  2. Standard contractual clauses are still, thankfully for the many businesses which rely on them, valid for transfers of personal data to countries outside the EEA which the European Commission has not recognised, by way of an adequacy decision, as having a data protection regime adequate to keep EU personal data safe. However, there are important caveats – see below.

Impact on business

Whilst the judgment is going to be a big headache for those businesses, many of which are in the tech sector, which did rely on the EU-US Privacy Shield to govern their data transfers, standard contractual clauses can still, for now, provide a fall back for them, as they did in the immediate aftermath of the initial decision on the US "Safe Harbor" regime. Of the range of transfer mechanisms which GDPR provides, such as BCRs (binding corporate rules) and specific derogations such as consent, standard contractual clauses are still often the most practical tool available for large scale, ongoing data transfers. In addition, many contracts will already deal with this issue (i.e. by stating that the parties will put in place an approved mechanism in the event that another falls away). For those businesses which haven't used them, and relied instead on the Privacy Shield, additional papering and due diligence (see below) will be required, but at least standard contractual clauses do provide another possible option.

Standard contractual clauses: some points to note 

Although the court's ruling on standard contractual clauses is likely to be welcomed by many businesses, the following points are worth noting:

IT'S NOT JUST ABOUT PAPERWORK

The CJEU's observations about standard contractual clauses were similar to the Advocate General's: businesses shouldn't assume that once the paperwork has been signed the job is done. The parties need to do their due diligence to ensure that any data being transferred will in fact be kept safe by the data importer. The clauses themselves already impose obligations on the data importer to put in place technical and organisational measures to keep the data safe, and to verify and inform the data exporter of any local laws which might compromise the safety of the data, so that the transfer can then be suspended.

The judgment also highlighted the role which supervisory authorities have to play in stepping in to suspend or prohibit data transfers where they take the view that standard contractual clauses cannot be complied with in a particular country, and that the protection of the data cannot be ensured by other means.

In a sense, none of this is new – much of the judgment, and the conclusions on why standard contractual clauses remain a valid mechanism, was based on wording contained in the clauses which has always been there. However, the judgment does shine a spotlight on the fact that there needs to be a genuine, case by case assessment by the parties of all the risks associated with the transfer of personal data to a third country, taking into consideration the nature of the data being transferred, its volume, and how it will be used by the data importer in the third country.

THE BREXIT DIMENSION

The CJEU's decision on standard contractual clauses will be very welcome to UK businesses which rely on data flows from the EEA, if the UK is unable to persuade the EU to grant it an adequacy decision, as part of a trade deal or otherwise, before the expiry of the transition period at the end of the year. In that situation the main mechanism which EEA businesses will rely on to transfer personal data to the UK will be standard contractual clauses, and we recommend that you make contingency plans for that eventuality now. Having said this, the ruling does potentially have wider political ramifications, in terms of the UK's position post transition vis-à-vis data flows to the United States, and in terms of any assessment of the adequacy of the UK's own data protection regime. How these ramifications play out remains to be seen.

What next for EU-US data transfers?

There is now a job to be done on what precisely will replace the EU-US Privacy Shield, and EU Justice Commissioner Didier Reynders has already said that the EU will look at ways to support data transfers to the US. How quickly and effectively that can be achieved in the current climate remains to be seen.

The CJEU's comments on how standard contractual clauses work to protect personal data, coupled with its conclusion about the US data protection regime (and the resulting decision to invalidate the Privacy Shield), mean that whilst they are likely to be the best (and in many cases the only) alternative mechanism for businesses to work with if they want to transfer data, their use in respect of transfers to the US is not without risk – though for the reasons set out above, it could be said that this has always been the case.

The European Commission's recent Evaluation Report into GDPR implementation did highlight the fact that standard contractual clauses are being modernised to cover all relevant transfer scenarios and better reflect modern business practices. However, we do not as yet have an indication of when a new version will become available for use, and in any event, given the CJEU's comments, it is difficult to see how the clauses can be made to work in situations where the data protection regime of a third country simply does not come anywhere near the standards set by the EU for the protection of personal data.

Meanwhile, we await the reaction of supervisory authorities. We will continue to monitor any guidance issued by such authorities over the coming weeks as to whether the use of standard contractual clauses in respect of data transfers to the US, or indeed any other jurisdiction, is problematic.

Get in touch

Vivien Halstead
Dan Reavill