European Union Court Invalidates Privacy Shield, Throwing GDPR Conformity into Doubt

Under the EU-U.S. Privacy Shield, more than 5,300 registered American companies had benefited from a self-certification process with the Department of Commerce. Participants guaranteed adherence to the corresponding national provisions adopted pursuant to Directive 95/46/EC (later replaced by the General Data Protection Regulation (GDPR)) for the transfer of personal data of EU data subjects. In return, a cost-effective alternative to the Standard Contractual Clauses (SCC, also referred to as Standard Data Protection Clauses) for the transfer of personal data, especially for medium-size companies, had been established. However, four years after its inception, the Court of Justice of the European Union (CJEU), in its Decision C-311/18 (the Schrems II Decision), has declared the Privacy Shield Implementing Decision 2016/1250 invalid.

The origin of the dispute can be traced back to Maximilian Schrems, an Austrian national and active Facebook user since 2008, who filed a complaint with the Irish Data Protection Commissioner (DPC) in 2013, alleging that Facebook Ireland should be prohibited from transferring his personal data to Facebook Inc. servers located in the United States for processing. His complaint was dismissed because, in the DPC's view, Schrems lacked evidence of the NSA accessing his personal data, and because the then-current Safe Harbor Decision 2000/520 had found that the United States ensured an adequate level of protection. Upon a preliminary ruling of the CJEU, requested by the High Court of Ireland, the Safe Harbor Decision was invalidated (the Schrems I Decision). Schrems had to reformulate his complaint, as Facebook Ireland stated that a large part of the personal data was transferred to Facebook Inc. pursuant to the decision validating the use of SCC.

In the new complaint, Schrems alleged that Facebook Inc. was required to make the transferred personal data accessible to U.S. authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). Particularly called into question were Section 702 of the FISA and Executive Order 12333. Schrems argued that since the personal data was used in the context of various monitoring programs in a manner incompatible with Articles 7, 8, and 47 of the Charter, the SCC Decision cannot justify the transfer of that data to the U.S.

“Article 7 of the Charter states that everyone has the right to respect for his or her private and family life, home and communications. Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her.” (C-311/18). Both these articles are used to establish the scope of protection intended by the GDPR, such as Chapter V, which focuses on the “transfer of personal data to third countries or international organisations”. The conformity of the transfer of personal data to a third country is, according to Article 45 of the GDPR, dependent on the Commission’s decision that an adequate level of protection is ensured. In the absence of a decision, Article 46 of the GDPR stipulates that the transfer of personal data may only occur if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for the data subjects are available. The appropriate safeguards may be provided for, without requiring a specific authorization or form, by a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, or SCC adopted by the Commission.

The High Court of Ireland decided to stay the proceedings on Schrems’ new complaint and referred several questions to the CJEU for a preliminary ruling. The court inquired about the level of protection required by Article 46 of the GDPR with respect to a transfer of personal data to a third country based on SCC; the validity of the SCC Decision; and to what extent the Privacy Shield Decision is valid under the GDPR and in light of the Charter.

Following a similar argument to the one used in the Schrems I Decision, the court held “that the term ‘adequate level of protection’ must, […], be understood as requiring the third country in fact to ensure […] a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation read in the light of the Charter [specifically Articles 7 and 8]”. It should also be noted that “in the absence of an adequacy decision, the appropriate safeguard to be taken by the controller or processor in accordance with Article 46 of the GDPR must ‘compensate for the lack of data protection in a third country’ in order to ‘ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union’”.

Regarding the validity of the SCC, the court addressed the question of “whether the SCC Decision [Decision 2010/87] is capable of ensuring an adequate level of protection of the personal data transferred to third countries given that the SCC provided for in that decision do not bind the supervisory authorities of those third countries.” The court found that the SCC may provide the safeguards required by Article 46 of the GDPR. However, not all safeguards must be provided by the Commission decision (the SCC Decision). It is, therefore, important to note that if the SCC cannot guarantee compliance with the “level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.” The court found that it is the responsibility of the controller or processor to verify, on a case-by-case basis and in collaboration with the data recipient where appropriate, “whether the law of the third country of destination ensures adequate protection under EU law” and to provide, where necessary, additional safeguards to those offered by the SCC Decision. Further, where the controller or processor fails to establish additional measures to guarantee such plus-protection, they or “the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned.” The court also finds that the SCC Decision establishes “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law.”

Lastly, the court evaluated the Privacy Shield Decision and whether it provides an adequate level of protection. The decision was “called into question, inter alia, on the ground that the interference arising from the surveillance programs based on Section 702 of the FISA and on Executive Order 12333” is not covered by the principle of proportionality, specifically that those programs are not limited to what is strictly necessary (see Article 52 of the Charter). The court stated that the United States Foreign Intelligence Surveillance Court (FISC) is responsible for authorizing surveillance programs on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence. However, the FISC does not review whether individual targeted surveillance operations are proper. “It is thus apparent that Section 702 of the FISA does not indicate any limitation on the power it confers to implement surveillance programs.” Further, due to the lack of actionable rights against U.S. authorities, “it follows therefore that neither Section 702 of the FISA, nor Executive Order 12333, read in conjunction with PPD-28, correlates to the minimum safeguards” required by EU law, and specifically by the GDPR read in light of the Charter. In addition, the court found that the Privacy Shield Ombudsperson mechanism lacks the power to adopt decisions that are binding on the U.S. intelligence services and thus does not give data subjects the possibility of bringing legal action before an independent and impartial court in order to obtain access to their personal data. On these grounds, the Court declared Decision 2016/1250 invalid.

In reaction to the Schrems II Decision, U.S. Secretary of Commerce Wilbur Ross issued a statement in which he said: “The Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts”. Similarly, Secretary of State Mike Pompeo said that “The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU). Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield Framework.”

In essence, the Schrems II Decision is analogous to the issues discussed in the Schrems I Decision concerning safe harbors, and it forms part of a chain of fundamental decisions on the protection of personal data. The transfer of personal data to the U.S. is still possible through the SCC, binding corporate rules, or the explicit consent of the data subject. It should, however, be noted that the SCC, some of whose clauses date back to 2001, are not current and, without the plus-protection mentioned above, will likely not withstand the case-by-case evaluation of the DPC.

The European Commission is currently preparing an updated version of the SCC that should be available soon. Until then, the law firm Hogan Lovells, in a post titled “Schrems II: Privacy Shield invalidated and Standard Contractual Clauses under scrutiny”, recommends that companies prepare by taking the necessary precautionary measures to become compliant with the GDPR and the CJEU ruling. Specifically, the firm suggests switching from the Privacy Shield to an alternative safeguard; verifying the levels of protection of international data flows; providing assistance to EU customers; monitoring statements from the European Data Protection Board; and monitoring activity on the updated SCC. Suggested ‘alternative safeguard’ measures can be the SCC supplemented by further clauses to provide adequate protection in the third country; approved “ad hoc clauses”; or binding corporate rules.

For now, the migration of data servers used to process the personal data of EU subjects from the U.S. to another jurisdiction seems far-fetched. However, if the current administration and the European Commission fail to come to an agreement and enforcement actions commence against individual SCCs, it could become a viable scenario for businesses in the near future.