Schrems II: Privacy Shield Declared Invalid by the CJEU
16 July 2020
Authors: Caroline Sundberg, Elisabeth Vestin, Jesper Nevalainen and Erkko Korhonen
In the decision issued in case Schrems I (C-326/14) on 6 October 2015, the Court of Justice of the European Union (“CJEU”) invalidated the Safe Harbour arrangement, which governed data transfers between the EU and the U.S. On 16 July 2020, the long-awaited decision in case Schrems II (C-311/18) was issued by the CJEU concerning the validity of the so-called Standard Contractual Clauses (“SCCs”) used by Facebook and many other companies to lawfully transfer personal data to the U.S. from Europe, as well as the validity of the Privacy Shield. These two landmark cases address one of the most significant conflicts of the digital time — U.S. surveillance laws versus EU privacy and data protection regulations.
Schrems I and the Introduction of the Issue of Personal Data Flows to the U.S.
Schrems I arose from a complaint by Max Schrems, an Austrian PhD student and privacy advocate, which was brought to the Irish Data Protection Commissioner (“DPC”) regarding the transfer of Mr Schrems’s personal data from Facebook’s legal entity in Ireland (Facebook Ireland) to servers owned by Facebook’s legal entity in the United States (Facebook Inc.). Mr Schrems argued that U.S. laws do not offer an adequate level of protection for personal data transferred from the EU, especially in the light of the activities of U.S. intelligence agencies, such as the National Security Agency, as was revealed in connection with the Edward Snowden affair. The Irish DPC rejected the complaint, arguing that the transfer of personal data to the U.S. was compliant with the then-applicable Safe Harbour decision of 26 July 2000 and that the DPC did not have the authority to question its validity.
Mr Schrems appealed the decision of the Irish DPC to the Irish High Court, which in turn referred the case to the CJEU for a preliminary ruling. The outcome was that Safe Harbour was declared invalid by the CJEU owing to the inadequate protection of personal data in the U.S. and the violations of the EU’s fundamental rights to privacy and judicial remedy. The CJEU also ruled that national data protection authorities (“DPA”) have the authority to question the validity of third-country data transfers.
Developments Leading to Schrems II
With regard to Mr Schrems’s original complaint about Facebook, the Irish DPC found that the judgment by the CJEU on the Safe Harbour decision was irrelevant, since Facebook claimed to be relying on the SCCs, not the Safe Harbour, to make its data transfers. To support its argument of the validity of the SCCs, Facebook also referred to the Privacy Shield, which is a new scheme established in the aftermath of Schrems I to enable transfers of personal data to the U.S.
Mr Schrems updated his complaint to include the SCCs and any other legal bases for data transfers that Facebook could rely on, including the Privacy Shield. The issue was once again referred to the CJEU for a preliminary ruling, but this time regarding the validity of the SCCs and whether data can be transferred at all considering the issue of U.S. surveillance.
On 19 December 2019, the Advocate General (“AG”) issued his advisory opinion, which generally aligned with the position of Mr Schrems. The AG held that U.S. surveillance legislation is incompatible with the EU’s fundamental rights. The AG criticised the Privacy Shield but found that the question of its validity was not directly relevant in the context of the present case.
On 16 July 2020, the CJEU issued its judgment in case Schrems II, announcing the ground-breaking news that the Privacy Shield is invalid, which differs from the views expressed in the AG’s advisory opinion. The CJEU concluded that U.S. authorities’ surveillance capacities are in conflict with the EU fundamental rights and that the Privacy Shield Decision is thus invalid in its entirety. The decision will affect a vast number of companies, as their basis for secure personal data transfers to the U.S. has been invalidated. However, the invalidation of the Privacy Shield does not mean that data flows to the U.S. cannot take place at all, but rather that one previously valid basis for such transfers can no longer be used.
With regard to the SCCs, the CJEU held that the use of SCCs is valid as such. However, the CJEU clarified that personal data transferred to a third country on the basis of the SCCs must be afforded a level of protection which is, in essence, equivalent to the protection provided under the GDPR and the EU’s Charter of Fundamental Rights. The assessment must consider, in particular, the clauses agreed upon between the parties and the relevant aspects of the legal system in the third country (for instance, any access by public authorities to personal data). Considering the contractual nature of the SCCs, it is primarily for the data controller or processor, in collaboration with the recipient, to verify on a case-by-case basis whether the third country ensures an adequate level of protection.
The CJEU also held that DPAs are required to suspend or prohibit transfers of personal data to a third country if the DPA finds that the SCCs cannot be complied with in that country and that the level of protection provided in the GDPR cannot be ensured by other means. Thus, the suspension of such personal data flows is not a discretionary matter – the DPAs are obligated to take action.
Given the decision and the current U.S. surveillance legislation, it is uncertain what measures can be taken to make it possible to transfer personal data to the U.S. However, relying on the SCCs alone may no longer be sufficient.