17 July 2020

Schrems II – Implications for your organisation

On July 16 the Court of Justice of the European Union (‘CJEU’) delivered its long-awaited ruling on the validity of the controller–to-processor standard contractual clauses (‘SCCs’). SCCs are a transfer mechanism used by numerous organisations to facilitate the cross-border transfer of personal data to countries outside the EEA that do not provide an adequate level of protection. In the so-called Schrems II case, the CJEU, somewhat unexpectedly, declared Privacy Shield invalid. This framework regulates transfers of personal data between the EU and the US. The SCCs remain valid, but they may require implementation of supplementary measures in order to ensure a level of protection that is essentially equivalent to that guaranteed within the EU. In this alert we will provide you with a first analysis of what this ruling means for cross-border data transfers of your organisation. Please see below for the background and a summary of the case.



What does the ruling mean for your organisation?

Questions Answers
Our organisation transfers personal data from the EU to a US based supplier on the basis of Privacy Shield. Do we need to take action? Yes, as of today organisations can no longer rely on the Privacy Shield framework for transfers of personal data from the EU to the US. Some suppliers, such as Microsoft, provide customers with overlapping protections under both the SCCs and Privacy Shield frameworks for data transfers but this may still be insufficient after today’s ruling (see below). If you are unsure whether your supplier relied on Privacy Shield, you can check here which companies are self-certified.
Can we still use SCCs to facilitate
transfers to non-adequate countries outside the EEA?
Yes, SCCs remain a valid instrument to transfer personal data to processors located in countries outside the EEA, but you need to take further action (see below).
What action do we need to take? EU controllers can no longer simply rely on SSCs and they must now take a pro-active role. The CJEU ruled that controllers, together with data importers, have to assess on a case-by-case basis whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred under the SCCs. In that assessment the controller must take all the relevant aspects of the legal system of that third country into consideration. This will include in any event the following elements: the rule of law, the existence and effective functioning of one or more independent supervisory authorities and the international commitments of that third country (see article 45(2) GDPR).                                                                              The outcome of the assessment may require that your organisation and the supplier will have to implement additional safeguards, such as end-to-end encryption or possibly even that your organisation suspends the transfer of personal data or terminates the contract with the supplier. Needless to say, making such assessment will be a very complex exercise. We expect that the EDPB or the Dutch DPA will provide further guidance soon. In essence the problem is political and requires a political solution. This problem should not be left to organisations to fix. In the meantime, we recommend keeping an eye on your supplier’s website and communications or ask your suppliers to provide you with the required information.
Given the invalidation of Privacy Shield, is it likely that we can use SCCs to transfer data to US suppliers? If you use SCCs to transfer personal data to your US suppliers, you have to take into consideration the level of protection afforded by US law. The CJEU invalidated Privacy Shield because certain US surveillance powers do not provide an adequate level of protection to EU data subjects. If we extend the Court’s reasoning to the SCCs, this would imply that US law as such does not provide an adequate level of protection. This would mean that SCCs can only be used for transfers of personal data to the US if substantial additional measures are adopted. At this stage it is unclear what form those additional safeguards would have to take.
Does the ruling only apply to future SCCs? The ruling from the CJEU applies to existing and future transfers of personal data. Your organisation must therefore also assess if current transfers of personal data to non-adequate countries require additional safeguards.
What are the alternatives for SCCs? There are alternatives, at least on paper, such as BCRs and approved ad-hoc clauses but these may not be appropriate for your organisation and implementation is time-consuming. Alternatively, your supplier may have approved processor BCRs in place, which may eliminate the need for reliance on SCCs. However, arguably, today’s ruling will affect BCRs as well.Data transfers may still be allowed under one of the derogations in art. 49 GDPR, although some of these derogations are not intended for systematic and repeated transfers. Transfers based on valid, informed user consent are still legal, although users should be able to withdraw their consent at any time.
The European Commission is working on new SCCs. Will these provide a solution? It is expected that the European Commission will adopt the updated SCCs relatively soon. It is not yet clear if and how these SCCs will address today’s ruling.

Background to the case

The origins of the case go back to 2013, when Max Schrems, an Austrian citizen and privacy advocate, filed a complaint against Facebook with the Irish Data Protection Commissioner (‘DPC’).  As a Facebook user, Schrems’ personal data was transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the US. Schrems claimed that the law and practices in the US did not ensure adequate protection of his personal data against US surveillance activities. He therefore requested the DPC to prohibit transfers of personal data by Facebook Ireland to servers belonging to Facebook Inc. in the US. The DPC, however, rejected his claim, mainly by referring to the ‘Safe Harbour Decision’, in which the European Commission had found that the US ensured an adequate level of protection. In the landmark Schrems I judgment, the CJEU sided with Schrems and invalidated the Safe Harbour decision.

Following this invalidation, Facebook turned to SCCs as a mechanism for its data transfers from Facebook Ireland to Facebook Inc. Schrems reformulated his complaint and again claimed that the US do not offer sufficient protection of personal data transferred to that country. Schrems requested the DPC again to prohibit or suspend the transfer of his personal data to Facebook Inc. Instead of taking action upon the request of Schrems, the Irish DPC brought proceedings against Facebook in the Irish High Court, challenging the validity of the SCCs. The High Court in turn referred 11 questions to the CJEU for a preliminary ruling.

Summary of the case

The CJEU sees no reason to invalidate SCCs. According to the CJEU, the SCCs provide for sufficient mechanisms to ensure compliance with the level of protection required by EU law. The SCCs foresee in the possibility to suspend or prohibit the transfers of personal data pursuant to such clauses in the event of the breach of such clauses or it being impossible to honour them. The fact that SCCs do not bind the authorities of third countries to which data are transferred, is in itself no reason to invalidate the SCCs.

The CJEU emphasizes that EU controllers cannot merely rely on the SCCs and must take a proactive role. Together with data importers, EU controllers must assess on a case-by-case basis whether there is in fact an adequate level of protection for personal data in the importing jurisdiction. Regarding the level of protection required in respect of transfers to non-adequate countries outside the EEA, the CJEU rules that data subjects must be afforded a level of protection that is essentially equivalent to that guaranteed within the EU by the GDPR. The assessment of the level of protection must take into consideration both the SCCs and all the relevant aspects of the legal system of the third country of destination.

If the SSCs cannot ensure the required level of protection, the controller will have to adopt supplementary measures over and above those contained in the SCCs in order to ensure an adequate level of protection. If there are no additional safeguards available that would ensure an adequate level of protection, the EU data controller is required to suspend the transfer of personal data or to terminate the contract.