On 16th July 2020 the Court of Justice of the European Union (CJEU) delivered the landmark judgment in Case C‑311/18 Data Protection Commissioner v Facebook Ireland Ltd., and Maximillian Schrems, also known as “Schrems II”. This case will have a seismic impact on the transfer of personal data outside the European Economic Area (EEA) under GDPR.
It would be quite easy to dismiss the importance of this case. For starters, it involves a social media Data Controller. Secondly it was decided under the ‘old’ 1995 Data Protection Directive rather than the General Data Protection Regulation (GDPR) 2016. Thirdly it is a ruling of the CJEU, that may be thought to have no relevance post 31 December when the Brexit Transition Period ends and the UK GDPR comes into force.
Firstly some basic observations:
- The case is not just about Facebook. It concerns international transfers of personal data between organisations in the EEA and third countries, particularly the USA. Many public authorities do this too. For example, universities may share personal data of staff and students who teach or study abroad. Some NHS Trusts, using clinical devices sourced from the US, may transfer diagnostic and monitoring data back to the States.
- Although the litigation started when the 1995 Data Protection Directive was in force, the CJEU makes it clear that the questions it had to consider must be answered in the light of the GDPR rather than the Directive.
- The end of the Brexit Transition Period, on 31st December 2020, does nothing to invalidate the decision of the CJEU in this case. The UK GDPR contains the same provisions about international transfers as GDPR.
The International Transfer Regime
To understand the judgment, it is worth recalling how the GDPR regulates the transfers of personal data from organisations within the EEA to those outside it. GDPR Article 44 lays down the general principles. Essentially, international transfers can only take place if they comply with the provisions of Articles 45-48 of GDPR. For the purpose of this blog the important provisions are Articles 45, 46 and 49.
Under GDPR Article 45, the European Commission can make a decision that a third country affords an adequate level of protection for personal data. To date 13 countries are the subject of an adequacy decision. The USA is on the list provided the company or organisation to whom personal data is transferred has signed up to the Privacy Shield Framework. The Commission adopted the EU-US Privacy Shield Decision following the CJEU’s decision in “Schrems 1” (Case-362/14) which ruled that its predecessor, the “Safe Harbour Decision” (2000/520/EEC) was invalid.
In the absence of an adequacy decision, a Data Controller (and Data Processor) can only make an international transfer if they have in place “appropriate safeguards”. These include the use of standard contractual clauses which have been adopted by the European Commission. The Commission issued the Standard Contract Clauses (SCC) Decision in 2010 which was amended in 2016.
Where a Data Controller is transferring personal data to a third country that is not covered by an adequacy decision and appropriate safeguards are not in place, then it may still be able to make the transfer, if the transfer is covered by one of the “derogations” listed in Article 49. These include (but are not limited to) where the data subject has explicitly consented to the transfer; the transfer is necessary for important reasons of public interest; or where the transfer is necessary for the performance of a contract between the data subject and the controller. For example, a local authority organising a visit to its twin city in China, may rely on the consent of the councillors and officers before transferring their personal details to the Chinese organisers.
Where none of the derogations apply then a transfer may only take place where it is not repetitive, concerns only a limited number of data subjects and is necessary for purposes of compelling legitimate interests of the Data Controller, which are not overridden by the interests or rights of the data subject. In addition to these hurdles the Data Controller must assess all the circumstances of the transfer and put suitable data protection safeguards in place. The European Data Protection Board (EDPB) has issued guidelines about the Article 49 derogations.
Max Schrems, an Austrian national, is a well-known campaigner against Facebook and its data processing activities. In 2013 he complained to the Irish Data Protection Commissioner requesting her to prohibit Facebook Ireland (a subsidiary of Facebook Inc, in the USA) from transferring his personal data to the USA. That complaint resulted in the Irish High Court referring the case to the CJEU, which ruled in “Shrems 1” that the EU-US Safe Harbour arrangement was invalid.
In 2015 Mr Schrems reformulated his complaint to the Irish Commissioner claiming that under US law, Facebook Inc was required to make the personal data (that had been transferred to it from Facebook Ireland) available to certain US law enforcement bodies and that this personal data was used in the context of various monitoring programmes in a way that violated his privacy. He also argued that US law did not provide EU citizens with legal remedies and so the transfers was not lawful under GDPR. Facebook Ireland argued that the transfer complied with the SCC Decision (i.e. they had standard EU clauses in place) and that was sufficient to make the transfers lawful. At the time, the EU-US Privacy Shield had not been adopted.
The Irish Commissioner agreed with Mr Schrems but she asked the High Court to refer various questions to the CJEU for a “preliminary ruling” on the validity of the SCC Decision. Although the case was primarily about the SCC Decision, the Court considered it had the right to consider the validity of the Privacy Shield Framework too.
The judgment is an extremely important one for both private and public sector organisations despite the fact that reading it is a bit like wading through treacle! Here are the key points:
- The CJEU declared that the EU-US Privacy Shield Decision (Decision 2016/1250) was invalid in its entirety and so the Privacy Shield Framework for transferring data to the US could not be used. The Court held that any communication of personal data with a third party (such as the relevant security organisations in the US) was an interference with fundamental privacy rights which was neither lawful nor proportionate. The relevant US legislation did not provide any limits on the powers of US authorities to process the personal data for surveillance purposes. It also decided that the availability of a Privacy Shield Ombudsperson was not sufficient to guarantee that data subjects in the EU had a right to an effective legal remedy as required by GDPR.
- The Court confirmed that the use of standard contractual clauses for international transfers was still lawful. Organisations can continue to incorporate these into the contractual arrangements with third country recipients. However, the point about standard contract clauses is that they are inherently contractual in nature and therefore only bind the parties to the contract. They cannot bind the public authorities, including law enforcement agencies, in third countries. The clauses may require, depending on the situation in the country concerned, the adoption of further supplementary measures to ensure compliance with the level of protection required by the GDPR.
- The Court was clear that the responsibility in paragraph 2 above lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case by case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before transferring personal data to that third country. If they are not able to guarantee the necessary protection, they or the competent supervisory authority (in the UK the Information Commissioner’s Office) must suspend or end the transfer of personal data.
- If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case by case basis, whether that mandatory requirement doesn’t go beyond what is necessary in a democratic society to safeguard national security, defence and public security.
Organisations, including those in the public sector, that transfer personal data to the US can no longer rely on the Privacy Shield Framework. They must now consider using the Article 49 derogations or the standard contractual clauses. If using the latter, whether for transfers to the US or other countries, the onus is on the Data Controllers to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the clauses. At time of writing it is not clear how to make this assessment and what additional measures will be needed. The European Data Protection Board (EDPB) has announced it will be looking into this.
The ICO has posted a general statement to the effect that organisations that are currently using the Privacy Shield should continue to do so until further notice. It seems likely that they will grant a grace period during which organisations can implement alternative transfer mechanisms.
In our next webinar, The Schrems 2 Judgement: Implications for the Public Sector, we will cut through the legal jargon to explain the decision and its implications specifically for the public sector.