The Schrems II decision of the CJEU: Privacy Shield invalidated, but the EU Standard Contractual Clauses remain valid

| Insight

On July 16, the Court of Justice of the European Union issued a landmark judgement regarding the transfer of personal data to the US, the so-called Schrems II case. The court states that EU-U.S. Privacy Shield framework is invalid. The EU Standard Contractual Clauses are still valid, but presupposes that the entity transferring data conducts an assessment regarding the level of protection offered in the receiving country.

Case background
The background of the case is a complaint from the Austrian privacy advocate, Maxilliam Schrems, to the Irish Data Protection Commissioner, regarding stopping transfers of his personal data from Facebook Ireland to Facebook Inc. in the US. Schrems substantiated his claim with the lack of an adequate level of protection, especially due to American mass surveillance. The main rule according to the GDPR is that it is forbidden to transfer, or make available personal data to someone outside the EU/EEA, unless there is a so-called legal basis for transfer that protects the data. Facebook is self-certified under the EU-U.S. Privacy Shield framework and has also based transfers on the EU Standard Contractual Clauses when transferring personal data to the US. Through the Schrems II decision, the Court of Justice of the European Union has taken a final position on whether this is sufficient in order to ensure an adequate level of protection in compliance with the requirements set out by the GDPR.

What does the decision imply?
The Court of Justice of the European Union determines that the EU-U.S. Privacy Shield framework is invalid as a legal basis for transfer. The Court substantiates its decision with the fact that the Privacy Shield framework does not offer sufficient legal safeguard guarantees against American governments’ monitoring and access to the personal data being transferred. At the same time, the Court of Justice of the European Union states that the EU Standard Contractual Clauses contain adequate security mechanisms, given that they are used correctly.

The decision implies that all businesses who base their transfers of personal data to the US on the Privacy Shield framework must find another legal basis for such transfer. In practice, this is relevant for a large number of Norwegian and European businesses where suppliers, sub-suppliers or wholly/partly owned subsidiaries in the US receive, or have access to personal data.

The Court states that the EU Standard Contractual Clauses are still valid. It is however important to note that the use of the standard clauses is not in itself sufficient to make transfers legal. According to the Court, the exporting party must conduct an assessment regarding whether the standard clauses will be respected by the receiving country. It shall in particular be considered whether local legislation, which impose the recipient to disclose data to public authorities, offers adequate legal safeguard guarantees.

What should businesses do now?

  1. Map all transfers that are happening with a basis in the Privacy Shield framework and the EU Standard Contractual Clauses (particularly transfers to the US)
  2. Regarding all transfers previously based on the Privacy Shield framework, consider:
  • whether the transfer can continue on another basis, e.g. the EU Standard Contractual Clauses or Binding Corporate Rules (BCR)
  • whether it is appropriate to move the processing within the EU/EEA
  1. Regarding all transfers based on the EU Standard Contractual Clauses, please note:
  • it presupposes an assessment regarding the level of protection in the receiving country and a suspension of data transfers should the level of protection be inadequate.
  • for larger businesses, it will be natural to establish routines regarding «transfer due diligence».
  • consider the need for further safeguards, such as encryption
  • if the receiving entity is familiar with conditions that indicate that the data are not adequately protected, the data exporter must be notified. The data exporter must then suspend the transfer, or notify the Norwegian Data Protection Authority that it does not consider it necessary to suspend the transfer.

Clarifications from data protection authorities and the Commission
It is expected that the Norwegian Data Protection Authority, the European Data Protection Board and the EU Commission will issue guidance that further state how businesses shall proceed with regards to the decision. There is a particular need for practical guidance regarding assessing the level of protection in the receiving country. When the predecessor of the Privacy Shield framework, Safe Harbor, was invalidated in 2015, data protection authorities acknowledged that there was a need for guidance, as well as reasonable time, so that businesses could adjust to the new requirements accordingly. Hopefully, the supervisory authorities will choose a similar approach this time around, especially in light of the possible sanctions under the GDPR being much stricter compared to earlier legislation. The Norwegian Data Protection Authority has so far issued a statement saying that all businesses who, up until now have transferred personal data to the US, must ensure that a new legal basis for transfer is put in place if the transfer is to continue.

The EU Commission has worked on updating the EU Standard Contractual Clauses, as the current clauses are drafted with a basis in repealed legislation. This work has been put on hold while waiting for the Schrems II decision. As soon as the updated standard clauses are available, businesses should replace previous versions with the new ones.