The Court of Justice of the European Union (“ECJ”) issued its judgment in the Schrems II case on 16 July 2020. The ECJ declared the EU-US Privacy Shield invalid. As a result, personal data of EU residents can no longer be lawfully transferred into the US based on the Privacy Shield.
At the same time, the ECJ confirmed that the Standard Contractual Clauses (“SCC”) remain valid, while emphasizing the need for companies involved in a transfer of personal data to check whether an adequate level of data protection can be maintained. If this cannot be guaranteed, the data exporter might need to suspend the data transfer.
The ECJ’s decision has its roots in a complaint filed in 2013 by Max Schrems, an Austrian data protection activist, with the Irish Data Protection Commission (DPC). Schrems requested the DPC to prohibit the transfer and processing of personal data of European users of the US social network “Facebook” to Facebook Inc.’s servers in the USA. He argued that US law did not adequately protect the rights of data subjects from the surveillance activities of US authorities. In October 2015, the ECJ eventually ruled that the “safe harbor” agreement, on which the transfer was originally based, was invalid. A few months later, the “Privacy Shield” was born, a similar mechanism that allowed US companies to self-certify that they complied with a set of rules regarding the protection of personal data, and permitted European data exporters to transfer personal data to these US companies. At the same time, many companies switched to using SCC as the legal basis for cross-border data transfers.
The Irish High Court, deciding on Schrems’ complaint, referred several questions on the validity of the SCC and the Privacy Shield to the ECJ. These questions essentially asked whether data transfers under SCC and the Privacy Shield violated Articles 7, 8, 47, and 52 of the EU Charter of Fundamental Rights.
Standard Contractual Clauses remain valid
The ECJ ruled that the SCC are valid. The SCC contain effective and adequate mechanisms to protect EU data subjects whose personal data would be transferred to third countries.
However, the court adds that before any transfer of personal data to a third country takes place, the parties should verify whether the EU data subjects whose personal data are transferred enjoy a level of protection equivalent to that guaranteed in the EU. Therefore, the parties concerned would have to assess on a case-by-case basis whether the data importer in the third country is able to comply with the SCC at all or whether the legal system of the third country does not enable the required level of data protection, for example in the case of certain access rights by public authorities that go beyond what is deemed permitted under the SCC. If the legal system of the third country does not provide for an adequate level of protection, the data exporter would be obliged to suspend the transfer or terminate the contract with the data importer.
At the same time, the ECJ also obliges the competent data protection authorities of the EU member states to intervene and prohibit data transfer to specific countries on a case-by-case basis if they consider that the SCC are not (or cannot be) respected in such countries. The examination by the authorities is only waived if the EU Commission has issued an adequacy decision for the target country.
Privacy Shield is Invalid
The ECJ determined that the Privacy Shield is invalid. As a result, personal data transfers to the US that were based on the Privacy Shield now lack a valid legal basis.
The Court found that US national laws which regulate access and use by US authorities of personal data imported from the EU into the US do not provide protections “essentially equivalent” to those required under EU law. Instead, US law provides public authorities with far-reaching surveillance powers which, in the Court’s determination, go beyond what is “strictly necessary” (including in respect of non-US individuals) and do not give data subjects adequate rights to challenge the relevant authorities and assert their rights before the courts.
In this respect, the ECJ also held that the Ombudsperson mechanism provided under the Privacy Shield does not actually guarantee data subjects the same protections that they would be afforded under EU law (for example, the Ombudsperson does not have the power to make decisions that are binding on the US intelligence services).
Consequences and recommendations for action for Israeli businesses
The ECJ’s decision is relevant also for Israeli businesses that are active in the EU. They will need to closely examine their data transfers to third countries, in particular to the USA.
To the extent that companies have so far justified a data transfer from the EU to the US on the basis of the EU-US Privacy Shield, companies will need to act quickly, as this data transfer is now illegal. While it might be tempting to simply sign SCC with data importers in the US, the ECJ’s decision has made it clear that the parties need to examine very carefully whether the SCC are still a sufficient alternative for transfers to the US and to other countries. In general, the parties signing SCC have to verify whether they can comply with the (rather strict and burdensome) requirements of the SCC. If they, in particular the data importers, find that they cannot fully comply with both the obligations under the SCC and the laws of the country in which they are located, then the SCC are not a suitable legal basis.
In addition, statements from some of the European supervisory authorities following the Schrems II ruling raise the question of how data transfers to other non-EEA countries should be conducted. Any country where authorities have more extensive surveillance powers or individuals have fewer protections of their privacy rights might be subject to scrutiny. In this context, several commentators have raised the question of whether past adequacy decisions can be upheld. While Israel currently still enjoys the status of an “adequate jurisdiction” and personal data can thus be freely transferred from the EU, the extensive surveillance activities conducted by authorities for national security may be considered to run afoul of the standards set out in the Schrems II decision. Businesses in Israel that currently rely on the country’s adequacy status might be advised to assess if a transfer of personal data from the EU to Israel can qualify on a different legal basis.
The European Data Protection Board (EDPB) has published an initial set of FAQ on the Schrems II decision, which is expected to be further developed. Several European data protection authorities have already issued statements and guidelines on the legality of data transfers to certain countries on the basis of SCC. In parallel, the EU Commission confirmed that it is working on alternative instruments for international transfers of personal data, including by reviewing the existing SCC.
In light of the continued uncertainties around data transfers to the US, it is to be expected that some organisations will move away from transferring data across the Atlantic and will instead move to data processors in the EU and EEA.