Data transfers to third countries: Schrems II

by Emma Rigby Trainee Solicitor, Cyber Security & Data Protection, PwC United Kingdom

Email +44 (0)7483 434643

by Richard Hall Senior Associate, Data Protection Strategy, Legal and Compliance Services

Email +44 (0)7483 407825

Summary

On Thursday 19 December, the Advocate General (“AG”) Saugmandsgaard Øe of the Court of Justice of the European Union (“CJEU”) delivered his opinion on the Schrems II case. The case considers the transfer of data outside of the European Economic Area (“EEA”) to third countries. More specifically, the case related to the use of Standard Contractual Clauses (“SCCs”), which are widely used as a mechanism for organisations to transfer data out of the EEA, through the use of contractual obligations requiring similar levels of protection as the General Data Protection Regulation (“GDPR”), from the receiving country.

Background

The opinion is the latest update following a long and complex legal dispute which has been ongoing for six and a half years. The issue first arose in 2013, when a complaint was made against a social media company, to the Irish Data Protection Commission (“DPC”), by an Austrian user of the social media platform, named Max Schrems, alleging that they had unlawfully transferred his data to their servers in the United States (“US”). The complaint was brought on the basis that the US allowed surveillance by public authorities through Section 702 of the Foreign Intelligence Surveillance Act and Executive Order (EO) 12,333, and this breached Mr. Schrems fundamental right to privacy and was in conflict with the protections afforded to him by data protection laws in the European Union (“EU”).

Initially, the social media company justified the transfer through reliance on the Safe Harbour Framework (the predecessor to the EU-US Privacy Shield (“Privacy Shield”) which allowed for the transfer of personal data), asserting that this ensured an adequate level of protection to European citizens’ personal data in the US, and the DPC rejected Mr. Schrems’ complaint.

Subsequently, Mr. Schrems appealed the DPC’s decision before the Irish High Court. This case was ultimately brought before the European Court of Justice (“ECJ”) for a preliminary ruling ('Schrems I') and resulted in the invalidation of the Safe Harbor Framework. Following this, the Privacy Shield was approved and adopted in 2016, as the mechanism for the safe transfer of data between the EU and the US; however, the US surveillance laws remained unchanged. During this time the social media company also adopted the use of SCCs, as its legal bases for the transfer of data between the EEA and the US.

As a result of the adoption of SCCs, in 2015, Mr. Schrems reformulated his data protection complaint to the DPC, arguing that the "adequate protection" required under the SCCs and GDPR, could not be achieved due to US surveillance laws. Whilst the DPC agreed, they did not take action, and in order to gain clarity, instead brought proceedings before the High Court to request a preliminary ruling by the ECJ on the validity of the use of SCCs for data transfers by the social media company.

The case was subsequently brought back before the ECJ ('Schrems II') on July 9, 2019. The outcome of this hearing has not yet been delivered, however the AG on December 19, 2019, announced his non-binding opinion on which direction the he believes the ECJ should make it’s judgement. It is important to note, that only in rare circumstances does the ECJ deliver a judgement that is substantially different to the AG’s opinion. As such, it is likely (but not a foregone conclusion) that the ECJ will deliver a judgement in line with the AG’s opinion.

AG’s Opinion

In summary, the AG announced that his opinion was that the mechanism of “standard contractual clauses for the transfer of personal data to processors established in third countries is valid (emphasis added).

SCCs offer an adequate level of protection

The opinion noted that, even where the European Commission has not reached a decision confirming the adequacy of a third country’s data protection levels, it is still possible for the data controller to proceed with the transfer on the premise that the appropriate safeguards are put in place. Such appropriate safeguards could include a contractual arrangement between the transferor and transferee of the data, that contains particular standard protection clauses that have been established in a European Commission decision. Both mechanisms achieve the aim of data protection legislation in the EU, namely; ensuring “the rights of the persons whose data are transferred benefit, as in the context of a transfer based on an adequacy decision, from a level of protection essentially equivalent to that which follows from the GDPR”.

It was noted in the opinion, that the SCCs adopted by the European Commission, provide an important mechanism “applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”, and the fact that these SCCs are not binding on third country authorities, does not render SCCs, as a data transfer mechanism, invalid.

Nonetheless, data controllers still have an obligation

The AG noted that despite the SCCs, in his opinion, being a legitimate mechanism for transferring data, there must be “sufficiently sound mechanisms” to ensure that there is the possibility to suspend or prohibit transfers, when clauses of the SCCs are breached or compliance with them is infeasible, such as where third countries local legislation is in direct conflict with EU privacy laws.

Consequently, the AG stated that there is an onus on data controllers, in this case the social media company, to ensure that transfers are prohibited or suspended in the instance of conflicting obligations; such as, where data is being sent to a destination where it cannot be adequately protected in accordance with the SCCs. The AG went on further to note that, in the absence of action being taken by the data controller, the obligation lies with the Supervisory Authorities, in this instance the DPC, to ensure this mechanism is being utilised appropriately, and if necessary, suspend and/or prohibit the data transfers in question if it is not.

Will this affect the Privacy Shield?

The AG noted that the dispute in the Schrems II case does not necessitate the ECJ to look at the validity of the Privacy Shield system. Nonetheless, the AG details his reasons for questioning the validity of the Privacy Shield system that has developed from case law. The AG noted how such a system was difficult to align with the “right to respect for private life and the protection of personal data” and “the right to an effective remedy”, owing in part, to the surveillance legislation in place in the US, which conflicts with those rights.

On the horizon

As previously noted, although the AG’s opinion is not binding on the ECJ, the opinion is often followed by the Court and therefore, the opinion of the AG, as an influential advisor of the Court, could be construed as a strong indication of the probable outcome. If the AG’s opinion is followed, it will be up to the DPC to suspend the social media company’s use of SCCs. It is likely that this will have ramifications for the social media company’s operations, along with a staggering number of other organisations who, as part of their integral business functions, rely on SCCs as the mechanisms by which to conduct data transfers outside of the EU to destinations, where local legislation may be in direct conflict with those protections.

Alternatively, although unlikely, the ECJ may rule that the SCCs are in fact legally invalid. This would, in all likelihood, cause extensive issues given the widespread reliance on the SCCs for data transfers to the US and other third countries. The response to this could mirror the invalidation of the Safe Harbour Framework and could signal the need for a new mechanism to be devised. Further, whilst the Privacy Shield was not the mechanism adopted by the social media company in the Schrems II case, and therefore the AG’s position on the matter does not have an impact on the case at hand; if the view of the AG is taken into account in other proceedings, for example, those brought by French organisation La Quadrature du Net before the General Court of the EU, then the ramifications for data transfers between the EU and the US could be widespread.

There is a disparity between the level of protections afforded to data and data privacy throughout the world and so far, international contracts and agreements have been utilised to bridge the gap between these varying standards. The invalidity of such international contracts and agreements as data transfer mechanisms to third countries could have substantial effects and cause a great degree of disruption. Organisations would be left without a mechanism to legitimise data flows on an international scale; as such, these data flows which may be integral to the successful operation of their business’, may be impacted by temporary suspensions, until a resolution is found.

It remains to be seen how the ECJ decide this long standing dispute, however it would be wise for organisations who may be affected by the ECJ’s ruling, if they haven't already, to identify data flows that may be impacted if the ECJ make a ruling of invalidity and consider whether alternative data transfer mechanisms are available.

by Emma Rigby Trainee Solicitor, Cyber Security & Data Protection, PwC United Kingdom

Email +44 (0)7483 434643

by Richard Hall Senior Associate, Data Protection Strategy, Legal and Compliance Services

Email +44 (0)7483 407825