In a landmark judgment delivered on 16 July 2020, the Court of Justice of the European Union (CJEU) upheld the validity of Standard Contractual Clauses (SCCs) as a way for companies to transfer personal data to non-EU ‘third countries’, subject to important caveats on their use in practice.
However, it declared that the EU-US Privacy Shield (the Privacy Shield) which facilitates the transfer of personal data between Europe and the United States to be invalid.
In October 2015, Maximillian Schrems successfully challenged the validity of the EU-US safe harbour arrangement as a legal basis for transferring personal data from Facebook Ireland to servers belonging to Facebook Inc located in the US. Following this, the European Commission adopted the Privacy Shield for EU-US personal data flows. Mr. Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC) claiming that the US did not offer sufficient protection for personal data transferred to the US and sought the suspension or prohibition of the transfer of his personal data from the EU to the US, which Facebook Ireland had carried out pursuant to the (controller to processor) SCCs. Following legal action by the DPC, the Irish High Court referred a number of questions to the CJEU.
What are SCCs?
SCCs are model data protection clauses that have been approved by the European Commission. They contain contractual obligations on the company transferring the data (data exporter) and the non-EU recipient of the data (data importer) and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. There are two sets of SCCs for transfers between an EU controller and a non-EU controller, and one set between an EU controller and a non-EU processor.
Key points of judgment
- The CJEU held that the (EU controller to non-EU processor) SCCs establish effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law. It also pointed out that the SCCs imposed an obligation on the data exporter and the data importer to verify, before any transfer takes place, whether the non-EU country meets the level of protection required by EU law. If the data importer informs the data exporter of any inability to comply with the SCCs, the data exporter must suspend the data transfer or terminate the contract.
- Regarding data protection authorities' obligations, the CJEU held that, unless there is a valid European Commission adequacy decision, data protection authorities are required to suspend or prohibit the transfer of personal data to a non-EU country where they consider that SCCs are not, or cannot be, complied with in that country and the level of protection required by EU law cannot be ensured by other means.
- In relation to the validity of the Privacy Shield, the CJEU held that the limitations on the protection of personal data arising from US domestic law on the access and use by US public authorities of such data transferred from the EU are “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary”.
- Although the Privacy Shield provided an Ombudsperson mechanism to satisfy the requirement of judicial protection, the CJEU held that this was insufficient as the provision did not provide individuals whose data is transferred to the US any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, so as to ensure the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on US intelligence services.
What should companies do now?
If companies transfer personal data to a non-EU country based on SCCs (or plan to do so), while they remain valid, companies will need to assess whether the level of protection for personal data as required by EU law is respected in that non-EU country. Companies that currently rely on the Privacy Shield to transfer personal data to the US will need to find alternative transfer mechanisms such as the use of Binding Corporate Rules or seek to rely on the derogations for specific situations, such as individuals' consent.
While we await guidance from the Irish data protection authority and/or the European Data Protection Board, companies should immediately review their data transfer mechanisms and consider what steps they may need to take in light of the CJEU judgment.
To discuss how the above will impact your business, please contact Maureen Daly or your usual Beauchamps contact or your usual Beauchamps contact.