The European Court of Justice (ECJ) has given its preliminary ruling on the questions raised in the Schrems case (C-311/18)1, which was referred up by the High Court in Ireland.
The ECJ determined that previous rulings on the adequacy of controller to processor standard contractual clauses (SCCs) were indeed valid.
However, previous rulings on the adequacy of the protection afford by the EU-US Privacy Shield are now invalid.
Under the GDPR (General Data Protection Regulations), the transfer of personal data from within the EU to a third country (or a country outside the EU) is prohibited, unless certain requirements are met.
Generally, the transfer may only take place where one of the following applies:
- The transfer is to a country where a European Commission decision has been made as to the adequacy of that country’s data protection provisions (sometimes known as an ‘adequacy decision’)
- Sufficient safeguards are in place, such as SCCs (but only to the extent that data subjects have enforceable rights and legal remedies under those safeguards)
- A derogation applies for that specific situation – for example, the data subject has given their explicit consent to the processing
(Article 45-49 GDPR)
In 2015, an Austrian lawyer (Mr M Schrems) successfully challenged the validity of the EU-US ‘Safe Harbour’ agreement as a basis for transferring personal data from within the EU to the US. The European Commission adopted a replacement in 2016, known as the EU-US Privacy Shield, allowing such cross-border transfers within this adequacy decision.
Mr Schrems, still not convinced, re-submitted his complaint to the Irish DPC (Data Protection Commissioner), arguing that the new Safe Harbour agreement still didn’t go far enough in protecting the rights of the data subject whose personal data had been exported to the US. The complaint was referred to the High Court which in turn referred 11 questions up to the ECJ, on the topics of both SCCs and the EU-US Privacy Shield.
In relation to SCCs, the ECJ ruled that the validity of previous decisions on this matter was not called into question by the fact that SCCs do not bind public authorities in third countries. An assessment should be carried out in each case of a cross-border transfer outside the EU, to confirm that the third party country does indeed have adequate protections in place for the SCCs (without any further safeguards in place) to be sufficient.
However, in relation to the EU-US Privacy Shield, the ECJ ruled that the limitations which are imposed by US domestic law (specifically in relation to surveillance for the purposes of national security and law enforcement), take precedence in the US in such a manner as to interfere with the rights of data subjects under the GDPR.
The limitations on the protection afforded to personal data processed within the US, the ECJ found, did not satisfy the requirements under the GDPR.
Whilst controller- processor SCCs do remain valid, there is an additional requirement to now assess whether there are appropriate safeguards in the third country which the data is being transferred to. If there are not appropriate safeguards, it may be that further contractual obligations need to be put in place with your third country processor.
In all cases, the data controller will need to carry out an assessment of their data processing activities, where those activities see data transferred to the US, to confirm that the SCCS in place are indeed sufficient, or whether additional protective mechanisms for securing personal data need to be put in place.
There is no grace period for this ruling and as such, if the EU-US Privacy Shield has been relied on as your sole basis for cross-border personal data transfers from the EU to the US, now is the time to review your data protection position and ensure that you are compliant with the GDPR going forwards.
The UK is currently in talks with the EU in relation to its own adequacy status, which will be relevant when the Brexit transition period comes to an end on 31 December 2020. The transfer of data from the UK to the US for global industries such as travel looks to be an area of significant future discussion
- Confirm by reference to your supplier/agency/wholesale agreements how your customers’ personal data is being processed and on what basis.
If you have any questions about GDPR, including the changes brought about by this decision;
Contact firstname.lastname@example.org or call 0113 258 0033.
1Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (case C-311/18) EU:C:2020:559 (16 July 2020)