On the 11th July 2020, the European Court of Justice (ECJ) delivered its judgement in the case Data Protection Commissioner v Facebook Ireland Limited. One of its main findings was that the EU-US ‘Privacy Shield’, a means of transferring personal data from the EU to the US, is invalid with immediate effect, as it does not meet the standard of protection guaranteed by the GDPR.
Original Complaint by Max Schrems
In June 2013, Edward Snowden revealed the extent to which surveillance was carried out by the US National Security Agency (NSA) which allowed it access to data collected by many of the leading technology companies. Following these revelations, an Austrian student, Max Schrems, lodged a complaint against Facebook with the Irish Data Protection Commissioner, regarding the transfer of his personal data to the US.
The Irish Data Protection Commissioner argued that any data gathered and transferred to the US by Facebook (headquartered in Ireland) was lawful by virtue of the Safe Harbour Convention, which was the EU’s adequacy agreement in place with the US, at that time.
This contention was challenged by Mr Schrems in the Irish High Court and the case was referred to the ECJ (‘Schrems I’), which ultimately ruled in 2015 that ‘Safe Harbour’ was unfit for purpose.
Subsequently, a new regime - the EU/US ‘Privacy Shield’ - was approved by the EU Commission and came into effect on the 12th July 2016. It required the US to more robustly monitor and enforce EU privacy rules and to deepen cooperation with European regulators.
‘Privacy Shield’ Adequacy Decision
The GDPR imposes specific obligations on data controllers when transferring personal data from the EEA to a third country. The first consideration is to determine if there is an adequacy decision (Article 45) in place in respect of that country. An adequacy decision means that the European Commission has decided that a third country or an international organisation ensures an adequate level of data protection and can be trusted to receive the data of EU citizens.
The effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary. In other words, the transfer is the same as if it was carried out within the EU. The EU/US ‘Privacy Shield’ adequacy decision of 2016 fulfilled that GDPR requirement for 4 years, up to its invalidation by the ECJ (Schrems II) in July 2020.
Standard Contractual Clauses
Prior to the ‘Privacy Shield’ coming into force in July 2016, Mr Schrems had updated his original (2013) complaint with the Data Protection Commissioner regarding the use of Standard Contractual Clauses, which were being used as a substitute for the invalidated ‘Safe Harbour’ mechanism.
In the Schrems II judgement of July 2020, the ECJ confirmed the validity, in principle, of the use of Standard Contractual Clauses (SCCs) for the transfer of personal data from the EEA to third countries. However, the endorsement of SCCs was not unqualified.
The court specified that companies that depend on SCCs for the legitimate transfer of personal data must carry out an assessment regarding the security of the data prior to it being transferred to a third country, to ensure “essential equivalence” of protection to that which it enjoys within the EU.
Impact of the Judgement
Since the ruling (July 2020), organisations engaged in transfers of personal data to a third country have had to take the following actions:
Those that had previously relied on ‘Privacy Shield’ to transfer personal data to the US had to seek an alternative mechanism to do so;
Organisations that had been using or started to use Standard Contractual Clauses to transfer personal data to a third country have to carry out an assessment prior to making a transfer under this mechanism. Such assessment must include factors which might potentially impinge on the terms of the clauses;
National supervisory authorities are required to act to suspend or prohibit data transfers to third countries pursuant to Standard Contractual Clauses if such authority forms the view that the terms of the contract are not or cannot be complied with by the third country in respect of the personal data.
In August 2020, the Data Protection Commission (DPC) informed Facebook Ireland, where the organisation’s European headquarters is located, of a preliminary draft decision that personal data should not be transferred to the US parent, Facebook Inc.
The DPC said it had arrived at a draft preliminary decision that data transfers outside of the EU should be suspended as they were made in circumstances that fail to guarantee a level of protection to data subjects equivalent to that provided for in EU law. Arising out of the decision, Facebook Ireland has initiated High Court proceedings, seeking to have that decision quashed.
It is expected that global data protection authorities will take a gradual approach to enforcement of Schrems II. While waiting for regulatory guidance, it is recommended that organisations use this period to ensure compliance with ongoing obligations and prepare for future international data transfer methods.