Schrems II on standard contractual clauses and privacy shield

In its decision announced on 16 July 2020, the European Court of Justice (ECJ) found that standard contractual clauses (SCCs) are valid.

16 July 2020

The judgement is broadly interpreted as a relief for companies that rely on such contractual agreements to share data overseas without falling foul of European data protection laws.

On the other hand, the Court struck down the EU-US Privacy Shield Decision because of the surveillance possibilities open to US intelligence services.

Summary of the judgement

According to the judgement, SCCs are a possible way to transfer personal data to a recipient outside the EU/EEA in compliance with GDPR requirements. However, the ECJ argues that such contractual agreements can, in general, be valid only if they include effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law. In addition, transfers of personal data are to be suspended or prohibited if the SCCs are breached or it is impossible to honour them.

With regard to the Privacy Shield Decision, the Court is of the view that the limitations on the protection of personal data (arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country) are not circumscribed in a way that satisfies requirements that they be essentially equivalent to those required under EU law, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. The Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. As a consequence, the Court finds that the Privacy Shield Decision is invalid.

Practical steps to be taken

Given that SCCs are the key data transfer mechanism used by many organisations to transfer personal data outside of the EU, this decision has far-reaching repercussions and should be welcomed by companies across the globe. If the decision had not been in favour of SCCs, almost all data transfers to third countries would have been affected.

The decision is also important for another reason: in the context of the UK's withdrawal from the EU, most businesses have implemented SCCs as part of their Brexit preparations. Based on today's decision, organisations will be able to continue to rely on those SCCs for transfers of personal data from the EU to the UK after Exit day.

However, it should not be ignored that the Court annulled the Privacy Shield Decision because the surveillance measures to which US intelligence services are entitled are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.

That being said, companies would do well to assess whether and to what extent they rely on the Privacy Shield Decision today and implement replacement mechanisms.

At first glance, SCCs may appear to be the right alternative. Even so, in view of the Court's clear words, it must be carefully considered whether the law of the jurisdiction outside of the EU/EEA ensures adequate protection, under EU law, of personal data transferred pursuant to SCCs.

Given that the present decision by the ECJ is a so-called preliminary ruling, the Irish court, competent to handle this case, will now have to judge for itself whether Facebook Inc. can guarantee through its SCCs that personal data of its users may not be abused by US intelligence services.

Outlook

Although the Court reinforced the role that data protection commissioners already have in policing the adequacy of standard contractual clauses, it is impossible to predict how the competent data protection authorities will deal with the judgement. It is to be expected that there will be a kind of grace period (as there was when Safe Harbour was cancelled) before there is related enforcement action, during which organisations will have some time to replace old regimes with alternative mechanisms. Nevertheless, there is no reason to neglect the importance of data protection compliance in the company, nor the urgent need for continuous monitoring.

Data exchange with and to the United States has become an integral part of daily business in the globalised world of the 21st century. It is therefore now a challenge for both sides, the EU and the US, to work on finding a solution that not only provides a legally secure way for companies to transfer data to the US, but also respects the fundamental rights of EU citizens as highlighted in the ECJ judgement today.
