The Court of Justice of the European Union (“CJEU”) has invalidated the EU-US Privacy Shield in its judgment delivered on 16th July, 2020 (“Schrems II case”). It held that the Privacy Shield can no longer serve as a legal instrument permitting the transfer of personal data from the European Union (“EU”) to the United States of America (“US”). Therefore, any transfer of personal data between the EU and the US that relies on the Privacy Shield is held to be illegal. However, the CJEU considered that Standard Contractual Clauses (“SCC”) remain valid for the transfer of personal data to processors established in third countries, provided the contractual obligations under the SCC are complied with.
Transfers of Personal Data
The General Data Protection Regulation (“GDPR”) ensures that personal data is protected in the EU, and this protection must also be accorded when personal data is transferred outside the EU. Transfers of personal data to any third country that provides an adequate level of protection are permitted under the GDPR. The level of protection is assessed by the European Commission on the basis of whether the laws and regulations of the third country are essentially equivalent to the protection provided under the GDPR. If adequate protection is not provided by the third country, the exporting data controller is responsible for implementing appropriate safeguards to permit the transfer.
Typically, such appropriate safeguards take the form of a contractual agreement containing the SCC set out in the European Commission decision of 5th February, 2010, to ensure adequate protection of personal data transferred outside the EU. The Schrems II case questions the validity and the level of protection provided by the Privacy Shield scheme as well as by the SCC mechanism.
Safe Harbour Scheme
In 2013, a complaint was filed with the Irish Data Protection Commission (“IDPC”) challenging the transfer of personal data of EU citizens by Facebook (Ireland) to Facebook Inc. in the US. After the revelations by whistle-blower Edward Snowden about the methods used by US national security agencies, it was argued that the US does not have any legislation offering adequate protection against surveillance of data transferred to that country. In view of such insecurity, it was requested that any transfer of EU citizens’ data to the US be suspended. When the IDPC rejected these submissions, the complainant approached the Irish High Court, which referred the questions to the CJEU for a preliminary ruling.
Subsequently, on 6th October, 2015, the CJEU delivered its judgment in the case of Maximilian Schrems v Data Protection Commissioner (“Schrems I case”), which invalidated the EU-US Safe Harbour Scheme, the predecessor of the EU-US Privacy Shield. It also observed that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
EU-US Privacy Shield
The US soon renegotiated with the EU and framed the EU-US Privacy Shield, promising protection for the data of EU citizens transferred to the US. This framework was adopted on 12th July, 2016, after the European Commission approved it. In operation, however, the Privacy Shield framework failed to address the lack of legislation in the US respecting and guaranteeing the privacy of personal data. Hence, the matter was subsequently referred back to the Irish High Court to determine the validity of the SCC, and a new set of questions was referred to the CJEU on whether the EU-US Privacy Shield was adequate to protect EU citizens’ personal data overseas. Under EU data protection law, especially the GDPR, a transfer of personal data for commercial purposes by an economic operator is valid. The data transferred to an operator in a third country can also be processed by the authorities of that country for purposes of public and state security. However, this cannot be misused so as to hinder the fundamental rights of EU citizens guaranteed under the Charter of Fundamental Rights of the European Union (“Charter”).
When assessing the level of protection, the CJEU looked both at the relevant aspects of the legal system of the third country in complying with the respective obligations and at the correct application of the SCC under the transfer contract. Additionally, any transfer of data to a third country that does not comply with the data protection obligations required by EU law can be suspended or prohibited by the supervisory authorities. Therefore, in the light of the requirements of the GDPR and the provisions of the Charter, the CJEU declared the EU-US Privacy Shield invalid.
It was noted that US data protection provisions interfered with the fundamental rights of persons whose data are transferred to the US under the ambit of US national security, public interest and law enforcement. In addition, the lack of limitations on the power of such surveillance programmes and the insufficient guarantees for non-US citizens hinder judicial protection against interference by US authorities. The European Commission held the binding nature of EU data protection laws on the US authorities, since the laws of the US “do not grant data subjects actionable rights before the courts against the US authorities”. Therefore, the Privacy Shield decision cannot ensure a level of protection essentially equivalent to that arising from the Charter, contrary to the requirement in Article 45(2)(a) of the GDPR, under which a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have “effective and enforceable data subject rights.”
In an era of digitalised society, strong policies and frameworks are required to protect one’s data against the risk of being compromised or misused. However, owing to the lack of adequate safeguards under the US data protection regime, the EU-US Privacy Shield can no longer be used for the transfer of personal data from the EU to the US. The transfer can still take place using the SCC if the contractual obligations can be fulfilled without interruption by US surveillance laws. Although the rule of the SCC is uniform for all relevant third countries other than the US that receive personal data of EU citizens, the supervisory authority can assess the transfer contract on a case-by-case basis.
Such a strong stance by the EU might prove beneficial and in the interest of its citizens, but it has significantly disrupted the functioning of data transfers across jurisdictions. The CJEU decision will require companies previously relying on the Privacy Shield as the basis for those transfers to reassess their data transfers immediately. The transfer route has not been completely closed (since contractual transfers under the SCC are allowed), but companies in such transactions will have to formulate new policies complying with the data protection laws of the EU. This will change the data transfer route from the EU to other third countries while maintaining the integrity and sanctity of personal data.
Even though the decision in the Schrems II case applies only to the EU-US Privacy Shield, it might jeopardise the Swiss-US Privacy Shield scheme as well, since that scheme was based on the former. The Swiss Data Protection Commission had discontinued the Swiss Safe Harbour Framework following the decision of the CJEU invalidating the EU Safe Harbour scheme in 2015. Thus, this decision might become a stepping stone for the US to change or amend its surveillance laws and to monitor the activities of its intelligence agencies. Meanwhile, any alternative data transfer method adopted by companies must respect the fundamental rights of EU citizens granted under the Charter and comply with EU data protection laws.
Umang Motiyani, 5th Year, ILS Law College, Pune