CJEU Decision in re Schrems II

Abstract

New Hurdles for Data Transfers to the USA

The Court of Justice of the EU (CJEU) today issued its long-awaited decision in re Schrems II (C-311/18).1 The decision addresses the permissibility of the transfer of personal data to the USA and other countries without adequate data protection laws on the basis of the EU-U.S. Privacy Shield and the EU standard contractual clauses. The CJEU declares the Privacy Shield invalid. Companies that base their data exports on the Privacy Shield must therefore rely on another basis in the short term. In principle, the standard contractual clauses may still be used, but they must be examined on a case-by-case basis, in particular with regard to the access rights of the authorities in the country of destination. With regard to exports to the USA, developments in the coming days and weeks must be monitored and further careful consideration of the CJEU’s decision is needed.

The main findings of the decision

  • The EU-U.S. Privacy Shield can no longer serve as a basis for the transfer of personal data from the EU to the USA. The reason for this are the comprehensive surveillance measures of the USA, which according to the CJEU are not sufficiently limited by the Privacy Shield.
  • In contrast, the standard contractual clauses approved by the EU Commission are valid and can in principle be used for data exports to countries without an adequate level of data protection.
  • However, the CJEU makes an important reservation concerning standard contractual clauses: The data exporter cannot use the standard contractual clauses indiscriminately, but must verify on a case-by-case basis whether compliance with the standard contractual clauses is guaranteed in the recipient country. In particular, governmental access rights must be taken into account: Provided that these rights do not go beyond what is necessary in a democratic society to safeguard public security, such access rights are unproblematic. However, if it turns out that despite agreeing on the standard contractual clauses with the data importer, an adequate level of data protection is not achieved in the country of destination, the export should be suspended. This may be the case, in particular, if mass surveillance is carried out in the country of destination, which is not compatible with the principles of a democratic society.
  • The CJEU decision raises doubts as to whether the standard contractual clauses can be used in the future as a basis for data transfers to the USA. The CJEU has not ruled on this question. However, it argues that the U.S., surveillance measures conflict with European data protection law, as the U.S. surveillance programs are not limited to what is absolutely necessary.

Effects of the decision

In addition to the obvious consequence of the abolition of the privacy shield, the CJEU’s decision also makes data exporters and supervisory authorities responsible: data exporters may continue to use the standard contractual clauses, but they can no longer use them indiscriminately for exports to any country of destination. Instead, they must verify on a case-by-case basis whether the standard contractual clauses can be complied with. The CJEU is thereby creating new hurdles and uncertainties for data transfers to third countries, in particular to the USA. It can be assumed that data exports under the standard contractual clauses will require more attention in the future.

However, due to the importance of the standard contractual clauses for the transfer of data to third countries, it is above all the supervisory authorities who are called upon to act: They must now quickly clarify whether, in which cases and, if necessary, with which additional measures the standard contractual clauses can still be used in the medium term for data transfers to the USA and other countries with comparable surveillance programs. A coordinated approach at European level seems urgently necessary here.

Finally, the CJEU’s decision also sends a signal to the USA: The CJEU is not willing to settle for the limited improvements of the Privacy Shield compared to the former Safe Harbor Framework. The CJEU is thus increasing the pressure on the USA to make further concessions with regard to the protection of the personal rights of individuals in the EU in order to guarantee the transatlantic transfer of data, which is important for the economy.

Relevance for Swiss companies

The CJEU decision also has implications for Swiss companies. These too base their data exports largely on the standard contractual clauses also recognized by the Federal Data Protection and Information Commissioner (FDPIC). Switzerland also has the Swiss-U.S. Privacy Shield, which corresponds to the EU-U.S. Privacy Shield, which has now been declared invalid.

With regard to the Privacy Shield, it can be assumed that the FDPIC will also declare data exports on the basis of the Swiss-U.S. Privacy Shield to be inadmissible and adapt its list of countries with adequate data protection laws accordingly. It can therefore be assumed that in the short to medium term Swiss companies will no longer be able to rely on the Swiss-U.S. Privacy Shield for data exports.

With regard to standard contractual clauses, the situation in Switzerland under the Data Protection Act (DPA) is comparable to the one under the EU General Data Protection Regulation (GDPR): data transfers to third countries are permitted under art. 6 para. 2 lit. a DPA if «sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad». Swiss companies can therefore generally rely on the standard contractual clauses when exporting personal data to third countries. However, here too, intervention is required if there is reasonable doubt as to whether the data importer is complying with the standard contractual clauses.

Need for action

Companies that base data transfers to the USA on the EU-U.S. Privacy Shield will have to put these transfers on a new basis. The same is recommended to companies in Switzerland who base their data transfers to the USA on the Swiss-U.S. Privacy Shield.

The standard contractual clauses are an alternative. Here, the concerns of the CJEU must be taken into account: If the standard contractual clauses cannot be complied with by the data importer, the export must be suspended.

We advise companies that base their data exports from Switzerland to the USA on the standard contractual clauses to adopt a cautious approach in the short term. It is hardly imaginable to stop all these data exports from one day to the next, and in our opinion there is no immediate need for this either from a Swiss perspective or under the GDPR. It can be assumed that the European supervisory authorities and the FDPIC will soon issue guidance on the matter. Consequently, developments must be monitored and a reaction will be necessary if there is a change in practice. To this end, it must be made clear which contracts would have to be adapted, if need be, if there were any changes in practice with regard to the standard contract clauses and their application.

The background to the decision

The background to the decision is a dispute between Facebook and Maximilian Schrems regarding data transfers from Facebook Ireland to the USA. Facebook Ireland has based its data transfers to the USA on the standard contractual clauses since the CJEU’s annulment of the Safe Harbor Framework.2 This means that the U.S. Facebook entity has committed itself to Facebook Ireland to respect European data protection laws. Maximilian Schrems applied to the Irish data protection authority to prohibit the further transfer of his personal data by Facebook Ireland to the USA. He argued that the standard contractual clauses cannot serve as a basis for such transfer due to conflicting U.S. law.

Footnotes:

1 Judgment of the CJEU of July 16, 2020, Case C-311/18, available here: https://bit.ly/2ZADzY4 (visited on July 16, 2020).

2 Judgment of the CJEU of October 6, 2015, Case C-362/14, available here: https://bit.ly/3exrXcD (visited on July 16, 2020).

If you have any queries related to this Bulletin, please refer to your contact person at Homburger or to: