EUROPEAN COURT OF JUSTICE LANDMARK JUDGEMENT STRIKES DOWN EU-US PRIVACY SHIELD

For the second time in nearly five years, the European Commission’s adequacy decision relating to the United States has been invalidated, the EU-US Privacy Shield has been struck down.

On 16 July 2020 in the CJEU (Court of Justice of the European Union) / ECJ (European Court of Justice) the landmark judgement and ruling of the Grand Chamber[1] confirmed the criticisms of the Privacy Shield, which had been expressed on a number of occasions by the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB)[2], striking down the Privacy Shield and passing judgements on other elements used in the processing of personal data in third countries.

The striking down of the Privacy Shield means that the United States as a ‘third country’ is not considered a country with a data protection legal framework that offers equivalent protections of the rights of EU data subjects, to that of the European Union (EU) and therefore, no longer on the adequacy list[3].

Organisations processing the personal data of EU data subjects as defined under the EU General Data Protection Regulations (GDPR), in third countries not on the adequacy list and outside of the EU/EEA (European Economic Area), are legally required to put in place ‘appropriate safeguards’[4] that ‘ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union’[5] effectively ‘affording a level of protection essentially equivalent to that guaranteed within the EU by the GDPR’[6].

These appropriate safeguards include the use of Standard Contractual Clauses (SCC)[7] and these are designed to place legal obligations on data controllers and processors, with ‘enforceable data subject rights and of effective legal remedies’[8]. The decision of the ECJ in their ruling on the Privacy Shield also considered the use of SCC for the purpose of processing in third countries[9]. The use of SCC was found to be valid for the purpose but – and it is a big ‘but’, there were clarifications as to when and how their use could be made which narrowed considerably the validity of SCC.

When electing to use SCC, an organisation (controller or processor) processing the personal data of EU data subjects in a third country need to ensure that the SCC used is enforceable and that the EU data subject’s rights, data privacy and protection afforded by their use, cannot be undermined or weakened by the third country’s legal framework thereby granting the EU data subject equivalent protection.

One of the reasons for striking down the Privacy Shield by the ECJ was that it gave no protection when EU data subjects’ personal data was being processed by organisations, within or outside of the Unites States, that were subject to US surveillance laws or FISA 702 (the Foreign Intelligence Surveillance Act which applies to electronic communication service providers only). If processors were subject to either of these, the ECJ found that US law would have primacy[10], and this would in effect annul the protection of EU data subjects’ personal data.

This principle of US surveillance law and FISA 702 having primacy applies equally to SCC[11] however, only those SCC arrangements where the US organisation (controller or processor) is subject to these laws. This now means that SCC should only be used where the US organisation IS NOT subject to US surveillance laws or FISA 702. Sectors like banks, hotels, airlines, shipping, sales of goods, etc. are not believed to be covered by US surveillance laws or FISA 702 however, a clarification by the US would be needed to confirm this.

A risk for controllers or processors who intend to and/or believe that they can rely on SCC is that they will have to be able to prove (i.e. document) that the US organisation is not subject to US surveillance laws or FISA 702. A further caution here is that if the controllers or processors find that the  US organisation is not subject to US surveillance laws or FISA 702, they should consider that many US organisations outsource services to other providers therefore, even though the US organisation subject to the SCC may not be subject to these laws, their service providers may be subject to US surveillance laws or FISA 702 and, controllers and processors will need to look at all the US organisations’ service providers, and possibly further along the supply chain, to be certain that SCC can be lawfully and successfully used.

A similar issue therefore arises where an EU/EEA controller or processor processes the personal data of EU data subjects with an EU subsidiary of a US parent organisation. The EU subsidiary of the US parent may also be subject to US surveillance laws or FISA 702. The EU subsidiary of the US parent will equally have to review all internal data flows so as to identify all EU data subjects’ personal data flows to the US and should also consider ensuring that the personal data remains within the EU/EEA and is not transferred to the US parent.

The European Data Protection Board (EDPB) has stated that it ‘will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment’[12]. We will watch, read and report further in due course however, all organisations transferring the personal data of EU data subjects to third countries, and in particular the US following this ruling, should also revisit their corporate risk register, and any completed assessments for personal data flows such as their DPIAs (data protection impact assessment).

The ECJ’s decision is likely to see a greater activity by Supervisory Authorities as the judgement provided ‘clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries’ as acknowledged within the statement of the European Data Protection Supervisor[13].

The shockwave from the ECJ’s ruling is and will be far-reaching. There is still much to analyse and understand from the ruling, and there is every likelihood that there will be an examination of the use of BCR (Binding Corporate Rules) in due course which may hold similar discovery and implications for controllers and processors.

Notes

With special  thanks to: Christopher Schmidt, CIPP⁄E CIPM CIPT CBSA, Tara TAUBMAN-BASSIRIAN LLM, and Michael Clohisy for their review and feedback on the writing of this article.

[1] C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, [2020] CJEU

[2] EDPS, ‘EDPS Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”)’ (Statement, 17 July 2020) <https://edps.europa.eu/press-publications/press-news/press-releases/2020/edps-statement-following-court-justice-ruling-case_en> accessed 18 July 2020

[3] European Commission, ‘Adequacy decisions’ <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en> accessed 18 July 2020

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, art 46.1

[5] n4. rec 108

[6] Court of Justice of the European Union, ‘The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield’ (press release No 91/20, 16 July 2020) para 8

[7] n4. rec 108

[8] n4. rec 108

[9] n1. paras 26-41

[10] n6. para 12

[11] n6. para 12

[12] European Data Protection Board, ‘Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems’ (Statement 17 July 2020) <https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_hu> accessed 20 July 2020

[13] n2. para 4