Irwin Mitchell Comments On Significance Of Ruling
In one of the most highly anticipated court cases of the year, the CJEU has confirmed that for now, Standard Contractual Clauses (“SCCs”) live to fight another day but the EU-US Privacy Shield has been invalidated.
What are transfer mechanisms and why are they needed?
Personal data can only be exported outside of the EEA if certain protections are in place. The purpose of those protections is to ensure that the people concerned are still protected and can still exercise their rights when personal data is transferred to a non-EEA country.
There are a number of different permitted mechanisms. Aside from a non-EEA country being declared adequate, the most commonly known are the EU-US Privacy Shield and the SCC’s. The EU-US Privacy Shield replaced the previous Safe Harbour principles and allows for the export of personal data to US companies who are signed up to the EU-US Privacy Shield as it deems their protection of personal data adequate. The SCCs, otherwise known as model clauses, are clauses approved by the European Commission as offering sufficient safeguards to personal data being exported internationally.
Background to where we are now
Data export has been a contentious issue for a number of years and privacy campaigners have been working to get some of the grounds for legitimising data export declared invalid.
Max Schrems is a well-known privacy activist, who was previously successful in having Safe Harbor declared invalid in the case known as Schrems I in 2015.
Since then the transfer of personal data to third countries outside of the EEA has remained under the limelight and doubts have remained over whether there is adequate protection of personal data being exported both under the EU-US Privacy Shield and by SCCs.
Schrems II is the latest challenge brought by Max Schrems against Facebook Ireland Ltd. The case called into question the lawfulness of Facebook Ireland’s transfer of EU citizens’ personal data to Facebook Inc. in the US on the basis of SCCs. The Irish High Court referred the question to the CJEU who have released their judgment.
The CJEU issued the long-awaited judgment in Schrems II. We don’t want to leap to making assertions about its impact until we have fully digested the judgment, but based on our initial reading the main highlights so far seem to be that:
• Privacy Shield is invalid – this is no surprise given the criticisms made of it almost since its inception
• The so-called SCCs or model clauses remain valid of themselves, but in the absence of an adequacy decision they may not be enough to validate an international transfer if the laws of the destination territory are such that the SCCs cannot be fully complied with.
• If the SCCs cannot be complied with then the transfer cannot take place on the basis of the SCCs.
• Supervisory authorities may be required to suspend international transfers to a territory on the basis of the SCCs if they are not satisfied that the SCCs can be complied with under the laws of that territory.
The question, then, seems to be whether the laws of key external territories, including the USA and a post-Brexit UK, will allow full compliance with the SCCs.
Expert Opinion"This ruling has arguably prevented many headaches for organisations who transfer data using SCC’s. For the time being, it provides some comfort that SCC’s are still a valid means of transfer but further highlights that a case by case analysis is needed to meet data protection requirements.
"For UK organisations in particular that are not yet prepared for the end of the transition period, it is now time to urgently get your ducks in a row and put in place SCC’s to ensure the continued legitimate transfer of your personal data outside of the UK to the EU once the transition period ends.
"The invalidation of the EU-US Privacy Shield by the CJEU will undoubtedly create uncertainty and we anticipate it will have an impact on data flows from the EEA to the US. We now expect to see a massive scramble for businesses who use the EU-US Privacy Shield to find alternatives."
Joanne Bone - Partner
For further information join our data protection specialist Joanne Bone, in a webinar on Thursday 23 July as we analyse the judgement and take a practical look at its implications for organisations.