Schrems II: Privacy Shield faces same demise as Safe Harbor. Uncertain future for Standard Contractual Clauses for US transfers.

As background, subject to certain exceptions, the GDPR prohibits transfers of personal data outside the European Economic Area unless safeguards are in place. Certain countries are on a designated “white list” but this does not include the US. The European Commission has the power to issue decisions which approves such transfers on another basis. It has issued approvals in relation to transfers to companies in the US who are members of the EU-US Privacy Shield, and transfers which are governed by contracts including the approved “standard contractual clauses” (“SCCs”). Today’s judgment invalidates the Privacy Shield as a valid transfer mechanism and casts doubt upon the adequacy of the SCCs when making transfers to the US.

The rationale, seemingly mirroring the same concerns raised in relation to Safe Harbor back in 2015, focuses on fundamental concerns with US surveillance law: the “level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the [EU] Charter [of Fundamental Rights] cannot be guaranteed [in the US].” The protections for EU citizens in the US are weak because US “provisions do not grant data subjects actionable rights before the courts against the US authorities". The “US Ombudsman, intended to help EU citizens make their case, does not have sufficient binding authority over the US intelligence services.”

Although this element of the decision on its own has sent shockwaves through the data protection community in Europe and the US today, this decision was not unexpected. Going back in time to the fall of Safe Harbor, that decision resulted in many companies rushing to replace agreements based on Safe Harbor with standard contractual clauses. At least in the UK, the ICO gave companies reasonable time to complete this exercise. When Privacy Shield rose from the ashes of Safe Harbor there was a large degree of sceptisicm. Burnt with that experience, many of our clients have chosen as a matter of policy not to allow transfers based on the Privacy Shield or, at the very least, they have inserted mechanisms in contracts where the Privacy Shield is relied upon which allow for SCCs to be put in place in these circumstances.

Which brings us to the elephant in the room, whether the SCCs (and indeed Binding Corporate Rules) remain a valid mechanism for transfers of data to the US following the judgment. Many of the reports today have focussed on the general finding that the SCCs remain valid. That may be true in principle, but in practice it is clear that the use of SCCs, particularly for transfers to the US, will not be so straightforward. The actual decision in the judgment around this is more subtle. In essence, the question put to the court by the High Court of Ireland, was whether they were entitled to assume that any transfers made to the US under either of these mechanisms were adequate without further investigation. The answer to this is rather nuanced. The judgment appears to be saying that it should be for the Supervisory Authorities to investigate themselves as to whether the SCCs present an adequate mechanism for transfer, when taken together with any access to the personal data by public authorities in the third country and the relevant aspects of the legal system within that third country. Faced with a damning summary of US surveillance laws, this judgment would appear to have put the DPC In Ireland, the ICO in the UK and their counterparts across Europe between a rock and a hard place. Do they go with the strong message of the judgment and nullify the only remaining feasible transfer mechanism for making bulk transfers of personal data to the US, or ignore it and face further challenge? It is hard to see what if any middle ground there might be for the Supervisory Authorities to follow. With a strong message pointing the Supervisory Authorities to look at SCC transfers to the US in more detail, this prompts many questions. How practical is it for a data exporter or indeed a Supervisory Authority to assess whether the SCCs can be complied with by the data importer and will this lead to different approaches across Europe? The ICO in particular will be treading a fine line, as it will not want to take any actions which might call into question the UK’s own pending adequacy decision.

At the time of writing the ICO has advised that it is considering the consequences of the judgment. The DPC have stated the following “So, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

What does this mean for you?

1. Identify any arrangements which rely on Privacy Shield for transfers to the US. In the short term at least it would seem the only course of action is to suspend transfers or replace with SCCs. Note that when Safe Harbor suffered the same demise, the ICO published guidance stating that they would not be seeking to take enforcement action immediately but did expect organisations to be taking steps to remedy this compliance.
2. Review all arrangements which involve US transfers to identify where you are relying on SCCs. It does seem that the future of the SCCs as a sticking plaster for transfers of data to the US has been called into question. For intragroup arrangements, binding corporate rules should be considered but noting that this can be a lengthy process and their future could also be called into question.
3. Keep an eye on the ICO for their more detailed position statement.