Schrems II: consequences of the invalidation of the Privacy Shield
With the decision of last July 16 (C-311/18), the EU Court of Justice invalidated decision no. 2016/1250 with which, according to art. 45 GDPR, the EU Commission had stated that the Privacy Shield – i.e. the EU-USA agreement ruling on data transfers between the European Union and the USA – provided for adequate protection for the data concerned. This is a decision with a huge impact: more than 5000 US organisations had been part of the Privacy Shield and many European companies had relied on it to legitimise data transfers to the USA.
It should be noted, however, that the Privacy Shield was only one of the possible mechanisms provided for by the GDPR to legitimise EU-USA data transfers. In addition to the EU Commission’s adequacy decisions, in fact, the GDPR lays down that data transfers may take place: subject to appropriate safeguards (including: binding instruments between public authorities, standard clauses, codes of conduct, certification mechanisms) pursuant to article 46; based on binding corporate rules pursuant to article 47; by virtue of international agreements in the cases provided for by article 48; based of the data subject’s consent as well as in the special cases referred to in article 49. Lacking the Privacy Shield, it is now to be understood which of these mechanisms may be invoked by EU subjects for future data transfers to the USA.
The key points of the decision are examined below.
First of all, it must be recalled that this decision follows the so-called ‘Schrems I’ decision (C‑362/14) adopted in the proceeding initiated by Mr. Schrems, who had reported to Irish authorities that Facebook Ireland Ltd. had transferred his data to Facebook Inc (based in the USA) in breach of EU privacy laws. In ‘Schrems I’ decision, in particular, the EU Court of Justice had found the so-called ‘Safe Harbour’ – i.e. the previous agreement for EU-US data transfers, validated by EU Commission decision no. 2000/520 – invalid, because it did not guarantee a level of protection comparable to that provided by European laws. On the one hand, in fact, the Safe Harbour was only applicable to the companies that had signed it (and not e.g. to US public authorities), on the other hand, the companies could have been asked to disapply it for public interest purposes. Ultimately, it had allowed a generalised interference by the US authorities. Following the invalidation of the Safe Harbour, the EU Commission had therefore approved the new ‘Privacy Shield’ mechanism with decision no. 2016/1250.
Called to reformulate his complaint, Mr. Schrems had then stressed that, also in this case, despite the adequacy decision on the Privacy Shield, EU citizens did not benefit from the “adequate level of protection” required by the GDPR for international data transfers. This definition, in fact, must be interpreted as meaning that the receiving party must ensure an adequate level of protection, comparable to that ensured by the GDPR and the EU Charter of Fundamental Rights, guaranteeing (amongst other things) effective judicial remedies against unlawful processing.
Since Mr. Schrems’s observations had raised the issue of the possible invalidity of the decision on the Privacy Shield, the Irish Authority thus had referred the matter to the Irish High Court, in order to address the relevant preliminary questions to the EU Court of Justice. The referring Court, in fact, had pointed out that US law required Facebook Inc. to make the personal data transferred to it available to US authorities (such as the National Security Agency-NSA and the Federal Bureau of Investigation-FBI), and that such data could have been used in national surveillance programs. Such interferences were indeed legitimised by the Privacy Shield itself (point I.5. of Annex II, decision no. 2016/1250).
On these bases, the referring Court had highlighted that EU citizens did not have adequate legal remedies against the processing carried out by US authorities. On the one hand, in fact, EU citizens cannot benefit, such as US citizens, from the 4th amendment of the US Constitution (which is the most important means of protection against unlawful surveillance). On the other hand, the activities of the US authorities cannot be challenged before a Court. Moreover, the Ombudsperson provided for by the Privacy Shield could not be regarded as a tribunal within the meaning of Article 47 of the Charter (which provides for the right to have an effective remedy before a tribunal), thus compensating for the shortcomings of the US legal system. Finally, neither the standard contractual clauses – adopted by the EU Commission with decision no. 2010/87 – could provide adequate guarantees for the protection of the data transferred, precisely by virtue of their contractual nature (which allowed companies to disapply them).
The Irish High Court had therefore asked the EU Court of Justice to assess whether the US legal system provided EU citizens with a level of protection comparable to that provided for by article 47 of the Charter and if the EU Commission’s adequacy decision no. 2016/1250 could legitimise the cross-border transfers at issue.
Considering that the processing carried out by the US national authorities cannot be exempt from the application of the GDPR only because it is based on defence and public security needs, the EUCJ, endorsing all the above observations of the Irish judge, found decision no. 2016/1250 to be invalid, stating that the US law does not provide adequate guarantees for the transfer of data of EU citizens, precisely due to the absence of effective remedies against such processing, and does not comply with the principle of proportionality of processing in the context of intelligence operations.
This ruling did not, however, invalidate the Standard Contractual Clauses (which constitute adequate guarantees for data transfers pursuant to Article 46(2) of the GDPR) provided for by the aforementioned decision no. 2010/87, specifying, however, that the use of such clauses can legitimise data transfers only if the level of protection guaranteed is adequate, based on an assessment to be carried out on a case-by-case basis, taking into account the possibility of the US authorities to access the data transferred. Finally, the Court clarified that, in the absence of an adequacy decision, national data protection Authorities can suspend or ban data transfers based on Standard Contractual Clauses that do not provide an overall adequate level of protection.
As seen, the decision commented upon here has a huge impact. Since there is no “grace period” during which EU companies are exempted from seeking alternative mechanisms to the Privacy Shield to legitimise data transfers to the USA, the same companies must now suspend data transfers in the absence of a valid alternative legal mechanism. However, the consequences of the invalidation of the Privacy Shield are in some ways still poorly defined and, at the moment, national Data Protection Authorities and the European Data Protection Board are weighing up the interpretation and the consequences of this ruling, in order to set out guidelines for companies to manage future data transfers to the USA.
At the moment, the EDPB published its FAQs relating to the application of the EUCJ’s decision (available at this link) and adopted a statement (link) in which it points out that the EU companies that will transfer data to the USA shall put in place additional measures to those included in the Standard Contractual Clauses; additional measures not yet specified and on which the EDPB itself is still working. In the absence of adequate guarantees, however, the companies shall suspend the processing or notify the national DPAs their intention to go on with data transfers, and the DPAs will be entitled to suspend or ban such transfers. In addition, the EDPB recalls that the exceptions referred to in article 49 apply to occasional and non-repetitive data transfers, to be assessed case by case.
The Italian DPA, instead, has not yet formally taken a view on the decision of the CJEU. Meanwhile, NOYB (the non-profit organization founded by Maximilian Schrems) has published its FAQs at this link, which may help companies to manage cross-border transfers.