23 July 2020
Schrems II – 2 of 4 Insights
On 16 July 2020, the CJEU delivered its judgment on the Schrems II case (C-311/18) which may cause significant difficulties for the digital economy (and beyond) inside and outside Europe.
In the ruling, the CJEU declared the EU-US Privacy Shield invalid because personal data in the US is not sufficiently protected from the US authorities and legal protection is not sufficient. The US intelligence services would have unacceptably extensive powers to access data, especially where non-US citizens are concerned. Furthermore, the ombudsman mechanism of the US State Department does not provide legal protection under the European Charter of Fundamental Rights. By contrast, the standard contractual clauses (SCC) issued by the Commission remain valid.
However, in the case of data exports, it's no longer sufficient to simply agree on the SCC. Instead, the data exporter and importer must ensure that in the country of destination, the transferred data enjoys a level of protection comparable to that provided under the GDPR in light of the European Charter of Fundamental Rights. Following the ruling, it's questionable whether this can be guaranteed at all for the USA, because the SCC as a contractual agreement cannot control the behaviour of the authorities with binding effect. Many questions remain open for the affected companies.
Still, the European Commission believes that transatlantic data flows could continue for the time being, since SCCs remain in force. In addition, the Commission is working to develop a "toolbox" for secure international data transfers, including modernisation of the SCC.
Taking into account the high level of protection of personal data involved here, the Commission is working with the US administration to ensure the security of data transfers to the US.
The US government – represented by the Secretary of Commerce and the State Department – has already expressed its dissatisfaction with the ruling. The State Department stressed that the US shares the same values regarding the rule of law and democracy as the EU. The Secretary of Commerce hopes that, in cooperation with the European Commission, the negative effects on transatlantic trade can be limited.
Within Europe, numerous supervisory authorities have also submitted comments. Broadly speaking, two directions can be identified. While some of the supervisory authorities have welcomed the ruling and announced that they want to examine compliance with data protection standards more closely (eg Ireland, Hamburg, and Berlin), others want to examine the ruling first and refer to the necessary European coordination (eg Great Britain, France). As a practical measure, the UK Information Commissioner's Office (ICO) recommends continuing to use the Privacy Shield for the time being if it is already in use. That said, under no circumstances should data transfers based on the Privacy Shield be started now.
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has warned of the fatal consequences for the economy on both sides of the Atlantic if data transfers are consistently prevented. Conversely, the supervisory authority in Berlin has taken a clear position in favour of stopping data flows to the US for the time being.
The following overview summarises the statements of the supervisory authorities to date.
We have divided the opinions into three categories:
The Czech Office for the Protection of Personal Data has only briefly referred to the CJEU’s judgment, but has not made an assessment yet.
The Danish Data Protection Agency only briefly summarises the main contents of the CJEU’s judgment, pointing out that the issues raised by the CJEU would have to be examined before greater comment can be made. The statement does not contain any further assessment.
The North Rhine-Westphalian State Commission for Data Protection and Freedom of Information briefly summarises the CJEU’s judgment. In its view, SCCs may still be used; however, the contracting parties have to assess for themselves whether SCCs are sufficient or need to be accompanied by additional measures. This will apply particularly if the third country provides a poor level of data protection. In instances where SCCs are not complied with in the respective third country, the data exporter has to suspend the data transfer or at least inform the competent supervisory authorities.
The Hessian State Commission for Data Protection briefly covers the invalidity of the EU-US Privacy Shield on its website. While the Commission has also published the DSK's statement and refers to statements made by the EDPB, it does not make its own assessment. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Finnish Office of the Data Protection Ombudsman only briefly addresses the CJEU’s judgment. For an assessment of the CJEU’s judgment and further information, it refers to the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The French National Commission for Information Technology and Civil Liberties (CNIL) is keeping a low profile for the time being and refers to the review of the CJEU’s judgment within the EDPB.
Without any further comment, the Icelandic Data Protection Authority only provides links to the statement and the FAQ of the EDPB on its website. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Lithuanian State Data Protection Inspectorate offers a concise summary of the main points of the CJEU’s judgment and states that it's assessing the decision within the EDPB.
The Data Protection Office of Liechtenstein provides a short summary of the CJEU’s judgment. Companies would have to use other appropriate safeguards pursuant to Art. 46 GDPR, until the EU and the US reach a new agreement on the transfer of personal data. Further, it refers to the FAQ provided by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Swiss Federal Data Protection and Information Commissioner offers little additional insight on the CJEU’s judgment. In his view, it is not directly applicable to Switzerland. However, he will examine it and comment on it in due course.
In its press release, the US Department of Commerce expresses its deep disappointment and states that it's still studying the CJEU’s judgment to fully understand its practical impact. Commerce Secretary Wilbur Ross wants to remain in close contact with the European Commission and the EDPB in order to limit the negative consequences to the $7.1 trillion transatlantic economic relationship. It is critical for companies recovering from consequences of the COVID-19 pandemic to be able to transfer personal data without interruption.
He also mentions that US national security data access law and practices meet – and in most cases exceed – the rules governing such access in foreign jurisdictions, including the EU. The Department of Commerce continues to administer the EU-US Privacy Shield and reminds participating organisations that the CJEU’s judgment does not relieve them from their obligations under the EU-US Privacy Shield.
The Chairman of the Senate Committee on Commerce, Science and Transportation, Roger Wicker, and the Chairman of the Subcommittee on Manufacturing, Trade and Consumer Protection, Jerry Moran, have stated that the economic effect of the CJEU’s judgment was troubling, as invalidating the EU-US Privacy Shield would cause significant disruptions to data transfers and trade activity. They stress the need to work quickly to establish a successor framework that supports economic development and adequately protects consumer data across borders.
The US Department of State is very disappointed with the CJEU’s judgment, as it believes that the US and the EU had a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers. According to Secretary of State Michael Pompeo, the US is reviewing the decision and its implications. The US will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of personal data from the EU to the US.
The Bulgarian Commission for Personal Data Protection briefly summarises the CJEU’s judgment and points out that future data transfers to the US have to be based on other safeguards under the GDPR – eg Binding Corporate Rules (BCR) or EU Standard Contractual Clauses (SCC). In this context, the Commission does not provide any further assessment.
The Croatian Agency for Personal Data Protection solely refers to the statement of the EDPB and does not provide any further remarks. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Cypriot Office of the Commissioner for Personal Data Protection points out that, although SCC remain a valid instrument, companies must take into account the surveillance practices of the third country. If necessary, companies must implement additional measures. However, the Commissioner does not provide any specification on conceivable additional measures. The Commissioner further points out that if an adequate level of data protection cannot be ensured, data transfers have to be suspended or terminated. For further information, a reference to the statement and the FAQ issued by the EDPB is made. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The European Data Protection Board (EDPB) notes that the CJEU refers to flaws in the EU-US Privacy Shield, which the EDPB had already pointed out. It wants to support the European Commission in concluding a legally compliant agreement with the US. In addition, the EDPB wants to develop measures that data exporters can implement to ensure the required data protection. However, it also draws attention to the obligations contained in SCCs and stresses that the supervisory authorities are obliged to prohibit data transfers that do not meet the set requirements.
The EDPB also issued FAQ, which it aims to further develop and complement as it continues to assess the CJEU’s judgment. In the FAQ, the EDPB points out that the threshold set by the CJEU applies to all appropriate safeguards pursuant to Art. 46 GDPR and not only to data transfers to the US, but any third country. Consequently, companies transferring personal data to the US or any other third country based on SCC or BCR have to assess whether the level of data protection required by the GDPR is met within the respective third country in order to determine if the guarantees provided by SCC or BCR can be complied with in practice. If this is not the case, additional measures have to be implemented.
It is primarily the responsibility of the data exporter and importer to assess on a case-by-case basis what these additional measures could consist of. These additional measures could be of a legal, technical or organisational nature. In this context, the EDPB also points out that the law of the third country must not impinge on such additional measures in order to ensure their effectiveness.
The European Data Protection Supervisor (EDPS) welcomes that the CJEU’s judgment emphasises the importance of a high level of protection for personal data being transferred to third countries. At the same time, he hopes that the US will soon achieve a level of data protection equivalent to that of the EU, as reaffirmed by the CJEU. On the basis of the CJEU’s judgment, the EDPS is also reviewing the agreements that EU institutions have concluded. In this context, he explicitly mentions Microsoft.
In the European Commission’s opening remarks at the press conference following the CJEU’s judgment, Vice-President Věra Jourová and Commissioner for Justice Didier Reynders both stressed the importance of data protection and declared that they will do everything to comply with the CJEU’s judgment. They welcome the fact that the CJEU confirmed that SCCs remain a valid tool for data transfers to third countries, as this means that transatlantic data transfers can continue.
They have also emphasised that the Commission is not starting from scratch, but that it had already been working intensively to update the toolbox for international data transfers. In particular, this includes modernising SCCs, which will be finalised swiftly. The Commission wants to work closely with its US counterparts, the EDPB and the national supervisory authorities to develop a strengthened and durable data transfer mechanism. In the meantime, transatlantic data transfers between companies could continue using other mechanisms for international data transfers available under the GDPR.
In its press release, the German Data Protection Conference (DSK) expresses its belief that the CJEU’s judgment has strengthened the data protection rights of EU citizens. According to the DSK, the data transfer to the US based on the EU-US Privacy Shield was inadmissible and needed to be stopped immediately. In general, SCCs could continue to be used, but the data exporter and importer have to assess whether the third country offers an adequate level of data protection. If this is not the case – such as in the US – additional measures have to be taken. However, these additional measures should not be undermined by the rules and regulations of the third country.
Furthermore, the DSK notes that the findings of the CJEU’s judgment apply to all safeguards pursuant to Art. 46 GDPR, in particular to BCR. If necessary, they also had to be accompanied by additional measures. Only data transfers to the US based on derogations pursuant to Art. 49 GDPR were still admissible without further action. The DSK advises data controllers who wish to continue transferring personal data to the US or other third countries to immediately verify whether they can do so under the above conditions. Apart from that, the DSK states its belief that the CJEU has given the supervisory authorities a key role when it comes to further decisions on the data transfer to third countries. The German supervisory authorities will coordinate their approach going forward with the EDPB, and will provide guidance on more specific questions in the future.
The German Federal Commissioner for Data Protection and Freedom of Information still considers data transfers between the EU and the US to be possible. He wants to advise companies on the transition from the EU-US Privacy Shield to other measures. He also believes that the supervisory authorities have been strengthened and stresses that data transfers must be stopped if they do not meet the requirements set by the CJEU.
The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate believes that the rights of individuals have been strengthened by the CJEU’s judgment, but also sees "hard work" ahead for affected companies. He emphasises that data transfers to third countries must be suspended if local law is incompatible with the GDPR. He points out the need for coordination between the supervisory authorities. The Commissioner has also compiled a list of answers to frequently asked questions.
The Thuringian State Commissioner for Data Protection and Freedom of Information welcomes the CJEU’s "clear finding that the ombudsman mechanism [of the US] does not meet the EU’s legal safeguards". It's questionable how SCCs can be brought to life in the future. The European supervisory authorities are now being called upon to ensure that personal data is transferred to the US in compliance with data protection regulations.
The State Commissioner for Data Protection and Freedom of Information of Mecklenburg-Western Pomerania refers only briefly to the CJEU’s judgment. In his view, the options available for data exporters are the same as they were five years ago when the Safe Harbor Agreement was declared invalid (ie SCC, BCR and individual agreements).
According to the Commission, German and European supervisory authorities are working together in order to understand and enforce the CJEU’s judgment uniformly. Regarding the question of what additional measures could be taken, the statement does not provide further information. Rather, the Commission refers to the EDPB, which currently examines what these additional measures could consist of.
The Irish Data Protection Commission welcomes the CJEU’s judgment, as it confirms its concerns about data transfers to the US. The Commission also believes that the position of the supervisory authorities has been strengthened, as they could now also intervene regarding data transfers to the US.
The Italian Data Protection Authority has only produced a short summary of the CJEU’s judgment. Apart from that, it refers to the FAQ issued by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Maltese Office of the Information and Data Protection Commissioner provides a short summary of the CJEU’s judgment. Apart from that, it refers to the FAQ issued by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Romanian National Supervisory Authority for Personal Data Processing provides a summary of the CJEU’s judgment. It further points out that, in the absence of an adequacy decision, data transfers to the US are still possible based on appropriate safeguards in the meaning of Art. 46 GDPR. Apart from that, it refers to the statement and FAQ issued by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Slovakian Authority provides a brief overview of the CJEU’s judgment and provides a link to the statement of the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Slovenian Information Commissioner summarises the CJEU’s judgment and advises companies transferring personal data to third countries to switch to other data transfer mechanisms "as soon as possible". Based on SCCs or BCR (for example), data transfers to the US are still possible if the data controller takes appropriate safeguards to ensure the protection of privacy. However, the Commissioner does not specify what such safeguards could look like.
The Spanish Data Protection Agency offers little commentary around the CJEU’s judgment. It refers to the statement of the EDPB and declares it will continue working with the other European supervisory authorities to find a common and consistent approach to apply the CJEU’s judgment within the EU. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Swedish Data Protection Authority briefly acknowledges the CJEU’s judgment and the statement published by the EDPB. It refers to the future analysis and assessment of the decision by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Estonian Data Protection Inspectorate gives a short summary of the CJEU’s judgment. In its view, SCCs still pose a valid alternative; however, it is up to the contracting parties to assess whether the third country offers an adequate level of data protection. If the protection of personal data cannot be guaranteed, the data transfer must be suspended, or another appropriate safeguard must be found. However, the Inspectorate does not elaborate further on such appropriate safeguards. Furthermore, it refers to the FAQ published by the EDPB. The EDPB highlights that the requirements of the SCC have to be followed and the supervisory authorities should prohibit data transfers if those requirements are not met.
The Berlin Commissioner for Data Protection and Freedom of Information welcomes the CJEU's clarification that data exports are not only about economics, but also that fundamental human rights must be a priority, opining that the "hour of digital independence for Europe" has now come. In addition, the Commissioner considers the CJEU’s judgment as a challenge to prohibit inadmissible data transfers to third countries. In addition to the US, Russia, China and India are mentioned explicitly. The Commissioner also points out that companies can be liable for damages concerning data subjects if they transfer personal data to third countries in an inadmissible way.
The Hamburg Commissioner for Data Protection and Freedom of Information welcomes the CJEU’s judgment. He stresses that the US has not made any significant improvements after the nullified Safe Harbor Agreement. He also argues that the CJEU's stance on SCCs as an appropriate instrument for data protection is inconsistent. The Commissioner also believes that the supervisory authorities should jointly develop a strategy on how to deal with international data transfers and sees difficult times ahead for international data transfers.
In an interview with the German newspaper Frankfurter Allgemeine, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg generally welcomes the CJEU's attempts to establish a worldwide level of data protection that is on the same level as the GDPR. At the same time, he questions whether the CJEU is overestimating the influence of the EU. If Europe were to strictly prevent the transfer of personal data to the US, this would also result in massive damage to the EU. However, he stresses that the CJEU is serious about data protection, including all its consequences.
Although the Dutch Data Protection Authority (AP) does not expressly oppose the use of SCCs for data transfers to the US, such opposition follows from the overall context of its statement. The AP explains that SCCs can only be used as a safeguard if in practice an adequate level of data protection can be guaranteed in the third country. Given the lack of a general law on the protection of personal data, the US does not have an adequate level of data protection comparable to that of the EU. The AP is currently examining the practical consequences of the decision within the EDPB.
There's still considerable uncertainty over how to deal with data transfers to third countries that don't provide an adequate level of data protection. If your business is affected, please reach out to us to find out how we can help you.
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Wiebke Reuter, LL.M. (London)