On 9th July, the Court of Justice of the European Union (the CJEU) sat for a hearing concerning case 311/18, more commonly known as “Schrems II”. During the 8-hour session, many interested parties gave their oral submissions concerning the future of personal data transfers from the EEA to third countries.
Max Schrems himself is no stranger to dealing with the CJEU. His other well-publicised case, Max Schrems vs Data Protection Commissioner – “Schrems I”, brought a complaint against Facebook Ireland following the revelations of Edward Snowden and the PRISM mass surveillance programme operating in the United States. This, in turn, led to the collapse of the EU-US Safe Harbour data transfer agreement in 2015. Following this collapse, the Privacy Shield Framework was hastily put together by stakeholders on both sides of the Atlantic in order to preserve such transfers and the interests of business on each continent.
Schrems II, however, does not solely concern Privacy Shield, but rather the international personal data transfers from the EEA made under the Standard Contractual Clauses (SCCs). The SCCs exist as one of the ‘safeguards’ which can be used to legally transfer personal data to a third country. They are made up of a set of contractually binding, standard terms and conditions aimed at protecting personal data when it leaves the EEA, which both the sender and the receiver commit to upholding.
The specific question the CJEU has been asked to examine is whether “EU law applies to the transfer of personal data by a private company from an EU member state to a private company in a third country for commercial purposes, and may be further processed in the third country by its authorities for national security and law enforcement.”
In essence, the CJEU has been asked to examine whether the data protection rights of data subjects in the European Economic Area (EEA) are still upheld once personal data leaves the EEA under the transfer mechanism of SCCs. This is specifically for cases where third-country intelligence and law enforcement agencies come into direct conflict with European data protection laws. The specific example of Facebook’s interaction with US government agencies was presented, whereby after a transfer to Facebook in the US from the EEA is made, US law requires Facebook to “assist the US in surveillance of non-US persons.” The CJEU must assess if such an interaction invalidates the SCC transfer mechanism.
If the CJEU does indeed find Schrems’s arguments to be compelling, there could be a lot of headaches coming the way of organisations who rely on SCCs for the smooth operation of their international transfers. Unlike the original Schrems I case, which collapsed the Safe Harbour agreement between the United States and the EEA, a ruling which invalidates the SCCs would have a much wider global impact, as personal data transfers from the EEA to the entire world which are reliant on SCCs would be in jeopardy. An alternative path, and one likely preferable for the Irish Data Protection Commissioner (DPC), would be for SCCs to be reviewed on a case-by-case basis, rather than completely invalidating the mechanism. This could lead to a situation whereby SCCs are approved on a third-country by third-country basis.
So how can organisations take proactive steps now to minimise any potential impact of the Schrems II decision? Firstly, the record of processing should be consulted to see which processing operations rely on the SCCs as the international transfer mechanism. It should be established to which third country the personal data is sent, to whom the personal data is being sent and the categories of personal data being sent. Following that, Article 49 of the GDPR should be consulted to see whether any of the derogations apply to your international transfers. To help with this, the European Data Protection Board (EDPB) recently published guidelines on this very topic, as well as Opinion 14/2019 on the draft SCCs submitted by the Danish Supervisory Authority (Datatilsynet).
Although there are few immediate options to fill the void should the SCCs be invalidated, the European Commissioner for Justice, Consumers and Gender Equality recently announced that the European Commission is working on updating the SCCs (which were first published in 2010) to bring them in line with the GDPR. It is hoped that such an update will take in the concerns and considerations raised in Schrems II as they are being prepared.
A preliminary, non-binding opinion on Schrems II is expected on 12 December of this year, with the full decision slated for early 2020.
If you wish to talk more about the issues discussed in this article, or any other matter concerning Data Protection, please visit Trilateral’s Data Governance page and do not hesitate to contact a member of Trilateral Research’s Data Governance team.