Schrems II: standard contractual clauses survive; Privacy Shield dead

Well, this is a fine mess. Austrian privacy campaigner Max Schrems has struck again: transfers of personal data from the EU to the US are suddenly vulnerable again, thanks to today’s CJEU judgment in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020) – the so-called Schrems II judgment. The judgment (see here: Schrems II Judgment) is complex and multi-faceted, but I’ll aim for a nutshell summary just now.

What’s the issue?

Both Directive 95/46/EC and its successor, the GDPR, restrict the transfer of personal data outside the EU. The aim is to ensure that, generally speaking, data subjects’ GDPR rights aren’t compromised when their data is sent outside the GDPR’s reach.

As data protection fans know, the law contains a number of mechanisms for protecting data subjects’ rights when data goes abroad. One is an adequacy decision: if a country is on the European Commission’s ‘white list’, you can transfer at will, as the destination country is treated like it was part of the EU for these purposes.

Another option is to ensure your transfers are governed by ‘standard contractual clauses’ or ‘SCCs’ (sometimes called ‘model clauses’): basically, you build into your contract between data exporter (in the EU) and data importer (somewhere else) a set of off-the-shelf terms that have been approved by the European Commission. You can find them here. They date from well before the GDPR. The controller-controller clauses date from 2001-2004; the controller-processor ones date from 2010.

Here is a snag with SCCs: they have contractual force. They can’t bind those who are not parties, e.g. public authorities, regulators or other parties in destination countries. To that extent, their ability to guarantee GDPR-standard protection in non-GDPR countries is constrained.

Another common option is to implement Binding Corporate Rules (‘BCRs’) between the entities (usually part of the same corporate group) that are in the import-export relationship. These aren’t off the shelf. They are bespoke, and are interrogated and signed off by the data protection regulator in each case.

What is Schrems II about?

Mr Schrems has long focused on a specific way in which the exporting of personal data from the EU to the US compromises EU standards of data protection. His focus is on Facebook. His concern runs like this.

If you’re an EU Facebook user, some of your data gets transferred to Facebook Inc. in the US. Under US law, Facebook Inc. is required to make personal data transferred to it available to certain US authorities, such as the National Security Agency, the FBI and the CIA. That data – both metadata and content – can apparently be used in the context of various security and surveillance programmes, with cool names like PRISM and UPSTREAM. If you’re a US citizen, you can assert your rights in the face of such activities, thanks to the Fourth Amendment to the US Constitution in particular. But that provision does not apply to EU citizens.

The EU Facebook user’s personal data may end up being accessed by US security authorities without the EU user being able to do anything much about it. So, argues Schrems, if you use Facebook in the EU, your GDPR rights are seriously compromised.

The US does not have an adequacy decision. Instead, various schemes have been cobbled together over the years that, in essence, allow you to export data to a recipient that is registered with the scheme. The old one was called ‘Safe Harbor’. It turned out not to be safe. Max Schrems killed it: that was Schrems I in the CJEU, in 2015.

In a panic, the powers that be cobbled together a replacement scheme, called ‘Privacy Shield’. It has turned out not to be a lasting shield. Max Schrems has killed it too: this is Schrems II, in 2020.

What did the Court decide in Schrems II?

A couple of preliminaries. Mr Schrems’ challenge, i.e. his complaint to the Irish Data Protection Commissioner about Facebook’s transfers, began under the old data protection law – so does it affect things under the GDPR? Answer: yes. The GDPR essentially carried over the same regime for international transfers.

Another preliminary: does the GDPR actually bite on these particular concerns about US security bodies accessing data? Doesn’t Article 2 of the GDPR carve out processing relating to policing, public security and the like? So can’t we forget the GDPR and all just get along? Nice try. But no, says the CJEU, understandably. “The possibility that the personal data transferred between two economic operators for commercial purposes might undergo, at the time of the transfer or thereafter, processing for the purposes of public security, defence and State security by the authorities of that third country cannot remove that transfer from the scope of the GDPR” (para 86).

Let’s move on to the two meaty issues from today’s judgment. I’ll take them in reverse order.

First, the CJEU has killed off Privacy Shield (‘PS’), just like it did Safe Harbor. The Irish court making the preliminary reference doubted whether PS did what Article 45 GDPR demands, i.e. ensures that GDPR standards are maintained in the US, in line with the Charter of Fundamental Rights of the EU. The problem is that, judged by EU standards, the US legal regime governing access to personal data by security bodies doesn’t contain adequate limitations and safeguards. Access to data thus slips (or risks slipping) into being neither necessary nor proportionate. Nor do EU citizens get an adequate judicial remedy: there is a ‘PS Ombudsman’, but this is not good enough.

The CJEU agreed, and PS is struck down. This was a bold step that the CJEU did not strictly need to take: the Advocate General’s opinion suggested that this point did not need resolution in light of the questions referred. Still, it is hardly surprising that the CJEU waded in, given its past form on this very issue.

The second core issue concerned the SCCs: are they good enough? Can they continue to be relied upon for lawful data transfers? Answer: yes, they are okay.

Note that SCCs do not necessarily make a transfer bullet-proof. If it turns out, on the facts of a case, that the recipient cannot or does not abide by the SCCs, a data protection supervisory authority is required to act and prohibit the transfers, notwithstanding the presence of SCCs.

But, as the Advocate General had concluded, the SCCs themselves are fit for purpose. They impose detailed contractual duties on the recipients, including duties to tell the exporter about anything that may prevent GDPR compliance, so that action can be taken or transfers suspended.

Where does this leave us?

As I remarked at the outset, the short answer is: in a fine mess. I doubt there will be any (or at least any quick and effective) steps to patch up PS. Best to regard it as dead.

Okay, now what? Scramble to implement SCCs, or even BCRs in the longer term. Supervisory authorities will probably not take immediate action against controllers whose PS-based transfers continue while PS’ corpse is still warm. They are likely to want to confer a period of grace to allow blind-sided controllers to fix things by suspending transfers or getting SCCs or BCRs in place. It’s impossible to say how long such periods will be just now. Hence the mess. Enjoy!

Chris Knight acted for the UK government in Schrems II.

Robin Hopkins