Alan Dahi, our of counsel, is also part of the team at noyb, the non-profit entity created by Max Schrems for the purpose of fostering the protection of the right to privacy across Europe and beyond.
The recent CJEU judgment is the latest achievement in a process started by Max Schrems a few years ago.
The Schrems I judgment
In its Decision 2000/250 – known as “Safe Harbor” – the EU Commission stated that companies in the United States that self-certify according to the Safe Harbor principles ensure an adequate level of protection of the rights of the data subjects, hence providing a general framework for the transfer of personal data from EU to USA.
Prompted by the fact that Facebook Ireland transferred his personal data to servers located in the USA belonging to Facebook Inc., Max Schrems filed a complaint before the Irish Data Protection Authority seeking to stop such transfers, arguing that under US regulations public authorities have access to personal data to an extent that is incompatible with the data subject’s rights afforded by the EU laws. We should keep in mind that this was the time of Edward Snowden’s revelations about NSA’s practices.
In 2015, the CJEU declared Safe Harbor invalid on the basis that the United States did not offer an adequate level of protection for the personal data of European data subjects transferred to that country.
The Schrems II judgment
After the invalidation of Safe Harbor, the EU Commission approved Decision 2016/1250 – known as “Privacy Shield” – which, based on a few measures implemented by the United States, renewed its evaluation on the adequacy of the protection of the rights of the data subjects provided in the US. As with Safe Harbor, it was a self-certification programme.
In the meantime, given that the first decision of the Irish Data Protection Authority in the case filed by Max Schrems had been annulled following the CJEU judgment, the Austrian activist reformulated his complaint, seeking to block personal data transfers from the EU to the USA carried out by Facebook on the basis of the Standard Contractual Clauses (SCCs) approved by the EU Commission (Decision 2010/87).
The subject matter of the Schrems II judgment is both the SCCs (in their controller-to-processor version) and the Privacy Shield.
The CJEU found that, while the SCCs are valid in themselves, their implementation is not sufficient to allow the transfer of personal data from the EU to the USA, as (being a mere contractual arrangement between two private parties) they are superseded by those provisions of law which entitle public authorities to access personal data for the purposes of public security, defence and State security. Furthermore, the CJEU states that European data subjects are not given enforceable rights and effective legal remedies against such extensive rights of access.
Moreover, the Court found Privacy Shield (just like Safe Harbor already) invalid on the grounds that the US legal system does not offer an adequate level of protection of the right to privacy, in particular as surveillance programmes in the United States are not limited to what is strictly necessary.
Therefore, the Schrems II judgment removes both the Privacy Shield adequacy decision by the Commission (art. 45 GDPR) and the SCCs (art. 46.2.c GDPR) as a legal basis to allow the transfer of personal data from the EU to the US.
What shall businesses do now?
The GDPR provides a set of other possible mechanisms to allow data transfers outside the European Economic Area. However, some of these may suffer the same criticism as the SCCs, i.e. that local public security laws would prevail (e.g. in respect of binding corporate rules, the adoption of codes of conduct and other commitments by the US entity receiving personal data from the EU).
Moreover, broad scrutiny and powers of public authorities are also an issue outside the United States, meaning that the same principle could apply beyond the specifics of the Schrems II case to data transfers to many other countries worldwide.
Notwithstanding the above, the GDPR still offers valid grounds for personal data transfers from the EU to the USA which are not affected by the recent CJEU judgment, including the informed consent of the data subject (art. 49.1.a GDPR) – which, however, can be revoked at any time – and the necessity of the transfer for the performance of a contract (or the implementation of pre-contractual measures) at the data subject’s request (art. 49.1.b GDPR). For example, a travel agency will still be allowed to transfer some personal data to a local US tour leader, where necessary for a client who is booking a holiday in the US.
Taking all this into account, entities in the EU should carefully evaluate their approach to the location of the processing of personal data, possibly favouring processing within the EU over processing outside it. As discouraging as this might be, it has now become clear that even countries which are the subject of adequacy decisions by the EU Commission might not prove so ‘secure’ after all, forcing the data exporter to modify its personal data processing flows, and possibly to do so promptly in order not to risk sanctions under the GDPR.
Moreover, businesses should become even more careful when choosing their suppliers/processors of personal data, performing the appropriate investigations into any transfer of the data outside the EU and the applicable safeguards and legal basis. The extent of data transfers to the US might not be so clear at first glance: the privacy notices of common services such as Microsoft 365 and other platforms mention the “possibility” of such transfers, but make no clear statement on whether they actually happen. Transfers to the US are quite pervasive, and we might be surprised how much so once we analyse the issue further.
A couple of words by Alan Dahi from within the eye of the cyclone
“The Court has spoken in a loud and clear voice. We have fundamental rights to privacy, to data protection, and to an effective remedy and a fair trial. These rights cannot be ‘transferred’ away to a third country.”