The impact of the ‘Schrems II’ case on personal data
On 17 July 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited judgement in the ‘Schrems II’ case.[1] In this article, we provide an insight into the significance of the judgement and its effect on personal data transfers to third countries, which are countries outside of the European Economic Area (EEA).
Transferring personal data to third countries
The General Data Protection Regulation (GDPR) restricts sending personal data, which is any information relating to an identified or identifiable living individual (for instance, a name or telephone number), outside the EEA. Such transfers may only take place if the third country ensures an ‘adequate level of data protection’.
The GDPR provides several possibilities for international transfers to validly take place. In this article, we focus on two mechanisms which were brought under the scrutiny of the CJEU in the Schrems II case:
- The EU-US Privacy Shield, which is a self-certification program whereby US companies can be granted recognition for their adequate data protection, permitting personal data transfers to these specific US companies.
- Standard Contractual Clauses (SCCs), which are two sets of non-country specific model clauses approved by the European Commission that both the sender and the receiver need to sign (and thus adhere to) prior to any transfer.
The Schrems II case
With its judgement, the CJEU declared the EU-US Privacy Shield invalid. The Court found that the limitations on the protection of personal data arising from US law on the access and use of personal data by US public authorities were not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law (by the principle of proportionality) in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary. Furthermore, the CJEU found that the Privacy Shield does not grant EU data subjects sufficient rights to act.
Subsequently, the CJEU examined the validity of SCCs. The Court stated that SCCs provide sufficient personal data protection, but highlighted the fact that all entities using this method are required to evaluate prior to the transfer whether there is in fact an adequate protection level guaranteed in the receiving country.
Response of legal authorities
While the Belgian Data Protection Authority has not yet released a statement on the CJEU judgement, other national Data Protection Authorities (DPAs) have issued several opinions.[2]
Furthermore, the European Data Protection Board (EDPB) has, since the judgement, released an FAQ guidance that addresses multiple topics on personal data transfers outside the EEA.[3] Among its main remarks were the lack of a grace period for the CJEU ruling to take effect and the question of whether or not SCCs actually remain a valid transfer mechanism. The EDPB also calls on the EU and the US to achieve an effective framework guaranteeing an essentially equivalent level of protection in the US to that within the EU.
Conclusion
With its recent judgement, the CJEU found that the Privacy Shield can no longer be used to transfer personal data from the EU to the US. However, the CJEU considers SCCs to be a valid method for international transfers, including those to the United States, but highlights the need for EU organizations to evaluate whether an adequate level of protection is available.
Given the significance of the Schrems II case, we highly recommend that all companies and organizations revise their international data transfer policies and promptly bring them in line with the changes brought forward by the case.
Please get in touch with our data protection experts if you require more information on this topic.
Please note that, since the publication of this article, the Belgian Data Protection Authority issued its first observations with reference to the EDPB's FAQ guidance. The Belgian authority is currently further investigating the consequences of the CJEU judgement and will provide insights at a later stage. The observations were published on 31 August 2020.
[1] CJEU 16 July 2020, n° C-311/18, ‘Schrems II’.
[2] This information was last updated on 7 August 2020. Examples of statements made by other DPAs include those of the Information Commissioner’s Office (DPA UK), “Update ICO statement on the judgment of the European Court of Justice in the Schrems II case”, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/; the Commission nationale de l'informatique et des libertés (DPA France), “Invalidation du « Privacy shield » : la CNIL et ses homologues analysent actuellement ses conséquences”, https://www.cnil.fr/fr/invalidation-du-privacy-shield-la-cnil-et-ses-homologues-analysent-actuellement-ses-consequences; and several German DPAs, such as the DPA Hamburg, “EuGH suspendiert Privacy Shield und bestätigt Standardvertragsklauseln”, https://datenschutz-hamburg.de/pressemitteilungen/2020/07/2020-07-16-eugh-schrems.
[3] EDPB, “Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems”, https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf