Today was the day that privacy pros were waiting for — the decision of the Court of Justice of the European Union (CJEU) on what has come to be known as ‘Schrems II’.
The case was a complicated one that involved Ireland, Facebook and covered probably more than you would want to know. You can find the press release of the decision here.
The outcome of the court’s decision was that Privacy Shield was held to be invalid. For those of you who are unaware, Privacy Shield is a scheme that was agreed by the EU Commission and the US Dept of Commerce to facilitate the transfer of personal data between the EU/EEA and the US. It involved a US company agreeing to a set of principles and the scheme was managed by the US Dept of Commerce. A company that had self-certified under Privacy Shield could transfer data back and forth across the pond without any other data transfer safeguards.
The Court held Privacy Shield to be invalid because “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” In other words, the Court said that the US law on surveillance and the access and use of personal data by the US authorities does not provide the appropriate level of protection of personal data as we have in the EU.
The result of Privacy Shield being declared invalid is that recipients of personal data in the US will need to conduct a review to see if they are subject to obligations under relevant US surveillance laws. If they are, they can’t use Standard Contractual Clauses (SCCs) to transfer data either, because the US authorities will still be accessing the data, regardless of the transfer mechanism. US companies that aren’t subject to surveillance laws can use SCCs.
Fortunately, the Court didn’t declare Standard Contractual Clauses to be invalid as well. Standard Contractual Clauses are just that — contracts that were written by the EU Commission and are agreements between the data exporter and the data importer about how the personal data will be secured and how the rights of the data subject will be upheld.
The US Department of Commerce issued a statement and said “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.” See the full statement here.
The ICO stated: “The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” See the statement here.
The ICO issued an updated statement on the 27th of July:
“Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.
The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.” Read the full statement here.
The UK government’s response was this: “The UK government is reviewing the details of the judgment. It remains committed to supporting UK organisations on international data transfers.” The full statement can be found here.
What to do now?
Companies that had been using Privacy Shield will likely be switching to using SCCs. Keep an eye on your inbox for them. Sign and send back.
If you transferred data to a company that was on Privacy Shield and you haven’t heard from them, please contact them for an update on their position.