In the Schrems II judgment, announced on 16 July 2020, the Court of Justice of the European Union (CJEU) found that the EU-US Privacy Shield (the framework jointly adopted by the EU and the US which served as a lawful basis for transfer of personal data from the EU to the US) does not provide the level of protection for personal data that EU law requires and therefore no longer constitutes a lawful basis for such transfer.
The CJEU also found that the Standard Contractual Clauses (another instrument available for the transfer of personal data to third countries) are valid as such, but pointed out that their validity in a given case is contingent on the parties to the standard agreement (the party exporting data from the EU and the party importing it in the third country) ascertaining, in each individual case, that the transfer is taking place in a lawful manner. The Standard Contractual Clauses are, of course, binding only on the signatories to the clauses. Public authorities in the third country are not a party, and one must therefore consider the extent to which the law of the recipient country can undermine the protection of the personal data, for example by compelling the importer to hand the data over. It is important to note that this part of the judgment concerns transfer to any third country, not just the US (which is the case with the EU-US Privacy Shield). Consequently, the Schrems II judgment is also relevant where transfer is made to a country other than the US. The Court did not specifically rule that the Standard Contractual Clauses cannot be used for transfers to the US but, since the same US legislation that led to the invalidation of the EU-US Privacy Shield has been found to conflict with EU law, there is an imminent risk that the Standard Contractual Clauses are likewise inadequate on their own, and thus not a lawful basis, for transfer to the US in particular.
Doesn’t this seem a bit familiar?
The Schrems II judgment is the continuation of what happened in the autumn of 2015 when the Schrems I judgment was issued (6 October 2015). The earlier judgment pertained to a case brought by Maximilian Schrems, an Austrian law student, regarding the way in which Facebook Ireland Ltd. processed his personal data. The import of the Schrems I judgment was that the Safe Harbor framework was not regarded as providing adequate protection and thus it became unlawful to use Safe Harbor as a basis for transfer. After some time, the EU and the US succeeded in finding a replacement for Safe Harbor in the form of the EU-US Privacy Shield. The CJEU has now found that this framework is also inadequate to protect the privacy of EU citizens. Here, too, Maximilian Schrems brought the action, once again against Facebook Ireland Ltd. The basic reason is that US and EU legislation are incompatible in certain respects; US surveillance law, in particular Section 702 of FISA (Foreign Intelligence Surveillance Act) and the related executive powers examined by the Court, as well as legislation such as the CLOUD Act, grants US authorities access to data in a manner which contravenes the GDPR and the EU Charter, without giving EU data subjects an effective remedy.
What does this mean in practice?
As of 16 July 2020, an organisation's transfer of personal data to the US based solely on the EU-US Privacy Shield is unlawful and, as such, must cease without delay. Where the transfer is made to a third country (the US or another country) on the basis of the Standard Contractual Clauses, the parties must make a separate determination as to whether the legislation in the third country allows the protection for the specific transfer to reach the level required under EU law. One must look at all of the circumstances of the transfer, including who the importer is, which authorities can demand access to the data and on what conditions, in order to ascertain whether the data can be transferred in accordance with the standard clauses.
In practice, this means that most European and US actors will encounter a very tangible problem, since transfer from the EU to the US is exceedingly commonplace. It takes place through, among other things, use of cloud services (such as Google and AWS) and other service providers, such as Microsoft.
Consequently, as of 16 July 2020, the EU-US Privacy Shield no longer constitutes a lawful basis for transfer of personal data to the US. All Swedish and European actors that transfer data to the US and rely solely on the EU-US Privacy Shield must ensure that there is some other lawful basis for such transfer. Transferring data to a country outside of the EU without a lawful basis for the transfer violates the GDPR. Accordingly, where transfer has been made in reliance on the EU-US Privacy Shield, or on the Standard Contractual Clauses (or, in practice, also on Binding Corporate Rules, BCR), measures must be taken, and taken without delay.
When Safe Harbor was invalidated in 2015, a grace period was granted. That is not the case now. The supervisory authorities have not yet received instructions to actively investigate whether companies have ceased transferring data based on the EU-US Privacy Shield, but the EU has encouraged the Swedish Data Protection Authority (and the other supervisory authorities in the EU) to respond to complaints.
It is worth pointing out that the issue is largely political and that the US and EU have long had a sort of turf war on this issue, where the US believes that it has a right (based on national security) to access all information stored on the servers of US companies, irrespective of where such servers are located. In the EU’s opinion, this entails an unacceptable invasion of the privacy of EU citizens. As a consequence of the conflicting legislative schemes, the US and EU have not found common ground. Accordingly, it is by no means clear that there will be a new replacement for the EU-US Privacy Shield. One established understanding appears to be that it will, in such case, require legislative changes in both the EU and the US.
How should you proceed? Unfortunately, this is still extremely unclear. The Swedish Data Protection Authority and the EDPB (European Data Protection Board) will issue guidelines but since transfer is already unlawful, we recommend that you begin to take measures as soon as possible.
If you are relying solely on the EU-US Privacy Shield, conduct a risk assessment and attempt to find another lawful basis for the transfer. If you are relying on Standard Contractual Clauses or Binding Corporate Rules, you must assess whether the data is given adequate protection by the party processing the data in the third country (e.g. a personal data processor), taking into account the laws that party is subject to. You can then also take additional protective measures to ensure security (technical, organisational, or legal). One example may be to encrypt the data, or to limit the scope of the data (or the type of data) which is transferred. Note that encryption only helps in this respect if the keys remain with the exporter in the EU; if the importer in the third country can decrypt the data, the authorities there can still compel access to it, and the problem identified by the Court remains. The new judgment imposes significant responsibility on the actors and requires that they always ensure that the level of protection is acceptable and compliant with EU law. Going forward, practice will determine where these limits lie, and making those determinations is no simple matter for either personal data controllers or personal data processors. On reflection, the need for European actors that can provide the services which are, at present, largely purchased from American companies is increasing, and such actors would provide stability and security in the transfer of data which is often significant to operations.
The Swedish Data Protection Authority and the EDPB are presently working intensively to produce guides and guidelines regarding how to act, how to conduct risk assessments, and how to look at other lawful bases for transfer (e.g. consent).
Our recommendation is that you should not wait for the guides but should, instead, promptly review your activities and the extent to which transfer takes place on a lawful or an unlawful basis. The Director-General of the Swedish Data Protection Authority, Lena Lindgren Schelin, has stated that parties should ascertain, in each individual case, that transfer to the US is taking place in a lawful manner, and that the Swedish Data Protection Authority will take into account whether an organisation has been proactive if its processing becomes subject to inspection. Consequently, we cannot recommend a wait-and-see stance on how to solve this. Instead, a risk assessment must, in any case, be commenced and documented.
The EDPB's statement regarding the judgment can be read in its entirety on the EDPB's website.
The judgment itself (Case C-311/18) is available from the Court of Justice of the European Union.
Finally, we can note that this judgment will have far-reaching consequences for both US and European organisations, and comprehensive work has already begun in order to find acceptable political and legal solutions. However, at present, we do not know how this will be solved or how quickly it will happen. In the meantime, parties who are subject to EU law must act, both in order to reduce invasions of the privacy of the individuals whose data is processed and in order to reduce their own risk of sanctions as a consequence of violations of the GDPR.
Sara Malmgren, Senior Associate at Foyen Advokatfirma