Recently, the Court of Justice of the European Union (CJEU) released the long-anticipated Schrems II decision, which effective immediately invalidated the EU-U.S. Privacy Shield mechanism that over 5000 U.S. businesses, from major tech companies to large financial institutions, have relied on for purposes of transferring and processing data from the EU to the U.S. The decision is a companion to the 2015 Schrems I decision where the CJEU invalidated the adequacy decision underlying the EU-U.S. Safe Harbour framework, which led to the development of the Privacy Shield mechanism.
What you need to know
- Organizations should immediately review vendor agreements to determine whether any EU-U.S. personal information transfers are based on Privacy Shield.
- Privacy Shield certification is no longer a legitimate basis to transfer personal data from the EU to the U.S. The CJEU did not put in place a grace period.
- Data transfer agreements may need to be amended immediately to provide for alternative transfer mechanisms before any further transfers can occur.
- These vendor transfer reviews should include all vendor sub-processors who may receive EU data in the U.S.
- More due diligence on government access to data will be required to rely on Standard Contractual Clauses for transfers to any country that does not have an adequacy ruling from the EU Commission.
- The CJEU upheld the validity of the EU Standard Contractual Clauses (SCCs) as a mechanism of GDPR-compliant transfers to third countries. However, data exporters and importers that rely on SCCs must verify, prior to any transfer whether the level of protection required by EU law is respected in the third country and whether local conditions make it impossible to comply with the SCCs.
- Canada is still subject to an adequacy ruling in respect of PIPEDA, but this is currently being reviewed.
- Data maps should be reviewed and updated to ensure all transfers of EU personal information to third countries are listed, and the legal basis for the transfer is documented.
EU international data transfers
Under GDPR, there are several permissible mechanisms under which EU resident personal information may be transferred and processed outside of the EU. First, a third country can receive an adequacy decision from the Commission with respect to the level of protection it offers (GDPR 45). For example, Canada’s federal privacy law, PIPEDA1, has been deemed adequate since December 20022. In the absence of an adequacy decision in the processor’s country, a processor may generally remain compliant by either: a) incorporating the Commission’s (Decision 2010/87) Standard Contract Clauses into its data transfer agreements; or b) subscribing to binding corporate rules (Article 46). For one-off data transfers, organizations may be able to rely on the derogations outlined in Article 49.
The Schrems saga
The Schrems I3 and II4 decisions originate from complaints brought forward by Maximillian Schrems, an Austrian resident, about Facebook Inc.’s requirement that EU users permit Facebook Ireland to transfer EU personal data to Facebook Inc.’s U.S. servers.
The Schrems II decision continues where the 2015 Schrems I decision left off (please review our prior bulletin for an analysis of Schrems I). After the Schrems I decision invalidated the “safe harbor” data transfer mechanism, and before Privacy Shield was adopted, Mr. Schrems filed a complaint with the Irish Data Protection Commission (DPC) requesting the DPC to use its broad powers to suspend EU-U.S. data transfers on the basis that Facebook’s use of Standard Contractual Clauses to transfer personal data to the U.S. was not justified. The Irish DPC raised its own concerns with respect to the use of SCCs, which lead to the broader questions of significance that were eventually referred to the CJEU in Schrems II.
CJEU’s decision in Schrems II
In Schrems II, the CJEU was asked to address 11 questions that related directly to the validity of SCCs and indirectly to the validity of the Privacy Shield.
Privacy Shield review
CJEU’s rationale for invalidating Privacy Shield did not focus on Facebook’s internal data use or processing practices, rather it focused on the requirements of U.S. domestic law. Of particular concern was U.S. surveillance and national security policy that permits interception of and, in some cases, requires mandatory disclosure by companies such as Facebook of, information contained in EU to U.S. data transfers5. The decision expressed concern with the U.S. Foreign Intelligence Surveillance Act (and the programs in authorizes, like PRISM and UPSTREAM), which did not “indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programmes”. As such, the CJEU determined that U.S. surveillance programs are not circumscribed in a way equivalent to the requirements under EU law because they are not limited to data collection or use that is strictly necessary6. The court also noted that individual remedies under the Foreign Intelligence Surveillance Act are limited, especially for non-U.S. citizens, so there are inadequate avenues of recourse for breaches of the privacy rights of EU citizens7. Further, the court raised issues with deficiencies relating the Privacy Shield Ombudsman mechanism8.
In light of the lack of necessary limitations and safeguards on the power of the authorities under U.S. law and the lack of effective remedies for EU data subject in the U.S., the CJEU held that the Privacy Shield was an inadequate means of protecting data of individuals in the EU when it is transferred to the U.S. The EU Commission has confirmed that it is working on alternate mechanisms for EU to U.S. transfers9.
The CJEU upheld the Commission’s prior decision supporting the validity of SCCs as a mechanism of GDPR-compliant transfers to third countries (Decision 2010/87). Despite finding the SCCs to be a valid third-country data transfer tool, the CJEU in Schrems II imposed additional due diligence and accountability requirements on data exporters who rely on SCCs. The CJEU highlighted that it is the responsibility of the data exporter (in collaboration with the data recipient) to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs. can be complied with in practice—in effect requiring organizations to do mini-adequacy reviews. This is consistent with recent efforts by the Office of the Privacy Commissioner of Canada to place more accountability on organizations that transfer Canadian personal information to other countries.
Where the third country law is not essentially equivalent, organizations will need to implement supplementary measures to ensure an essentially equivalent level of protection over data transferred as in the EU. This will not be a viable option where the third country’s law will prevent such measures from being effective, because parties cannot contract out of the application of domestic laws. As a result, where government access to personal information is the concern, there will be little contracting parties can do to prevent such incursions.
Implications for business
The is no doubt that Schrems II broadly impacts data transfers between EU and third countries such as the U.S. The requirement to do a case-by-case review of third countries and organizations receiving personal data will apply to virtually all transfer mechanisms unless the country has an EU Commission adequacy decision10. As a result, organizations that transfer personal information between the EU and third countries should:
- create or update data maps to track all EU personal data being processed or transferred outside the EU, including through affiliates, vendors and sub-processors;
- review the basis for transferring data outside the EU in all instances, and identify alternate data transfer mechanisms if the organization relied on Privacy Shield;
- document the due diligence used to assess recipient organizations and third party countries, such as by outlining relevant laws that would allow government access to the information, mapping the type of personal data at issue, analyzing whether the data or recipient have historically been subject to government intelligence requests, and recording the measures put in place by the recipient to shield EU data from such requests;
- consider processing options that do not require data to leave the EU, such as local cloud instances, regional vendor outposts and read-only remote access to databases;
- proactively monitor guidance from EU regulators with respect to which countries do not provide adequate protection even when SCCs or BCRs are employed, and consider contractual provisions that allow the organization to suspend or modify its data transfers on short notice; and
- review audit and reporting obligations in vendor agreements to ensure:
- recipient organizations are required to notify the organization of legal or political changes that would prevent them from complying with their obligations to safeguard EU data, and Contractually require data recipients to immediately inform EU data exporters of any inability to comply with the terms of the alternate data transfer mechanism or the supplementary measure that are put in place; and
- the transferring organization can test the recipient’s ability to meet its contractual commitments.
Canadian companies should expect similar issues to be raised by European counterparties going forward, as many organizations will choose to implement this level of diligence globally, regardless of whether the recipient country has an adequacy decision from the EU Commission.
1 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
2 In December 2001, the European Commission issued Decision 2002/2/EC, pursuant to Article 25(6) of Directive 95/46/EC. The Decision states that Canada is considered as providing an adequate level of protection of personal data transferred from the EU to recipients subject to PIPEDA. The adequacy decision was reaffirmed in 2006 but is currently up for review.
3 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-362/14) (Schrems I).
4 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II).
5 The CJEU also examined the validity of the Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield), as the transfers at stake in the context of the national dispute leading to the request for preliminary ruling took place between the EU and US.
6 Schrems II, paras. 164-185.
7 Schrems II, paras. 191-192.
8 Schrems II, paras. 193-197.
9 European Parliament, Parliamentary questions (May 19, 2020), E-001120/2020. In a response to the EU Parliamentary question about international data transfers the Commission noted that: “The Commission is a party in the two cases pending before the Court of Justice of the European Union that are relevant to the Privacy Shield (T-738-16, La Quadrature du Net and C-311/18, Schrems II). While the Commission cannot predict the outcome of this litigation, it is looking into possible scenarios. In doing so, the Commission is in contact with stakeholders, including the United States authorities. In parallel, the Commission continues to work on alternative instruments for international transfers of personal data, including by reviewing the existing Standard Contractual Clauses”.
10 European Data Protection Board FAQ document on CJEU judgment C-311/18 (Schrems II), response to Question 9.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2021 by Torys LLP.
All rights reserved.