ECJ invalidates Privacy Shield; Model Clauses valid but may not be sufficient

[UPDATE 27/7/20: the ICO has now published a statement on the decision]

On July 16th 2020, the European Court of Justice made its long-awaited decision in the case of Data Protection Commissioner [Ireland] v Facebook Ireland Ltd and Maximillian Schrems, generally known as “Schrems II”. This concerned two of the GDPR’s mechanisms for transferring personal data from the EU to other countries: Standard Contractual Clauses (SCCs) and the US Privacy Shield. This is relevant to organisations in the UK for two reasons:

  • SCCs and Privacy Shield were options available – both now and after we leave the EU – for transferring personal data to third countries;
  • After we leave the EU, SCCs are one of the options that may be used to receive data from EU countries.

Taking the Court’s summary of findings (see the very last section of the judgment – p61 of the PDF) in reverse order, for clarity:

  1. Point 5: Privacy Shield is invalid because it does not protect against US surveillance laws which do not provide safeguards equivalent to the EU requirements for proportionality and judicial redress.
  2. Point 4: SCCs are still valid (para 149) and sufficient to ensure the recipient organisation provides adequate protection (para 124), but…
  3. Point 3: …since a contract cannot bind the authorities of the receiving state (para 125), National Regulatory Authorities (and data exporters) must also examine the legal environment into which transfers under SCCs are made, and must stop/order suspension of individual transfers where that environment does not offer sufficient protection;
  4. Point 2: In particular (para 129), where data transferred under SCCs may be accessed by the receiving country’s public authorities, the legal framework covering that access must be assessed on the same basis as when the Commission makes (or doesn’t) an adequacy decision (including rule of law, relevant legislation, independent supervisory authorities, international commitments, etc.; Para 45(2) is the full list).

I think that means:

  1. Watch ICO for indications of which transfers from UK to US are likely to raise concerns under SCCs; review yourself any transfers that might need additional safeguards.
  2. Post-Brexit, unless the UK receives an adequacy decision, SCC transfers to the UK may be investigated/stopped by any EU regulator if they feel UK law does not provide adequate protection in case of access by authorities. Such decisions must be taken by individual regulators, but may be discussed by the EDPB.
  3. SCCs are still valid and worth including (both when exporting and importing personal data) as they continue to ensure the recipient organisation provides adequate protection.
  4. But exporters and importers also need to consider whether additional protective measures are needed in case of access by authorities (note, for example, that transfers of student data to US institutions – unlike the transfers within Facebook that were the subject of the case – are likely to be covered by FERPA when they get there). Document these decisions, in case they are challenged. It’s also worth reminding (and expecting to be reminded) of SCC Clause 5(b)’s obligation on importers to inform the exporter if national law has a substantial adverse effect on their ability to comply with the contract. And have a process ready for receiving/sending such notifications.
  5. If an exporter or a Regulator decides a data flow isn’t safe, the only option seems to be to change the flow. Para 132 makes clear that a contract can’t fix the problem, because it doesn’t bind the national authorities. But Para 112 considers “all the circumstances of the transfer of personal data in question”: Bird & Bird suggest that encryption, tokenisation and other technical measures may be relevant circumstances.

Finally, my attention has been drawn (thanks!) to the excellent “EU-US Privacy Shield, Brexit and the Future of Transatlantic Data Flows”, published by UCL’s European Institute in May – after the Advocate-General’s advice to the ECJ had been published but before the Court ruling. Highly recommended if you want to know more about the legal and practical background, the options available to the Court, and the implications for post-Brexit EU-UK data flows.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

3 replies on “ECJ invalidates Privacy Shield; Model Clauses valid but may not be sufficient”

Hi Andrew, many thanks for this. You refer to “the Court’s summary of findings (see page 61 of the judgment)” — which version of the document are you using, as the online one doesn’t seem to have page numbers 🙂

Sorry – it’s the very last para, *after* para 203.

And blog text has now been fixed to say that

Thanks! I searched for ‘summary’, couldn’t find it, and didn’t get as far as looking for the detail 🙂
