Kirsop said that despite the validation of SCCs, the position is less clear-cut for US-based businesses importing personal data from the EU.
"Businesses currently reliant on the Privacy Shield for EU-US data transfers that glance at the CJEU's high-level findings may assume that they can counter the invalidation of the Privacy Shield by executing SCCs instead – indeed many EU-US data transfer arrangements built on the Privacy Shield are also underpinned by SCCs to address the risk of the Privacy Shield framework being invalidated and the need to switch mechanisms swiftly. However, within the detail of the CJEU's findings are points which would call into question the ability of businesses to rely on SCCs either for EU-US data transfers, at least in the long term."
The CJEU's decision was issued in response to questions referred to it by the Irish High Court, stemming from a complaint lodged by Austrian privacy rights activist Maximilian Schrems with the Irish Data Protection Commission (DPC) regarding the transfer of his personal data from Facebook Ireland to Facebook, Inc, established in the US. Schrems claimed that the US did not provide adequate protection for his personal data against intrusions resulting from the surveillance activities practised by US public authorities.
In its judgment, the CJEU said that the protections provided for by the GDPR apply to business-to-business personal data transfers from the EU to a country outside of the European Economic Area (EEA) like the US even if "the data at issue is liable to be processed, at the time of that transfer or thereafter, by the authorities of the third country concerned, for the purposes of public security, defence and State security".
The CJEU said that the Commission and DPAs must take account of the access public authorities in third countries can potentially obtain to personal data exported from the EU under the legal framework in those countries when assessing the level of protection afforded to the data. DPAs are obliged to suspend or prohibit data transfers where they identify that the protections provided for in data transfer mechanisms cannot be complied with in practice.
The CJEU confirmed that the European Commission's decision to endorse the use of SCCs is in line with the requirements of EU data protection law. It said the decision was valid because it includes effective mechanisms to ensure compliance with EU data protection standards when personal data is transferred to 'third' countries outside the EEA, and because it further provides for the suspension or prohibition of data transfers underpinned by SCCs where there is a breach of those clauses or where it is impossible to honour them.
However, the CJEU followed the approach suggested by its advocate general in a non-binding opinion issued in the case late last year, confirming that organisations need to be aware of local laws in other jurisdictions to determine whether they contradict the protections offered by the SCCs, and must act to apply supplementary measures to ensure the required level of protection, or prohibit, suspend or terminate data transfers where that is not possible.
"Businesses will need to effectively assess their existing SCCs and police future SCCs in the context of the laws in the jurisdictions they transfer data to, which may prove very challenging," Carney said. "Businesses will be looking to the Commission, European Data Protection Board (EDPB) and national data protection authorities (DPAs) for consistent guidance on how to meet the new due diligence obligations around the use of SCCs."
On the Privacy Shield, the CJEU ruled that the Commission's so-called 'adequacy decision', which endorsed the Privacy Shield framework as providing data protection in the US equivalent to that available in the EU, was invalid. The EU-US Privacy Shield replaced the Safe Harbor scheme, which previously helped facilitate EU-US data transfers until that framework was effectively invalidated by the CJEU in 2015, also following a legal challenge brought by Schrems.
The court reached its invalidity finding after determining that the protections provided for in the Privacy Shield framework, which include an independent ombudsman mechanism for handling complaints relating to the accessing of EU citizens' personal data by US authorities, are not sufficient to address "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States".