The future of data transfer rules in the aftermath of Schrems II
Isabella Oldani, Università di Trento
On 16 July 2020, in its landmark judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, Schrems II), the European Court of Justice (“ECJ”) invalidated Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (“the Privacy Shield Decision”). As a result, thousands of companies can no longer rely on the Privacy Shield Decision as a legal basis for transferring personal data from the EU to the US. In its judgment, the ECJ also affirmed the validity of Standard Contractual Clauses (“SCCs”) as a mechanism for international data transfers, but subject to conditions: companies are required to assess the data importer’s ability to comply with the contractual arrangements embedded in the SCCs and to adduce «additional safeguards» where appropriate. The implications of the case are much wider than the invalidation of the Privacy Shield Decision alone. The judgment has important implications for the other tools that make up the data transfer toolbox offered by the GDPR and has raised uncertainties about the future of international data transfers more broadly.
The background and the findings of the case
The case arose back in 2013 from a complaint brought to the Data Protection Commission (i.e., the Irish Data Protection Authority) by Maximillian Schrems, an Austrian national and Facebook user since 2008. In his complaint, Mr. Schrems asked the Data Protection Commission to prohibit the transfer of his personal data from Facebook Ireland to the US servers belonging to Facebook Inc. Mr. Schrems contended that the US legal framework did not ensure an adequate level of protection for the transferred data. In this regard, he referred to Snowden’s revelations about the mass surveillance activities conducted by US public authorities, and in particular by the National Security Agency. In 2015, Mr. Schrems reformulated his complaint to the Data Protection Commission after the ECJ’s decision in Schrems I (Case C-362/14), in which the ECJ invalidated the Safe Harbour, the predecessor of the Privacy Shield Decision (Nino). To overcome that invalidation, Facebook, like many other companies, switched to SCCs in order to keep the flow of data from the EU to the US alive. SCCs are contracts between EU data exporters and non-EU data importers which aim to regulate the transfer of data between the two entities, their respective obligations and liabilities, and third-party beneficiary rights (i.e., the rights that data subjects can exercise against the data exporter, the data importer and, under certain circumstances, even against sub-processors).
In his reformulated complaint (which then led to the Schrems II judgment), Mr. Schrems contested this extensive resort to SCCs, considering that «there is no judicial remedy which would allow the data subject to take appropriate action to protect his personal data rights» and that «his personal data controlled by Facebook and processed by Facebook Inc. is at the very least “made available” to US government authorities under various known and unknown legal provisions and spy programmes such as the “PRISM” programme» (Request for a preliminary ruling, par. 17). In light of this, Mr. Schrems asked the Data Protection Commission to prohibit or suspend the transfer of his personal data to the United States on the basis of SCCs. Taking the view that the complaint raised questions about the validity of Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to non-EU processors (“2010 SCCs”), the Data Protection Commission brought an action before the Irish High Court in order for the Court to refer the case to the ECJ. The Irish High Court then referred several questions to the ECJ for a preliminary ruling concerning the validity of the 2010 SCCs and the Privacy Shield Decision.
As for the validity of the 2010 SCCs, the Irish High Court asked whether the 2010 SCCs are capable of providing an adequate level of protection, and are hence valid in the light of Articles 7, 8, and 47 of the Charter of Fundamental Rights (the “Charter”), given that those clauses do not bind the public authorities in the third countries to which data are transferred. In its Schrems II judgment, the ECJ acknowledged that those clauses are (only) binding on the parties to the contract, i.e., the EU data exporter and the non-EU data importer. At the same time, the ECJ held that the validity of SCCs is not called into question by the fact that, due to their inherently contractual nature, those clauses are unable to bind the public authorities in the third country in question. Rather, the validity of the Commission decision adopting the 2010 SCCs depends on whether it includes «effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them» (Schrems II, par. 137). In the Court’s view, these mechanisms are indeed provided by SCCs. Specifically, these clauses include the parties’ obligation to verify, prior to transfer, whether the level of protection guaranteed by the SCCs can be respected in the third country in question (SCCs, Clause 4(a) and Clause 5(a) and (b)), the data importer’s obligation to inform the data exporter of its inability to comply with the SCCs (Clause 5(a)) and of any «legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited» (Clause 5(d)(i)), and the data controller’s right to suspend the data transfer or terminate the contract where the data recipient is no longer able to comply with the contractual obligations set out under the SCCs (Clause 5(a) and (b)).
At the same time, the ECJ stressed that, depending on the legal framework of each third country, it may be necessary to supplement the guarantees provided in SCCs with some «additional safeguards» if the data controller exporting the data concludes, on a case-by-case basis, that SCCs alone are unable to ensure compliance with the level of protection required under EU law. It is hence the responsibility of the data controller (with the assistance of the data importer, if necessary) to verify «whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses» (Schrems II, par. 134). Where the company exporting the data is unable to take those additional safeguards, the data exporter «or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned» (Schrems II, par. 135). This is, for example, the case where the legal framework of the third country in question imposes on the data recipient obligations that go against the guarantees provided by standard data protection clauses.
As for the validity of the Privacy Shield Decision, the ECJ concluded that the US law on the access and use by public authorities of data for national security, public interest, and law enforcement purposes does not satisfy the requirement of proportionality. This conclusion derives from the fact that, in the Court’s view, the US law allows for interferences with the protection of personal data which are not sufficiently circumscribed and limited to what is strictly necessary. As regards the requirement of judicial protection (Article 47 of the Charter), the ECJ noted that the US surveillance programmes do not grant data subjects effective remedy against the US public authorities. This deficiency cannot be remedied by the Privacy Shield Ombudsperson (i.e., the body which was specifically established to provide data subjects with a redress opportunity against access to personal data for national security reasons). Indeed, as highlighted by the ECJ, this mechanism is unable to ensure the independence of the Ombudsperson from the executive and does not empower the Ombudsperson to adopt decisions that are binding on intelligence services. On those grounds, the ECJ concluded that, contrary to the Commission’s finding in the Privacy Shield Decision, the United States does not ensure a level of protection for personal data essentially equivalent to that guaranteed in the European Union. As a result of these considerations, the Privacy Shield decision was declared invalid with immediate effect.
Some first reactions to the judgement
The conclusions reached by the ECJ have sparked several mixed reactions. The vice-president of the European Commission, Věra Jourová, and Commissioner Reynders welcomed the judgment, since it underlined, once again, «that the right of European citizens to data protection is absolutely fundamental». At the same time, they reassured citizens and businesses by stating that the European Commission will continue its work to ensure the continuity of data flows between the two sides of the Atlantic, starting with the modernization of SCCs.
Along the same lines, the European Data Protection Board (“EDPB”) welcomed the judgement, since it «highlights the fundamental right to privacy in the context of the transfer of personal data to third countries». The EDPB is also committed «to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law». The European Data Protection Supervisor (“EDPS”) followed a similar approach, stating that the protection of personal data «is more than a “European” fundamental right – it is a fundamental right widely recognised around the globe». The EDPS also «trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court».
National Data Protection Authorities (“DPAs”) have also started to provide some guidance following the ECJ’s ruling. The strongest statements came from Berlin, Hamburg, and the Netherlands. These authorities are advising companies to suspend the transfer of data to the US. The Berlin DPA even encouraged companies to swiftly switch to service providers within the EU or in other countries that provide an adequate level of protection. The Irish Data Protection Authority welcomed the judgment and noted that, even if SCCs are in principle still valid, their application to transfers to the US «is now questionable» (Fazlioglu). On the other hand, the Information Commissioner’s Office (“ICO”), i.e., the UK Data Protection Authority, somewhat regretfully stated that international «data transfers, that are so vital for the global economy, suddenly became open to question». The ICO is also aware of the challenges that UK businesses face when dealing with international data transfers and «will continue to apply a risk-based and proportionate approach in accordance with [its] Regulatory Action Policy». As for the UK, it should be noted that the focus placed by the ECJ on government access to data may also have important implications for the UK adequacy assessment that is currently underway in order to keep the EU-UK flow of data “alive” after the end of the transition period (31 December 2020). UK surveillance law and, more broadly, the legislation on access of public authorities to personal data will, in fact, be part of this assessment. It is hence open to question whether the European Commission will consider the UK framework in line with the high threshold established by the ECJ in Schrems II (Evans, Horten, de La Lama and de Fonseka; see also Manancourt and Scott on the possible implications of the ECJ judgment in Case C-623/17 for the chances that a UK adequacy decision is adopted).
The judgment was, unsurprisingly, less warmly received on the other side of the Atlantic. The US Secretary of Commerce Wilbur Ross and the US Secretary of State Michael R. Pompeo stated that the US authorities are deeply disappointed that the ECJ has invalidated the EU-US Privacy Shield Decision. At the same time, the US authorities will continue to work in close contact with the EU to find a mechanism to ensure the transfer of data from the EU to the US. Interestingly, the Department of Commerce will continue to administer the Privacy Shield program. In other words, as clarified by the Department of Commerce in its FAQs on the impact of Schrems II, even if the Privacy Shield is no longer a legal basis for transfers under Article 45 GDPR, the judgment does not relieve companies self-certified under the Privacy Shield of their obligations under that framework. The Federal Trade Commission will therefore continue to expect companies to comply with those obligations as a demonstration of their «commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals».
The impact of Schrems II on (other) data transfer tools
The judgment has undoubtedly raised great uncertainties about the future of data transfers. Unlike the conclusions reached in Schrems I, in Schrems II the ECJ not only invalidated the adequacy decision on which international data transfers to the US were grounded, but also stressed that the same standards of protection must be ensured when the transfer is operated by any other legal means. As further clarified by the EDPB in its FAQs on the case, “the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA [European Economic Area] to any third country”. This is even more true considering that, as noted by the EDPB, the US law examined by the ECJ applies to any transfer of data via electronic means that falls under the scope of that legislation, regardless of the data transfer tool specifically used.
The ECJ also stressed the responsibility of both data exporters and DPAs in ensuring the effectiveness of existing legal bases for transfer. Data exporters and DPAs are hence responsible for ensuring that the level of protection guaranteed by the data transfer instruments set out under the GDPR is not undermined by the legal framework to which data recipients are subject. On this point, it is certainly not new that the legal requirements to which data recipients are subject inevitably prevail over any contractual obligations that such recipients may undertake when entering into SCCs. Back in 1998, the Article 29 Working Party (i.e., the predecessor of the EDPB) identified the “problem of overriding law” as one of the major limitations to the use of contracts as a legal basis for data transfer. The legal framework of a third country may, indeed, require the recipient in that third country to disclose personal data to public authorities. These disclosure requests inevitably take precedence over the contract signed between the data exporter and the data recipient.
What the ECJ is now asking, or rather demanding, is that SCCs stop being treated as a mere formalistic requirement that the parties to the agreement sign and then forget. This can be achieved by ensuring that the mechanisms for suspending or prohibiting the transfer of data are made effective in case the clauses have been breached or cannot be complied with. To this aim, as clarified by the EDPB in its FAQs, before operating a transfer on the basis of SCCs, companies should make an assessment taking into account the circumstances of the transfer and, where appropriate, implement supplementary measures to make sure that the third-country law does not impinge upon the guarantees offered by those clauses. If the result of the assessment is that appropriate safeguards cannot be ensured (meaning that data subjects whose data are transferred would not enjoy a level of protection essentially equivalent to that guaranteed within the EU), the data exporter is required to suspend or terminate the transfer. If it intends to continue the cross-border flow of personal data, the data exporter is required to notify the competent DPA. Again, this is nothing new compared to what has already been in place for many years. Indeed, under Clause 4(g) of the 2010 SCCs, the data exporter shall inform the competent DPA if it intends to continue the transfer of data despite the notification from the data importer about any legal requirement that may prevent it from fulfilling its obligations under the contract. This is another obligation that many companies that have signed SCCs have probably largely disregarded and that should now be made effective.
Needless to say, this – fairly (some would say excessively) burdensome – assessment would require companies (as well as DPAs) to become acquainted with the foreign legal systems to which they transfer personal data (Kuner). With specific reference to the US, since the ECJ has found that US law does not ensure an adequate level of protection, data exporters transferring data to the US on the basis of SCCs are now required to assess whether their US provider falls within the scope of application of the US laws analysed by the ECJ in its judgment. For example, in order to understand whether a US provider falls under the scope of Section 702 of the US Foreign Intelligence Surveillance Act, EU companies may assess whether that provider can be qualified as an “electronic communication service provider”. As noted by one author, «U.S. Foreign Intelligence Surveillance Act Section 702, Executive Order 12333 and Presidential Policy Directive 28 concern communication service providers, not retailers, manufacturers, health care or pharma companies, or the thousands of companies that use SCCs to export employee data to headquarters in the U.S.». To this end, NOYB, the non-profit organization founded by Schrems in Austria, has made available a model request that EU data exporters wishing to continue to use SCCs may submit to US providers. This request aims to assess whether US providers fall under the scope of application of the US laws that, in the Court’s view, do not ensure an essentially equivalent level of protection. A second set of model requests has been drafted for companies that process data in the EU but have US ties and may for that reason still be caught under US law. Whether or not data can (continue to) be transferred to the US on the basis of SCCs will hence depend on the result of this assessment.
The implementation of additional safeguards
As seen above, as part of the assessment that companies are required to undertake before operating an international data transfer, companies should consider the implementation of «additional safeguards» or «supplementary measures». At the time of writing, no specific guidance has been released by the EDPB on what these safeguards should look like. The EDPB is currently analysing the judgment to determine what kind of legal, technical and/or organizational measures may effectively address the concerns expressed by the ECJ. One possibility would be to devise new ways to contractually compensate for the lack of adequate protection in the third country in question. For example, the data importer could contractually commit to “resist” and question excessively broad requests from public authorities. Similar commitments are already present in Binding Corporate Rules (“BCRs”). Indeed, BCRs shall include the commitment by the non-EU BCR member to inform not only the EU data exporter but also the competent DPA of «any legally binding request for disclosure of the personal data by a law enforcement authority or state security body». If in the specific case in question the notification to the DPA is prohibited (for example, in order to preserve the confidentiality of the investigation), the non-EU BCR member shall «use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible». If despite its best efforts the BCR member concerned is still not in a position to inform the competent DPA, it shall commit to providing the DPA annually with general information about the requests it has received, such as the number of requests, the types of data involved and the authority filing the request (criterion 6.3 for approval of BCRs for controllers, WP256 rev.01; criterion 6.3 for approval of BCRs for processors, WP257 rev.01).
This commitment could be complemented with a more general endeavour on the part of non-EU companies to use their best efforts to challenge and, to the extent possible, waive any disproportionate and indiscriminate legal obligation to which they may be subject. This contractual commitment may thus aspire to become one of those «supplementary measures» that the ECJ is inviting companies to implement. A similar approach seems to be recommended by the EDPS in its paper on the “Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services”. One of the critical issues identified by the EDPS in its investigation of the contractual arrangements between the EU institutions and Microsoft was the fact that Microsoft retained discretion to disclose personal data to third parties, including law enforcement and other governmental authorities (p. 24). In the light of this, besides informing the EU institutions of any requests for access to data it receives, Microsoft should «challenge access requests, exhausting all available legal remedies». Moreover, the EDPS recommended that the EU institutions «request information from Microsoft once a year on whether any disclosures of EU institution data had taken place and if so, what action was taken in response». The EU institution concerned should then assess the information received and «take any further measures necessary to ensure that the contractual prohibition of disclosure, notification procedures and agreed safeguards were respected» (p. 26).
The Commissioner for Data Protection and Freedom of Information for the German State of Baden-Württemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg – “LfDI BW”) is also moving in this direction. Indeed, in its guidance on how to deal with international data transfers in the aftermath of the Schrems II case, the LfDI BW suggested the inclusion of supplementary contractual measures in the 2010 SCCs. Among others, the LfDI BW suggested modifying the SCCs so as to include the obligation of the data importer to inform both the data exporter and the data subject of any legally binding request for disclosure by a foreign public authority, and the obligation of the data importer to take legal action against such requests.
To what extent these contractual commitments may satisfactorily address the concerns expressed by the ECJ in its judgment is, however, yet to be seen. Indeed, as stressed by the Court, some essential guarantees against disproportionate interferences with fundamental rights should be provided for by the (third country) law itself (Schrems II, par. 175). In the absence of these guarantees, even if non-EU data recipients contractually commit to challenge access requests, «there is no guarantee that the companies will win such challenges»; those companies would ultimately be bound to comply with the conflicting legal obligation to disclose (Daskal). Moreover, even if contractual commitments to challenge excessively broad requests may, to some extent, bring such requests closer to the principle of proportionality as established and developed in the EU, the lack of effective judicial remedies and actionable rights against US authorities (or any other foreign public authority) highlighted by the ECJ can hardly be “compensated” for by such additional contractual or organizational measures, absent a change in US law (among others, Christakis; Solove; Propp and Swire).
The implementation of some additional technical measures should also be considered. For example, in its guidance, the LfDI BW recommended the implementation of encryption (where only the data exporter holds the key) and of anonymization or pseudonymization (where only the data exporter can link the data to a specific data subject). However, these measures may often be impractical and at odds with companies’ business needs (Grentzenberg et al.).
In the Schrems II case, the ECJ reiterated the importance of ensuring that the high standards of data protection guaranteed in the EU are not undermined once data leave the EU. As one author has argued, the judgment «appears as a strong constitutional confirmation of the importance to build a solid, comprehensive and coherent regime of protection of European personal data transfers – including against governmental access to such data». The judgment also seems to be in line with the European Commission’s commitment to promoting global convergence in the area of data protection by establishing EU standards as a reference point at the international level. On several occasions, EU institutions have shown themselves willing to foster the role of the European Union as a driver for the development of international data protection standards. Among others, back in 2010, the European Commission noted that the «European Union must … remain a driving force behind the development and promotion of international legal and technical standards for the protection of personal data, based on relevant EU and other European instruments on data protection». Ten years later, the European Commission reiterated its commitment to promoting global convergence in its communication on two years of application of the GDPR. In that communication, the Commission stated that it «will continue to focus on promoting convergence of data protection rules as a way to ensure safe data flows». This commitment also includes «forms of “upstream” work … in the context of ongoing reforms for new or updated data protection laws».
The judgment delivered by the ECJ in Schrems II may thus be perceived by third countries as a clarion call for developing standards of protection more in line with EU standards. In less romantic terms, it could be argued that the judgment may increase the (perceived) pressure coming from the EU to pass equivalent laws by making access to some specific resources (i.e., data coming from the EU) conditional upon compliance with EU data protection standards. However, although the development of common standards of protection across the globe would appear to many as the most desirable solution for ensuring continued protection of transferred data, a universal consensus on a set of “standardized” data protection rules is still far from being reached.
In the meantime, as stated by the Advocate General in his Opinion on Schrems II, a balance should be struck between the need to assert the fundamental values recognised in the EU legal order on the one hand and the need to show a «reasonable degree of pragmatism in order to allow interaction with other parts of the world» on the other (par. 7). This could start from making the existing data transfer rules work in practice by moving from the “mere” signature of contractual clauses to their effective implementation. Data transfer rules have been widely criticized for being formalistic and bureaucratic requirements with a limited capacity to increase users’ privacy (Tene). This trend may (hopefully) be reversed by following the ECJ’s judgment. The mechanisms that such rules provide for ensuring continued protection of transferred data (and, in particular, the mechanisms for terminating or suspending the transfer if the level of protection required by EU law cannot be guaranteed) should be not only effectively implemented but also further strengthened by means of additional safeguards. It is yet to be seen whether this will finally lead to a stable «data free flow with trust» (G20 Osaka Leaders’ Declaration, 29 June 2019) or to further challenges for companies wishing to engage in cross-border data transfers and for resource-constrained DPAs in charge of overseeing those transfers.