In summary, the CJEU has:
- Invalidated the use of the Privacy Shield as an adequate safeguard when transferring personal data outside the EEA to the United States – primarily due to potential unrestricted U.S. government access.
- Found the SCCs to be an adequate safeguard when transferring personal data outside the EEA to third parties. However, depending on the prevailing position in a particular third country, the controller may be required to adopt supplementary contractual provisions to ensure compliance with the level of protection afforded in the SCCs.
To conclude, all data transfers from the EEA to countries outside the EEA will have to be assessed on a case-by-case basis to determine whether organisations have to implement clauses in addition to those afforded under the SCCs or even under binding corporate rules. It is expected that EU data protection authorities will provide more guidance regarding specific countries.
The background to this case is a complex one. The case is the continuation of an earlier complaint made by Schrems against Facebook in 2013. In 2013, Schrems filed a complaint with the Irish data protection authority claiming that Facebook’s transfer of EU citizens’ personal data under the Safe Harbor framework to Facebook in the United States violated their rights.
In a landmark finding in October 2015 (Curia.europa.eu), the CJEU held that the Safe Harbor framework was invalid (Schrems I). We wrote about this decision in a previous client alert. Among other reasons, this decision was based on the fact that U.S. legislation did not limit the interference with an individual’s rights to what is strictly necessary.
Since then, Schrems reformulated his complaint and decided to challenge the transfers of personal data to the United States performed on the basis of SCCs. The use of SCCs was the alternative mechanism Facebook relied on to legitimise EU to U.S. data flows, as it could no longer rely on the Safe Harbor provisions following Schrems I. Following its investigation into Schrems’ reformulated complaint, the Irish data protection authority published a draft decision where it took the view that personal data transferred to the United States was likely to be consulted and processed by certain U.S. authorities in a manner incompatible with articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter). The Irish data protection authority further concluded that U.S. law did not provide EU citizens with the equivalent of an effective judicial remedy in accordance with article 47 of the Charter, and that the SCCs were not capable of remedying this defect.
The Irish data protection authority brought the Schrems II proceedings before the Irish High Court, which referred 11 questions for a preliminary ruling (see below). In an annex to the referral, the Irish High Court included a copy of a judgment it handed down on 3 October 2017 in which it had set out the results of an analysis of the evidence before it in a national proceeding in which the U.S. government had participated. In this judgment, the Irish High Court agreed with the Irish data protection authority regarding the lack of effective judicial remedies and further concluded that the appointment of a Privacy Shield ombudsperson did not remedy this defect.