The European Court of Justice (ECJ) has struck down the EU-US Privacy Shield, removing a key method for lawful transfers of personal data from the EU (and UK) to the US. As with its predecessor, Safe Harbor, the court considered that Privacy Shield could not provide adequate protection against the US Federal government’s bulk digital surveillance.
In the same judgment, the ECJ confirmed that Standard Contractual Clauses (SCCs) are a potentially valid safeguard for international transfers of personal data. However, the Court emphasised that the SCCs cannot be used merely to “paper over” a transfer of data. The data exporter and the recipient must verify, prior to any transfer, whether the required level of protection is adhered to in the country to which personal data is being transferred. If the SCCs cannot verifiably provide meaningful protection for data subject rights, then the data exporter is “obliged to suspend the transfer of data and/or terminate the contract” with the recipient.
What does this mean for EU (and UK) to US transfers?
Max Schrems, the Austrian privacy campaigner who brought the case to the ECJ, has suggested that SCCs cannot, in reality, be used to legitimise transfers of personal data to the US because the primacy of US Federal government digital surveillance means that verifiable and meaningful protection for data subject rights cannot be confirmed in any of the 50 States. That view is open to challenge, but it does mean that organisations must:
- Be aware of any transfers of personal data to the US; and
- More precisely, be aware of the particular US States to which personal data is being transferred; and
- Verify that, under the SCCs, the receiving State affords meaningful protection for data subject rights.
Without that State-by-State verification, the strict legal position is that personal data transfers must be suspended or terminated. If, as Schrems asserts, no US State can provide meaningful protection, then personal data transfers cannot at the moment be legitimised by SCCs.
Are regulators bound to act now?
Today’s judgment does not give regulators much wriggle room. Paragraph 121 states: “unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to SCCs if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country... and the protection of the data transferred cannot be ensured by other means”.
What other means might be available?
As Binding Corporate Rules (BCRs) are likely to be subject to the same issues as the SCCs, derogations based on GDPR Article 49 might provide the only available (and temporary) basis for EU-US transfers. The key derogations that might be relied on are:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
However, the Article 49 derogations cannot generally be relied on to support “business as usual”. They are intended to provide cover for occasional and small-scale transfers of personal data. Obtaining explicit consent also brings with it all the usual GDPR compliance requirements, including that consent is freely given and can be withdrawn at any time. Consequently, while the smoke clears in the aftermath of Schrems II it is likely that many organisations will be faced with a compliance dilemma. Those organisations relying solely on Privacy Shield are likely to consider putting in place SCCs, as at least a step towards mitigating the risks arising from the demise of Privacy Shield.
The SCCs and other “third countries”
Today’s ruling confirms that the SCCs are potentially valid for international transfers of personal data, but that they are reliable only if accompanied by verification that they will provide meaningful protection. That confirms the need for a risk-management approach that asks:
- Is there an adequacy decision in relation to the third country to which personal data is being transferred?
- If not, do we have verification that SCCs will provide meaningful protection in the third country to which personal data is being transferred?
What should you do now?
We are not expecting organisations to stop or radically change their flows of data to the US in the short term. It is simply not practical to do so. We are however expecting governments and regulators to come up with solutions, potentially some short term interim measures followed by longer term measures.
The aim at the moment should be to avoid being singled out from the other organisations struggling with the same dilemma. We therefore recommend that you should:
- Put in place SCCs where you had previously relied solely on Privacy Shield. SCCs are not guaranteed to work, but they are the best pragmatic solution currently available and show that you are aware of your duties as a data controller.
- Draw up a data map so that you understand all your flows of data to the US and can react promptly to changes in guidance. Identify any high-risk data transfers to the US and consider undertaking a state-by-state analysis.
- Speak to others in your industry and to association bodies. Try to agree a sector approach and lobby the government to provide guidance promptly.
Womble Bond Dickinson
WBD is a transatlantic law firm with privacy specialists in the UK and the US. Our team can advise on the GDPR and US state privacy laws and has long experience of managing cross-border data transfers.