Stemming from release of highly classified information from the National Security Agency in the U.S. by the whistleblower Edward Snowden, a number of complaints relating to the transfer of personal data outside the EU have found their way to the Court of Justice of the European Union (“the CJEU”). On the 16 July, the CJEU delivered its judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [C-311/18]. This decision will have profound implications for those undertakings whose business model relies on the of personal data to servers located outside of the EU. While this decision focused on the protection of these data on severs located in the United States, the consequence of this ruling means that all third-party countries subject to an adequacy decision by the EU Commission may be caught.
This decision marked the second time this essential question was litigated before the CJEU. After the Data Protection Commissioner in Dublin rejected Mr. Schrems’ initial request to prohibit the transfer of his Facebook data on the basis that the prevailing arrangement between the E.U and the United States (Decision 2000/520; “the Safe Harbour Decision”) afforded an adequate level of protection, the High Court here referred questions for a preliminary ruling to the CJEU. That decision (“Schrems I”) invalidated Safe Harbour and sent both sides scrambling in haste to draft an alternative agreement resulting in the Privacy Shield adequacy decision (Decision 2016/1250).
In striking down the Privacy Shield Framework in this most recent judgment, the CJEU had regard to U.S surveillance programs which routinely collects data held on servers based in that jurisdiction. It was held that U.S. surveillance laws do not meet the requirements of the E.U. Charter of Fundamental Rights which provide, inter alia, a right of EU citizens to judicial redress. The consequence of the CJEU’s most recent ruling means that all companies relying on the Privacy Shield Framework for trans-Atlantic trade of data need to immediately re-assess their transfer mechanisms and seek out alternatives.
Standard Contractual Clauses
Standard Contractual Clauses (SCC’s) provide another way for controllers to outsource data processing services and were appended to the Commission’s decision in Decision 2010/87. The CJEU did not call into question the validity of these clauses, however, it reaffirmed its position that businesses do not merely exchange agreements and file them away without taking practical steps to ensure compliance. It stated that, “transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”
In a recent blog, Mr. Schrems has gone as far as to opine that all data flows, even within the SCCs must stop if a U.S company falls under surveillance law. Much attention will be directed to statements and advices emanating from Member States‘ supervising authorities over the coming weeks and months, however, what is clear is that the CJEU has highlighted the obligation on both data exporter and importer to ensure compliance with current E.U. jurisprudence. Should the importer inform the data exporter of any impeding factor that would prevent it from complying with the clauses, transfer must be suspended or terminated.
In making this judgment the CJEU has ostensibly reinforced its position in Schrems 1. Data controllers will need to undertake a forensic examination of the nature of each transfer. Unless the E.U. discards the standards adopted under the GDPR (in which personal data derives its legitimacy from the EU Charter of Fundamental Rights), or the United States strengthens its protection of personal data to a level essentially equivalent with E.U. law, it would seem that transfers between the two jurisdictions as they are currently framed are severely compromised.
If you are concerned with how your data is being used or transferred or you have been affected by any of the issues discussed above contact David Whelan at [email protected]