What was at the heart of this case again?
"Schrems II" is the second case of Maximilian Schrems, the famous Austrian privacy activist, concerning the processing of his personal data by Facebook Ireland. More specifically, the case concerns the fact that Facebook Ireland provided its personal data to its parent company Facebook, Inc. in the USA where according to Schrems, there is no adequate level of protection for personal data and where his privacy is therefore not sufficiently guaranteed.
Pursuant to European privacy regulations (formerly the Privacy Directive, now the General Data Protection Regulation (GDPR)), personal data may not simply be transferred to persons or organizations located in countries outside of the European Economic Area. This is only permitted if the level of protection as guaranteed by the GDPR is not undermined in such a country. The GDPR includes a number of possibilities for providing such protection, two of which were under discussion in the Schrems II case, namely: i) the transfer on the basis of an 'adequacy decision' (in this case: the decision about the EU-US Privacy Shield2), and ii) the transfer on the basis of 'standard provisions' (also known as the SCC).
What is the Court's ruling?
First of all, it is striking that the Court of Appeal tested the validity of the SCCs and of the Privacy Shield against the GDPR, even though the preliminary questions were asked before the GDPR came into effect and thus, Schrems' complaint still related to the Privacy Directive. In this regard, the Court of Appeal points out that the final decision on Schrems' complaint has not yet been taken, and that the further assessment of the complaint will therefore have to take place under the GDPR3.
On the validity of the SCCs, the Court ruled – briefly summarized - that the existence of such a model contract must ensure a level of protection that is broadly similar ('essentialy equivalent') to the level of protection within the European Union (EU). The Court indicates that the assessment of this level of protection must take into account (i) the contractual provisions themselves (i.e. the content of the SCCs), and (ii) the relevant aspects of the legal system of the third country where the data is going (such as possible access by public authorities). It is noteworthy that the Court explicitly refers to the criteria mentioned in Article 45(2) of the GDPR (the criteria to be taken into account by the European Commission when taking an adequacy decision4).
The Court then finds that the SCCs sufficiently guarantee a level of protection as required by the GDPR. For example, the transfer of personal data may be suspended or prohibited where the provisions of the SCCs are infringed or cannot be complied with. According to the Court, if the controller were to continue to transfer personal data, it is for the national supervisory authorities to prohibit or suspend those transfers (if the required level of protection cannot be ensured otherwise). The SCCs therefore remain in place.
On the validity of the Privacy Shield, the Court (similar to its judgment on Safe Harbor) states that this regime does not ensure a level of protection that broadly corresponds with the level of protection as guaranteed within the EU. In short, the interference of U.S. government bodies and the surveillance programmes in place there are not limited to what is strictly necessary. The Court adds that data subjects are not granted enforceable rights before the courts against the US authorities. Nor does the ombudsman mechanism contained in the Privacy Shield Convention provide adequate safeguards for necessary and effective judicial protection. Therefore, the Court declares the adequacy decision on the Privacy Shield invalid5.
What is the consequence of the ruling?
As a result of the Court's ruling, organizations that transfer personal data to parties in the United States based on the Privacy Shield regime are no longer in compliance with the GDPR. This applies to future data flows, but also to data that have been transferred in the past and are still visible or accessible to parties in the US. These organisations will now have to provide alternative safeguards as soon as possible.
Relying on SCCs may be a practical and obvious alternative. Today's ruling shows that the use of the SCCs remains possible. An important question is however whether the SCCs do in fact provide a sufficient level of protection in the event of transfers to the US or any other third country. The Court did not directly answer this question. The assessment will have to be made - on a case-by-case basis - by the data controllers themselves, partly on the basis of the criteria set out in Section 45(2) of the GDPR. This requires an analysis of, inter alia, the legal system of the third country, the rule of law and respect for fundamental rights, the access of public authorities to personal data, the existence of effective enforcement mechanisms for data subjects and the effective functioning of supervisory authorities. The nature and scope of personal data will also play a role in the assessment. Moreover, due to the accountability principle under the GDPR, this analysis will need to be well documented.
Overall, not an easy task ahead. It could however have been worse: if the SCCs had also been declared invalid today, finding an alternative way to continue to pass on data would not have been easily determined. After all, other mechanisms for transfers provided for by the GDPR, such as binding corporate rules (the 'Binding Corporate Rules'), a code of conduct or standard provisions adopted (and approved by the European Commission) by the national regulator, are not arranged within a day. This would have created a huge gap, with the result that countless data flows that take place daily on the basis of the SCCs would have had to stop immediately or would have become unlawful. Now that more than 88% of European companies seem to use the SCCs for their transfers (according to research by the IAPP6), the ruling will probably be of some relief for many organizations, at least at this stage.
For the supervisory authorities in the EU on the other hand, which are often already understaffed, the ruling may be less settling. It seems that their workload will increase, now that they have to ensure that data controllers make the right analysis of the level of protection in third countries. The question is whether this is desirable. Not only because of capacity problems, but in particular because this could lead to a fragmented approach between the different national supervisors in the Member States. This creates legal uncertainty; will it soon be easier to transfer personal data from Germany, or will it be less risky to do so from the Netherlands? It will become clear in the coming years. As will the answer to the question of whether the US and the EU will dare to make a third attempt at an adequate data exchange treaty.
1. Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, 16 July 2020, Case C-311/18.
2. Decision of the European Commission of 12 July 2016 stating that the EU-US-Privacy Shield Treaty of 2 July 2016 provides an appropriate safeguard for data transfers: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en.
3. Recital 77 – 79.
4. Recital 105.
5. In its judgment, the Court has partly followed the opinion of Advocate General Saugmandsgaard Øe (Opinion of Advocate General Saugmandsgaard Øe, 19 December 2019, Case c-311/18). The Advocate General also concluded that the SCCs could be maintained, and although he was critical of the Privacy Shield, he stressed that the Court did not have to rule on its validity. The fact that the Court has now done so may have to do with the pending case La Quadrature du Net (La Quadrature du Net and Others v Commission, Case T-738/16). In this case, the validity of the Privacy Shield is specifically at issue, and the Court of Appeal could not have escaped the opportunity to (still) examine it.