The Privacy Shield arrangement is a framework allowing companies to transfer personal data from the European Union (“EU”) to the United States (“US”). This article analyses the ruling of the CJEU in the Schrems II case and sets out its implications for the international data transfer regime.
By: Shail Maheshwari, KIIT, School of Law.
On 16th July 2020, the Court of Justice of the European Union (“CJEU”) unexpectedly declared the E.U.-U.S. Privacy Shield arrangement invalid in its judgment in Data Protection Commissioner v. Facebook Ireland Ltd., Maximilian Schrems (“Schrems II”). The Privacy Shield arrangement is a framework allowing companies to transfer personal data from the European Union (“EU”) to the United States (“US”). The decision of the CJEU means that companies which seek to transfer the personal data of EU customers to the US now have to rely solely on EU-sanctioned legal contracts, i.e. Standard Contractual Clauses (“SCCs”), which the court held to be valid in this judgment.
The Schrems II judgment is a companion to the earlier judgment of the CJEU in Maximilian Schrems v. Data Protection Commissioner (“Schrems I”), which invalidated the E.U.-U.S. Safe Harbour arrangement, the predecessor to the Privacy Shield arrangement.
An Analysis of the Schrems II Judgment
In 2013, the complainant Maximilian Schrems, a privacy activist, had first complained to the Irish Data Protection Commissioner (“DPC”) with regards to Facebook’s data transfer practices.
The complaint primarily concerned Facebook’s alleged use of SCCs to transfer the data of EU-based Facebook users to the US, leaving the personal data of those users vulnerable to the surveillance programs of the US government.
Thus, he sought the suspension of Facebook’s data transfers carried out pursuant to the SCCs.
After the complaint was rejected by the DPC, Schrems approached the Irish High Court, which referred various questions to the CJEU for a preliminary ruling. Of the questions referred, the two most important were:
- whether SCCs are valid under the EU Charter of Fundamental Rights (“the Charter”); and
- whether the EU-US Privacy Shield ensures adequate protection under Article 45 of the General Data Protection Regulation (“GDPR”).
Validity of SCCs
In its ruling, the CJEU clarified that the GDPR applies to the transfer of personal data by an economic operator for commercial purposes. It further observed that an economic operator can transfer personal data only if it is established in a member state. In any event, the level of data protection afforded must be equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter.
Upholding the validity of SCCs, the CJEU stated that the assessment of the level of data protection guaranteed by the SCCs must take into account two important considerations:
- the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country; and
- as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.
Validity of the Privacy Shield
The CJEU determined the validity of Decision 2016/1250 (“the Privacy Shield decision”) in light of the adequacy of the protection provided by the EU-US Privacy Shield. The Privacy Shield had been in force since 2016 and also imposed certain restrictions on US government access to the data of EU citizens. Many companies in the US had relied on it to receive personal information from the EU.
Since 2018, with the introduction of the GDPR, the required level of data protection has increased, and for companies located in the US, complying with the protection standard of the Privacy Shield did not necessarily mean being GDPR compliant.
In light of the facts of the Schrems case, the CJEU invalidated the EU-US privacy shield under its “adequacy decision” power provided by Article 45(2)(a) of the GDPR which states that such a decision can be made in light of “the rule of law, including national security and the access of public authorities to personal data as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred.”
Accordingly, the CJEU laid down the main reasons for invalidating the privacy shield as follows:
- The CJEU stated that the Privacy Shield’s protections were not “essentially equivalent” to those required by EU law, as “the surveillance programs based on those provisions are not limited to what is strictly necessary.”
- The provisions of the privacy shield did not grant “data subjects actionable rights before the courts against the U.S. authorities.”
- The body created to handle complaints lacked independence “to adopt decisions that are binding on the U.S. Intelligence services.”
The Implications of the Schrems II judgment
The implications of the judgment are discussed below, first with respect to the impact on transatlantic data flows and second with respect to the global impact.
Impact on transatlantic data flows: The CJEU did not lay down any transition period for companies to adjust to and comply with the change in data protection norms. Thus, companies that rely on data flows from the EU have been left unclear about the implications of the decision for their business. The United States Secretary of Commerce highlighted this concern in his statement following the Schrems II decision.
He stated that “data flows are essential not just to tech companies, but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies including more than 53000 privacy shield participants are able to transfer data without interruption.”
This statement makes clear that the decision affects not only large organizations like Amazon, Google and Facebook but also smaller organizations, which now have to rely either on a new data transfer mechanism or on the SCCs. Thus, companies will have to look for alternatives to carry out everyday operations such as storing documents on cloud-hosted servers and sending emails.
Further, these alternatives, primarily in the form of SCCs, can be evaluated and challenged by the EU regulators on a case-by-case basis and can be invalidated if they do not comply with the GDPR.
The global impact of the decision: The decision is significant from the global perspective as it reinforces the importance of user data protection in international commerce. It also lays down a rigorous data protection standard which can be used to assess and build data governance models in countries like China, which has had a high incidence of personal data leaks and privacy breaches affecting internet users. Data exports from the EU to China are large owing to transfers to Chinese firms like TikTok and Alibaba.
Thus, if the CJEU ruling is also enforced in countries like China, it will help in better understanding the economic implications of stronger data protection laws.
Further, several countries like the UK and Israel conduct extensive surveillance of personal data for national security purposes. The CJEU ruling has reopened questions as to the sufficiency of data protection in these regions as well.
Invalidation of the Privacy Shield in the Schrems II ruling can lead to two possible scenarios in the future. US companies which rely on EU data can continue cross-border data flows from the EU on the basis of SCCs, or the two jurisdictions will negotiate a successor to the E.U.-U.S. Privacy Shield. At present, however, there is complexity and uncertainty with respect to how quickly the transition has to be made to remain compliant with EU law, the economic implications of the decision for smaller firms, and the risk of being penalised by EU regulators given the lack of clear guidelines on adequate measures for data protection.