Does Schrems II Doom Use of SCCs for EU–US Data Transfers? No Answers and Clouds are Gathering
It’s been well written that in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), the Court of Justice of the European Union (CJEU) struck down the Privacy Shield, a mechanism created to permit the transfer of personal data from the European Economic Area (EEA) to the U.S. The decision also confirmed the validity of the EU Standard Contractual Clauses (SCCs) for the transfer of personal data outside the EU/EEA. However, in its holding, the CJEU stated that whether the SCCs may constitute a lawful basis for the transfer of personal data depends upon whether the recipient of the data (i.e., the data importer) operates in a jurisdiction that affords “a level of protection essentially equivalent to that guaranteed within the EU.”
Given that the Court struck down the Privacy Shield on the basis that it did not afford EU residents a sufficient level of protection of their personal data, the question remains whether Schrems II, which validated the SCCs, also may be read to invalidate their use for EU-U.S. personal data transfers. Some read the decision as saying just that. If that reading is correct, the holding would, during a time of economic hardship caused by the pandemic, have an even broader impact on U.S. businesses by virtually de-legitimizing EU-U.S. data transfers going forward.
A Brief (and Simplified) History of Schrems
Cicero once said that to not know one’s past is to not know one’s future. In that same vein, it is important to understand that the genesis of the controversy surrounding the transfer of EU personal data to the U.S. stems from the U.S. government’s data surveillance program. In Europe, privacy is considered a basic human right. In essence, governments may not collect personal data absent demonstration of a legitimate need to obtain specific information and that the collection is proportionate to the demonstrated need. In the U.S., however, the U.S. government may collect personal information under laws and orders, including Section 702 of the Foreign Intelligence Surveillance Act of 1977 (FISA) and Executive Order 12333, without demonstrating such need or proportionality, which conflicts with privacy protections afforded under EU law.
In 2015, in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (Schrems I), the CJEU invalidated the then EU–U.S. Data Protection Safe Harbor Act, which had governed EU-U.S. transfers of personal data, on the basis that the Safe Harbor did not cure the lack of EU-level protections of personal data transferred to the United States. Schrems I involved a challenge brought by Austrian law student Maximilian Schrems in which the Irish Data Protection Commissioner (DPC) determined that the Safe Harbor precluded the Irish DPC from halting Facebook’s personal data transfers from Ireland to the U.S. when Facebook allegedly was providing information to the U.S. Intelligence Services in violation of EU data protection laws. From the ashes of Schrems I rose the Privacy Shield.
The Privacy Shield was a mechanism intended to provide the appropriate safeguards deemed absent in the Safe Harbor under Schrems I. At the time of its creation, some suggested that the Privacy Shield was doomed. Those predictions proved correct. The crux of the Schrems II invalidation of the Privacy Shield is the CJEU’s determination that (1) the U.S. government could still access personal data transferred under the Privacy Shield, and (2) the Privacy Shield ombudsperson mechanism did not provide EU data subjects effective administrative and judicial redress for violations of their rights.
In the Schrems II decision, the Court stated:
196. … [a]lthough recital 120 of the Privacy Shield Decision refers to a commitment from the US Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.
197. Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.
* * *
199. It follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.
The Schrems II Decision and the Future of SCCs
Schrems II also validated the use of the SCCs as a mechanism for permitting the transfer of personal data outside of the EEA. However, the validation is not absolute. The Court stated that whether the SCCs may constitute a lawful basis for a transfer of personal data to a jurisdiction without an adequacy decision, such as the U.S., depends on whether the recipient of the data (i.e., the data importer) operates in a jurisdiction which affords “a level of protection essentially equivalent to that guaranteed within the EU.” The Court stated:
105. Therefore, the answer to the second, third and sixth questions is that Article 46(1) and Article 46(2)(c) of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation. [Emphasis added.]
Given the Court’s findings on the lack of adequate protections in the U.S. that served as the basis of striking down the Privacy Shield, some EU regulators have taken the position that Schrems II invalidates the use of SCCs for EU-U.S. transfers of personal data.
In a July 16, 2020 press release following the Schrems II ruling, Ireland’s Data Protection Commission stated it “strongly welcomes” the ruling, and that the decision “firmly endors[es] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States.” The Irish DPC further observed that:
the SCCs transfer mechanism…is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.
During an IAPP LinkedIn Live session, Irish Data Protection Commissioner Helen Dixon also opined that binding corporate rules likely will not serve as an alternative to SCCs because they “won't be applicable” as they “are not a broad-based or flexible solution.” Ireland’s DPC cast further doubt on the validity of supporting a U.S.-EU data transfer with the SCCs when, in early September 2020, it notified Facebook of a preliminary suspension order that denies Facebook use of the SCCs. Currently, the Irish DPC’s Facebook order applies only in Ireland, but the order is before the EU’s other DPCs for joint approval, which would expand its geographic scope.
In an FAQ, the European Data Protection Board (EDPB) stated that EU data controllers must verify whether their processors and sub-processors transfer data to the U.S. If so, and if such data transfers are inadequate because supplementary measures cannot be provided or because no derogations under Article 49 of the GDPR apply, companies must renegotiate their contracts to forbid transfers to the U.S.:
If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S. [Emphasis added.]
In addition, German Data Protection Agencies in Berlin and Hamburg also have expressed unfavorable views on the use of the SCCs to transfer personal data from the EU to the U.S., explicitly stating in press releases that the SCCs are insufficient for such data transfers.
In lieu of continuing these transfers, the Berlin commissioner advised EU data controllers to begin using service providers based in the EU or another third country with an adequate level of protection instead of engaging in data transfers to the U.S.
This mandate for data localization, however, is not feasible in the commercial sector. For one, arguably it only works if the data is stored only in the EU and there is no access to the data from outside the EEA, as access could constitute a data transfer. It also ignores the reality that multi-national corporations may need to access and process data during work hours outside of EU time. It also simply is not an option for many companies due to the costs that localized data storage would incur.
Moving Forward Post-Schrems II
There are no easy answers. Notably, the United Kingdom government emphasized in a July 17, 2020 press release following Schrems II that it had intervened in the case in support of the continued validity of the SCCs, and that “[i]t is pleased that this important mechanism for transferring data internationally remains in place and is considering any further implications that may arise from the judgment in respect of this.”
The U.S. government issued its own formal response to Schrems II through a September 28, 2020 Department of Commerce White Paper. Intended to supply additional information for organizations assessing whether U.S. safeguards are sufficient to support personal data transfers from the EU, the White Paper emphasized that the majority of data transfers into the U.S. are not of interest to U.S. intelligence agencies (a reality Schrems II never addressed). As a result, the White Paper argues, the CJEU’s concern that personal data transferred into the U.S. is at risk of U.S. intelligence surveillance is hyperbolic and unfounded. Further, the document contends that in the rare instances where the U.S. intelligence community has an interest in such data, such surveillance would be in the public interest and would be acceptable under the Article 49 derogations.
The White Paper also contends that when considering the sufficiency of the SCCs, companies should analyze additional information that the CJEU did not review in Schrems II because of a limited judicial record that excluded information post-dating July 2016. Contrary to the findings in Schrems II, the White Paper contends that (1) sufficient judicial oversight of U.S. intelligence agencies’ collection of data exists under U.S. law, (2) such data collection is targeted and tailored, (3) EU citizens have avenues for redress under U.S. law should their information be illegally compromised, and (4) additional privacy safeguards have been added under U.S. law since July 2016.
The White Paper, however, cannot protect a company from prosecution by a supervisory authority under GDPR. In a letter from the Department of Commerce Deputy Assistant Secretary James Sullivan that accompanied the White Paper, Mr. Sullivan stated:
While the White Paper can help organizations make the case that they should be able to send personal data to the United States using EU-approved transfer mechanisms, it is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts. Nor does it eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.
Whether the EU member states will begin to fragment in their interpretation of Schrems II is, like the options currently available to organizations transferring personal data from the EU to the U.S., unclear. Nor could fragmentation serve as a long-term solution.
The European Commission is currently working on updated SCCs, which may be available in December 2020. Whether the revised SCCs will remedy the apparent shortfall so as to permit the transfer of personal data from the EU to the U.S. is unclear and unlikely. In the near term, organizations should begin conducting “Transfer Impact Assessments,” and U.S.-based processors should begin to expect them. Such assessments review the nature of data transfers and their potential risks in relation to the countries of destination concerned, and will become more common in light of the Schrems II case-by-case approach to use of the SCCs. EU regulators are expected to issue guidance on such assessments.
While the Article 49 derogations, such as consent, public interest, or the fulfillment of transactional requirements, would permit an EU-U.S. data transfer, the derogations also may be infeasible in many contexts. Another possible solution is the use of customer-managed encryption, or other technical safeguards, designed to protect personal data from interception and also to require intervention from EU data subjects in order to release or decrypt such data. But this also may not be a workable solution in many contexts. In the long term, Schrems II and its application ultimately may significantly reduce international transfers of personal data from the EU, as companies opt for EU-based data storage and hosting facilities to enhance protection of EU personal data and comply with EU requirements.