On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member states plus Iceland, Liechtenstein, and Norway, to allow the transfer of personal data to the United States and other countries outside the EEA.
Even though the ECJ is not expected to issue its ruling for six to 12 months, the potential invalidation of the SCCs and the Privacy Shield is already creating significant uncertainty for companies doing business in the EEA. Invalidation of both would leave companies without an adequate legal mechanism to transfer their data outside the EEA, ultimately leaving them with two options: localize data in the EEA (which comes with cost and complexity), or continue to transfer data outside the EEA despite the absence of an adequate legal basis to do so, which would risk potential fines under the GDPR (up to $24 million or four percent of global annual revenue, whichever is higher).
First Things First: Schrems 1.0
Max Schrems, an Austrian privacy activist, filed a complaint with the Irish Data Protection Commissioner (DPC) in 2013 relating to data transfers to the U.S. by Facebook Ireland in the wake of the Snowden revelations. The complaint alleged a violation of data protection rights because of data sharing between U.S. companies and intelligence agencies, in particular the National Security Agency (NSA).
The complaint ultimately ended up before the ECJ, and raised questions concerning whether the Safe Harbor framework (the predecessor of the Privacy Shield that allowed data transfers from the EU to the U.S.) infringed the right to privacy, the protection of citizens’ personal data, and the right to an effective judicial remedy before a court under the EU Charter of Fundamental Rights (Charter).
In October 2015 the ECJ agreed with Schrems and invalidated the formal decision of the EU Commission upon which the Safe Harbor framework was based. The court found that the Safe Harbor did not provide an adequate level of protection for personal data, particularly in light of the ease of access of U.S. intelligence agencies to EU personal data and the lack of legal redress for individuals who wanted to exercise their privacy rights.
The court’s decision (known as Schrems 1.0) left approximately 4,500 participants in the Safe Harbor trying to find another way to legitimize data transfers outside the EEA. Many of these companies switched to SCCs, which are EU Commission-approved, standardized contracts that contain boilerplate language and are ready to “plug and play” with some minor tweaks. SCCs allow businesses to transfer data from the EEA to anywhere in the world, not just to the U.S., which makes them more widely usable than Privacy Shield (which is limited to data transfers to the U.S.). The EU Commission has drafted three sets of SCCs, depending on whether the data recipient will be a controller or a processor.
Following lengthy negotiations with the U.S. government, in 2016 the EU Commission also approved an enhanced version of the Safe Harbor—the Privacy Shield—as providing adequate protection under EU data protection standards. Approximately 5,000 companies have joined the Privacy Shield.
And They Lived Happily Ever After?
No. Max Schrems filed a new complaint with the Irish DPC challenging Facebook’s use of SCCs as a transfer mechanism. The Irish DPC referred the case to the Irish High Court, which heard the case in 2017 and in turn referred the case to the ECJ in 2018. The high court’s referral includes a list of pertinent questions regarding the legitimacy of EU-US data transfers. When assessing the case, the high court focused on whether the existing mechanisms provide effective legal redress in light of exemptions provided for reasons of national security. The court found that effective legal redress did not exist, since such exemptions could potentially act as a carte blanche for any government access to data, meaning that the data would not receive the protections of the GDPR.
The high court also noted that the Privacy Shield is not an EU Commission adequacy decision, but instead “a unique transfer mechanism.” As for the SCCs, the high court noted that the third-party beneficiary clause allows an individual to bring a lawsuit against the parties to the contract for violating their contractual obligations, but excludes lawsuits against the data exporter for not complying with EU data protection law. The high court then reviewed provisions of the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act, and concluded that they led to mass data processing by intelligence agencies, whereas the protections under the Fourth Amendment of the U.S. Constitution were not available to most EU citizens. Finally, the U.S. Privacy Ombudsman, which has a specific role under the Privacy Shield, was criticized for not being independent from the executive and not having powers of judicial oversight, a concern that has been repeatedly raised by the European Data Protection Board (EDPB).
The upcoming hearing will allow all the parties, including EU institutions, to voice their points on this matter. The Advocate General (AG) will then issue his/her opinion on the case, typically in three to six months following the hearing. The AG’s opinion is not legally binding on the court, but is often an omen of the final ruling. The ECJ will then issue its ruling, which typically happens three to six months following the AG’s opinion. This means that the court’s ruling on the future of the SCCs and the Privacy Shield is expected in the first half of 2020.
As far as scenarios go, the ECJ could invalidate the entirety of the SCCs and/or Privacy Shield with immediate effect. This would practically mean that neither SCCs nor the Privacy Shield could be used to provide a legitimate basis for any data transfers outside the EEA. As such, companies will need to find another way to legally transfer their data abroad. Other possible outcomes are that the ECJ could annul the SCCs and/or Privacy Shield only in part, or give the parties several months to negotiate an enhanced Privacy Shield or issue new SCCs.
If the SCCs and the Privacy Shield are annulled in whole or in part, swift action will be necessary either to reach a new agreement on an enhanced Privacy Shield or to issue new SCCs, or both. However, it may be difficult for the EU and the U.S. to agree on a revised Privacy Shield given the current political climate, and approval of new SCCs by the commission may take some time, which would leave many companies in a difficult situation during the interim.
This may leave companies with only two options to transfer their data outside the EEA: Binding Corporate Rules (BCRs) or derogations. BCRs are internal, legally binding data processing rules adopted by international companies that guarantee a high standard of data protection. BCRs are seen as the “gold standard” in data privacy, and an increasing number of companies seek BCR approval from the data protection authorities. The current number of BCR-approved companies is limited (circa 120), but is constantly increasing. BCRs are expected to become more mainstream as companies invest in accountability/governance for GDPR compliance, but they typically require six to 12 months until they are approved.
The GDPR also provides a list of derogations where data transfers outside the EEA are permitted. These include an individual’s explicit consent, a contractual obligation, reasons of public interest or an individual’s vital interest, or potential litigation. However, as the word suggests, derogations are seen as exceptional and limited in use, and their use is closely scrutinized by courts and data protection authorities. Hence, companies cannot rely on derogations for routine data transfers outside the EU.
If none of these options are available, companies will need to wait for a new data transfer mechanism. In the meantime, some may be inclined to stop transferring data outside the EU, which may be practically impossible for operational reasons, highly disruptive, and costly. Alternatively, they may continue to transfer data abroad, which may expose them to liability for GDPR administrative fines and civil actions, including class actions, from EU individuals. Irrespective of the outcome, international companies are already drawing up contingency plans to be as prepared as possible. In the fallout of Schrems 1.0, many companies changed the mechanism that they use to transfer their data abroad—and so it remains to be seen whether such radical change will be required anew. A few months from now, we will find out whether the ECJ will open Pandora’s box, or whether it has an elegant solution up its sleeve.