Greetings from Fontainebleau, France.
Well, there we have it. The much anticipated "Schrems II" case, the source of much anxiety for many privacy professionals of late, was ruled upon this week. The Court of Justice of the European Union ruled Thursday that Privacy Shield, the EU-U.S. data protection agreement, is invalid.
Sound familiar? It's Safe Harbour all over again — 2015 revisited. Once again, major international companies dependent on the European Commission transfer mechanism are faced with new uncertainties and challenges. This decision complicates their modus operandi, which involves the daily transfer of bulk quantities of user data to servers in the U.S. for processing. There are presently 5,300 companies using Privacy Shield that may be affected. The decision also carries a clear political message: Europe is at odds with the handling of European citizens' data Stateside, whether judged as adequate or as in line with the European Charter of Fundamental Rights. I dare say this decision will send public officials on both sides of the Atlantic into a heightened sense of urgency to find a replacement mechanism.
In examining the Shield in light of the protections afforded European citizens under the GDPR, the CJEU found that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” Moreover, and contrary to the position of the European Commission, the court found that the ombudsman mechanism was lacking and did not offer data subjects actionable rights and guarantees, substantially equivalent to those offered by EU law, that would be binding on U.S. intelligence agencies.
In the same ruling, the CJEU considered standard contractual clauses for the transfer of personal data to processors established in third countries to be valid. However, this may not prove straightforward for companies. While SCCs do not contain the same assessment provisions on the protections offered by a third country as the Privacy Shield did, the court did emphasize the obligations of the data controller.
When I spoke with Kate Colleary, IAPP country leader for Ireland, she had this to say: “To rely on SCCs organizations will have to undertake documented due diligence to underpin their reasoning for the validity of the transfer.” She added that data transfers could be overturned by the local supervisory authority. Controllers will need to be accountable for, and able to demonstrate, their due diligence. Supervisory authorities have the authority to audit and review SCCs and to halt data transfers where they find there is no adequate protection afforded by the country for which the data is destined. This is problematic, given the court’s decision concerning the lack of adequacy in the U.S. In short, the risks associated with data transfers using the SCC mechanism need to be properly assessed, taking account of the destination of the data flows. Invariably, the data controller carries a high level of accountability, as well as the legal obligation to suspend data transfers to countries where levels of protection equivalent to EU law are not assured.
By extension, it will be interesting to see how this ruling is received by the European Data Protection Board and the national EU regulators. The net result may be more regulatory activity and enforcement effort in the area of international data transfers. Those jurisdictions with wide-sweeping surveillance powers may well become the focus of new investigations.
There is a lot to unpack in this latest ruling, and it may take some time to fully clarify its impact on international data flows. In the meantime, check out our early analysis here.