According to the forthcoming 2017 IAPP-EY Privacy Governance Survey, to be released at P.S.R. in San Diego, 88 percent of companies that transfer personal data from the European Union to the United States and other non-"adequate" countries rely on standard contractual clauses as a valid method for doing so.
As the privacy world now knows, however, the validity of SCCs is now squarely in doubt, following Tuesday’s decision by the Irish High Court in Data Protection Commissioner v. Facebook Ireland and Max Schrems (“Schrems 2.0”). In its ruling, the Irish High Court shared the Irish DPC’s “well-founded concerns” about the validity of SCCs, which made it “necessary and appropriate” to reference the matter to the Court of Justice of the European Union. In doing so, it also rejected Facebook’s argument on the non-application of European law on the issue, saying “clearly EU law is engaged in respect of these transfers.”
So, what happens now? What does the CJEU referral mean procedurally under the EU legal system, and how does it relate to the GDPR’s adoption into law of SCCs as a valid data transfer mechanism? Finally, what should privacy professionals be doing right now to ensure legal compliance while they await more certainty on SCCs?
The role of the CJEU in preliminary rulings
A reference for a preliminary ruling is a mechanism of EU law that allows national member states’ courts to refer questions on certain matters to the CJEU, whose decisions are binding for all member states’ national courts. This ensures uniform application and interpretation of EU law and provides legal certainty. Pursuant to Article 19 (3) (b) of the Treaty on European Union and Article 267 of the Treaty on the Functioning of the European Union, the CJEU has jurisdiction to provide preliminary rulings on the interpretation of the EU law and validity of acts adopted by EU institutions, bodies, offices or agencies.
The scope of the CJEU’s role in a preliminary ruling is to interpret EU law or rule on the validity of an EU Act, “not to apply that law to the factual situation underlying the main proceedings … [which] is the task of the national court or tribunal.” The CJEU is expected to give a reply that will provide guidance in resolving the dispute in the main proceedings, such that the referring court will draw specific conclusions from that reply.
Regarding the hierarchy of the sources of the EU laws, a Directive or Regulation is a type of secondary legislation, which is “valid only if it is consistent with the acts and agreements which have precedence over it,” such as treaties and charters.
Of particular importance to this case is the Charter of Fundamental Rights, a primary source of EU law, which guarantees data protection and privacy at the constitutional level in the EU. Specifically, Article 7 provides: “Everyone has the right to respect for his or her private and family life, home and communications” and Article 8 (1) establishes that “Everyone has the right to the protection of personal data concerning him or her.” Article 47 of the Charter, moreover, provides for the “Right to an effective remedy and to a fair trial.”
In Schrems 2.0, the Irish DPC’s arguments were based on a concern that EU-U.S. data transfers relying on SCCs may violate these fundamental rights. As relayed by the Irish High Court, the DPC was of the view that “there appears to be a well-founded objection that there is an absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the Charter for an EU citizen whose data is transferred to the US where it may be at risk of being accessed and processed by U.S. State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter.”
Furthermore, since the SCC decisions made by the Commission “make no provision whatsoever for a right in favor of data subjects to access an effective remedy in the event that their data is (or may be) the subject of interference by a U.S. public authority, whether acting on national security grounds or otherwise,” the DPC argued that they “do not address her well-founded concerns.”
SCCs under the GDPR
For the time being, SCCs adopted by the Commission are recognized (and incorporated within the GDPR) as an appropriate safeguard for cross-border data transfers. The GDPR specifies that “Decisions adopted by the Commission on the basis of Article 26 (4) of Directive 95/46/EC shall remain in force until amended, replaced, or repealed, if necessary, by a Commission Decision." If the European instruments are declared invalid, “[i]t then falls to the competent European institutions to adopt a new instrument to rectify the situation.”
Yet, with the Oct. 3 decision of Justice Costello to formulate and refer question to the CJEU for a preliminary ruling on the validity of SCCs, pending submissions from the parties to the proceedings as to the content of those questions, their future role in data transfers under the GDPR will, at least for a while, remain uncertain. Indeed, it may not be until after May 2018, when the GDPR is set to come into force, that a determination is made as to whether SCCs remain a valid mechanism for EU-U.S. data transfers.
Post-Schrems 2.0: Additional mechanisms for EU-U.S. data transfers
While awaiting the CJEU’s decision on the adequacy of SCCs, it will be important to remember other mechanisms to legitimize personal data transfers out of the EU, such as the Privacy Shield, as well as those under the Data Protection Directive and forthcoming GDPR.
The Privacy Shield, a framework for transferring personal data from the EU to the U.S., replaced the invalidated Safe Harbor agreement and offers a voluntary mechanism for organizations to self-certify that they are complying with the requirements. According to the forthcoming 2017 Privacy Governance Report, 47 percent of respondents use Privacy Shield as a valid data transfer mechanism, up from just 34 percent in the 2016 report.
The main objectives of Privacy Shield are to impose “stronger obligations on companies handling data” through regular scrutiny by the U.S. Department of Commerce; offer redress and Ombudsperson mechanisms for individuals; provide “effective protection of individual rights,” including free “alternative dispute resolution solutions,” such as through national DPAs, and conduct an “annual joint review.”
Yet, concerns over the Privacy Shield have persisted, particularly in the areas of automated decision-making, the right to object and its applicability to data processors, and U.S. public authorities' access to Europeans’ data. The Privacy Shield is now under challenge in European Courts by the Irish privacy advocacy group Digital Rights Ireland, which is seeking the annulment of the Commission’s decision on the Privacy Shield for failing to comply with the EU’s Charter and provide an adequate level of protection. While the destiny of the Privacy Shield remains uncertain, the Commission “is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice which has been the basis for the negotiations.” Upcoming developments in the Privacy Shield are important to watch not only to understand how reliable it will be for data transfers, but also whether it will reflect expectations around the updated mechanisms.
Adequacy?
The GDPR recognizes the Directive’s prohibition on data transfers outside of the EU (and the EEA) to countries without adequate levels of data protection, but it also provides more details and specific guidance on ways for organizations to implement these safeguards.
Like the Directive, the GDPR also requires that personal data be transferred only under limited conditions. Article 45 of the GDPR provides the conditions of transfers “on the basis of an adequacy decision,” explaining that “A transfer of personal data to a third country or an international organization may take place where the Commission has decided that third country, a territory or one or more specified factors within that third country, or the international organization in question ensures an adequate level of protection.”
In addition, the GDPR adopts the CJEU’s interpretation, specifying that “The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors.”
The GDPR introduces new assessment mechanisms by periodically reviewing adequacy. Considering developments in the third country, this review is to be conducted at least once every four years. If the Commission finds that a third country (or “a territory or a specified sector within a third country, or an international organization”) no longer provides an adequate level of data protection, then the transfer “should be prohibited” unless other requirements are fulfilled, such as appropriate safeguards, binding corporate rules, and derogations. The Commission can repeal, amend, or suspend the decision by implementing acts without retroactive effects.
In the absence of an adequacy decision, a data controller or processor can also transfer personal data to a third country or organization if they have provided “appropriate safeguards.” Transfers that are subject to appropriate safeguards include “a legally binding and enforceable instrument between public authorities or bodies,” binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority and approved by the Commission, approved codes of conduct, and certification mechanisms.). In addition, the GDPR also recognizes derogations for specific situations.
Binding corporate rules (BCRs)
Even though they are not explicitly stated in the Directive, BCRs are another mechanism to use for data transfers, with just over 100 companies that have been through the process to obtain them. They can be described as “internal rules (such as a Code of Conduct)” about international data transfers “within the same corporate group to entities located in countries which do not provide an adequate level of protection.” BCRs are used to ensure that data transfers within the group benefit from an adequate level of protection.
Under the GDPR, competent DPAs shall approve the BCRs and specify the structure and rules that organizations have to comply with in detail. Some of these include specifying the structure of the group of undertakings, the types of processing and its purposes, and the categories of personal data involved in data processing.
As the IAPP-EY Annual Privacy Governance Report 2016 found, however, BCRs are primarily used by large organizations, with only 8 percent of small companies (organizations that have fewer than 5,000 employees) considering them appropriate for data transfers.
Codes of conduct
Under the GDPR, approved codes of conduct can provide a basis for cross-border data transfers “together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.”
DPAs have the authority and advisory power in issuing opinions and draft codes of conduct. Associations and other bodies representing certain categories of data controllers and processors can prepare, amend, or extend codes of conducts under the conditions in compliance with the GDPR. A separate body, which demonstrates independence and expertise in the subject matter, establishes procedures and structures to handle complaints regarding the infringements of the codes of conduct and proves that there is no conflict of interest, can apply to monitor the compliance and periodically review the operation of the code of conducts. This body is also authorized to take appropriate action in the case of noncompliance, such as suspending or excluding the authority from the code and informing the relevant DPA. DPAs can “publish the criteria for accreditation of a body for monitoring codes of conduct and of a certification body” or revoke the accreditation of a body.
Certifications, seals and marks
Another new mechanism the GDPR recognizes is that certifications, data transfers seals and marks may allow cross-border data transfers if they “demonstrat[e] the existence of appropriate safeguards provided by controllers or processors” in line with the GDPR’s requirements. Certifications can be issued by certification bodies, DPAs, or by the European Data Protection Board and businesses can apply for certification or seals by providing “all information and access to its processing activities” to DPAs, the certification body.
This certification body must demonstrate their independence and expertise, subject to approval by the DPA; establish procedures to conduct periodic reviews, withdrawal of certification, seals, and marks; have a mechanism in place to deal with complaints; and show no conflict of interest. These certification bodies shall monitor and assess the certification scheme and withdraw if they fail to fulfill the requirements. The important thing is that these certification mechanisms will be issued for “a maximum period of three years” and may be renewed or withdrawn if requirements are no longer met.
Derogations
Like the derogations listed in the Directive, the GDPR also sets forth derogations for specific situations that will allow data transfers. These are: (a) the “explicit consent” of the data subject to the transfer “after having been informed of the possible risks”; (b) the “necessity” of the transfer for performing a contract or implementation of pre-contractual measures; (c) the necessity of the transfer for the performance or conclusion of the contract “in the interest of the data subject between the controller and another natural or legal person”; (d) the necessity of the transfer for the public interest; (e) the necessity of the transfer “for the establishment, exercise or defense of legal claims”; (f) the necessity of the transfer to protect the “vital interests of data subject where the data subject is physically or legally incapable of giving consent”; and (g) when “the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.”
A novel derogation introduced by the GDPR is the “compelling legitimate interests.” If a transfer is not based on an adequacy decision or appropriate safeguards, including BCRs, and if the other derogations are not applicable:
A transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited a number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
When these conditions are met, the data controllers shall inform the DPAs on the transfer.
Moreover, some of the recital provisions offer additional guidance as to the reliance on derogations. For instance, data transfers based on a compelling legitimate interest require consideration of the nature of the data, purpose and duration of the processing operations, country of origin, destination, and other considerations, such as use in scientific and historical research, statistical purposes, and the legitimate expectations of society.
Conclusion
In its decision to make a reference to the CJEU for a preliminary ruling on the validity of SCCs, the Irish High Court reiterated that the legal issues involved are “vitally important” and “of very major, indeed fundamental, concern to millions of people within the European Union and beyond,” and which require “consistency and clarity” from Europe’s highest court. The interpretation and scope of analysis provided by the CJEU on these issues, as well as Commission’s response throughout the process, may decide the future of SCCs under the GDPR.
In line with these recent legal developments affecting the EU-U.S. data transfers, including the invalidation of Safe Harbor and recent challenges to the validity of SCCs and the Privacy Shield, providing a meaningful, “essentially equivalent” mechanism to meet the EU’s expectations to ensure privacy and data protection in data transfers should be a priority. Providing a more robust redress mechanism, creating opportunities for data subjects to be involved in the process, and increasing transparency should be at the forefront of the discussions around cross-border data transfers. Not only does the forthcoming GDPR impose higher sanctions for noncompliance, legal developments demonstrate that ensuring data protection and privacy under the EU data protection framework significantly affects an organization’s practices and data flows across the Atlantic and elsewhere around the world.
Photo credit: You read like a book via photopin (license)