ECJ decision upholds EU standard contractual clauses but not Privacy Shield.

In the decision of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems the European Court of Justice (“ECJ”) upheld Commission Decision 2010/87 that controller to processor standard contractual clauses (“SCCs”) are valid but the EU-US Privacy Shield (“Privacy Shield”) is invalid.

The decision is the latest in a long-running battle between privacy campaigner Maximillian Schrems and Facebook. Under EU data protection law, personal data cannot be exported out of the EU unless:

  1. The European Commission has made an adequacy decision in relation to the country to which the data is being transferred. Such a decision confirms that, once transferred out of the EU, the data will be protected to EU standards.
  2. Appropriate safeguards have been put in place (such as the EU’s standard contractual clauses (SCCs) or binding corporate rules) which provide data subjects with enforceable rights and effective legal remedies.
  3. The transfer falls within one of the exemptions specified in the GDPR, for example the data subject has consented to the transfer.

Data transfers from the EU to the USA used to be permitted under a framework known as safe harbour but in 2015 Mr Schrems successfully challenged safe harbour, which Facebook had sought to rely on to justify the transfer of personal data from Facebook Ireland to Facebook Inc in the USA.

Mr Schrems’ concern was that personal data transferred to the USA would be subject to different data protection rules which might not align with the rights guaranteed under the Charter of Fundamental Rights of the EU (Charter). For example, personal data can be transferred to governmental agencies such as the FBI.

Following the 2015 decision the Privacy Shield framework was established to replace safe harbour, while Facebook Ireland used the SCCs to transfer personal data to the USA.

The ECJ took the view that the SCCs enable personal data to be effectively protected and it therefore confirmed the validity of controller to processor SCCs. The following factors were relevant to the ECJ’s decision:

Articles 2(1) and (2) of the GDPR allow personal data to be exported out of the EU for commercial purposes even if public organisations can process the data for purposes of public safety in the “third country” to which it is transferred.

Article 46(1) and (2)(c) of the GDPR require equivalent data protection rights, appropriate safeguards and enforceable legal remedies for individuals who have their personal data transferred outside the EU to third party countries under the SCCs as would have been guaranteed by the Charter.

For SCCs to be valid they must contain mechanisms which guarantee data subjects an equivalent level of protection to that provided under the Charter with ongoing supervision and the suspension of the SCCs if compliance is not possible.

Articles 58(2)(f) and (j) of the GDPR require supervisory bodies to suspend the transfer of personal data outside the EU under the SCCs where they cannot be sure that the terms of the SCCs can be complied with.

The ECJ then went onto consider the Privacy Shield but concluded that it is invalid. In the USA public security takes primacy over data privacy and so there is a risk that US public bodies might interfere with personal data transferred from the EU. Individuals whose data is transferred to the USA will not have privacy rights equivalent to those in the EU and may not have access to sufficient legal remedies in the event of a data breach.

The good news for businesses is that they may continue to use the SCCs to transfer personal data to third parties outside the EU. However the decision outlines additional measures which must be taken – the organisation exporting data out of the EU must make sure there are sufficient data protection mechanisms in place to provide protection equivalent to EU standards. These mechanisms must be routinely monitored and if the level of protection falls below what is required, the transfer of data must be stopped.

Any businesses which rely on the Privacy Shield must now use a different mechanism to transfer data to the USA. The ICO has issued a statement which confirms that businesses may continue to use the Privacy Shield until new guidance becomes available, but no businesses should start using the Privacy Shield. It is not yet clear how long these transitional arrangements will last.

If you have any questions about the contents or this article, or data protection more generally please do get in contact with us by emailing [email protected].