The CJEU found that the European Commission's adequacy provision for the Privacy Shield was invalid for two main reasons. First, the Court found that the US surveillance programmes assessed by the Commission in its Privacy Shield decision are not limited to what is strictly necessary and proportionate under EU law and therefore do not meet the requirements of Article 52 of the Charter of Fundamental Rights of the European Union. Second, the General Court found that the persons concerned in the European Union do not have a remedy subject to review in relation to US surveillance and therefore do not have the right to an effective remedy in the United States, as required by Article 47 of the Charter of the European Union. To date, the following jurisdictions have been recognized as ensuring adequate protection of personal data (i.e. The parties to an adequacy decision are: The recent decision of the Court of Justice of the European Union (CJEU) in the Schrems II case, which found the EU-US Privacy Shield invalid and its additional findings regarding the Standard Contractual Clauses include important mechanisms for the transfer of personal data from the EU to the US, with important implications for the trade and development of technologies such as cloud computing and artificial intelligence (AI). Regarding the new legal bases for transfers, they can consider several options, which are described in the EU General Data Protection Regulation. These include, subject to all the above discussions, binding corporate rules that must be approved by data protection authorities for each company and, although not included in the decision, are likely to be subject to similar restrictions. Data protection experts may also consider consent and other exceptions under Article 49 of the GDPR. The Schrems case was brought before the High Court of Ireland before being referred back to the CJEU for a preliminary ruling.
On 6 October 2015, the CJEU issued its long-awaited ruling declaring the Safe Harbour mechanism invalid. Article 46 of the GDPR sets out a number of tools that can be relied upon to ensure that adequate safeguards are in place to protect personal data when transferring data outside the EEA. Following the Schrems II decision, the European Commission published its revised draft SCC for public consultation, which was discussed for some time in light of the entry into force of the GDPR.
The revised SCCs follow a modular approach to take into account the diversity of transfer scenarios. In the European Commission's draft, the Commission mentions four different cases of application: the basis of the CJEU decision in the Schrems I and Schrems II cases, which declared the EU-US Safe Harbor Agreement invalid, and in this most recent case, the EU-US Privacy Shield is a separation between the international impact of the GDPR and its national application on the national security authorities of the Member States. Both Schrems cases concerned the US government's access to personal data for national security purposes and the rights of EU citizens in the US to judicial review and redress. In both cases, the CJEU found that US protection was insufficient, as the US failed to provide the protection and remedies available in the EU. With regard to access to data for national security purposes, EU law, including the GDPR, requires that any restriction on EU privacy rights be “necessary and proportionate”.5 At the same time, national security is the sole responsibility of Member States.6 Indeed, each EU country is free to reconcile national security needs with data protection rights. However, the EU does not have a margin of discretion similar to that of third countries. In fact, the GDPR uses the threat to remove access to personal data from the EU as a tool to seek to reform other countries' security agencies to reflect the CJEU's notion of proportionality, while freeing member state governments from similar expectations or threats. This effectively makes the CJEU the arbiter of proportionality of other countries' approaches to data access on national security grounds.7 To understand the impact of this decision on these GDPR transfer mechanisms, it is useful to reflect on the institutional incentives and priorities behind the divergent conclusions of the European Commission, on the one hand, and EU national courts and the CJEU, on the other hand.
In an adequacy decision, the European Commission balances a number of objectives that are in tension with each other. While focusing on assessing the relevance of US legislation and practices under the GDPR, the Commission is also examining the impact of the cessation of personal data flows on international trade, investment and diplomatic relations.
On the other hand, the procedure for challenging a finding of adequacy is based on the findings of a national data protection supervisor, the findings of national courts and, finally, the CJEU. None of these bodies is supposed to address the range of issues at stake for the Commission. On the contrary, the question is narrower: whether the third country guarantees a level of data protection compatible with the Charter of Fundamental Rights of the European Union. It is these competing institutional incentives and guidance that help explain the different conclusions about whether the United States grants adequacy. Regarding the invalidity of the EU-US Privacy Shield, the European Commission confirmed that it is in talks with its US counterparts in order to reach a common understanding of the CJEU judgment and to explore ways to address the concerns raised by the Court. Following the lifting of the Safe Harbour mechanism, Max Schrems again lodged his complaint with the Irish DPC on the grounds that Facebook had continued to transfer personal data from its European headquarters in Ireland to the United States and was now relying on the SCCs. On 12 April 2018, the Irish High Court referred the case back to the CJEU with eleven questions. Schrems II is the most commonly used abbreviation for Data Protection Officer v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), presented by Max Schrems, an Austrian lawyer, data protection expert and founder of noyb – an organisation that aims to bring data protection disputes under the GDPR before EU courts.
However, as the name suggests, the Schrems II case was the second high-profile case raised by Schrems in connection with international data transfers between the EU and the US. It is not (yet) clear what additional measures would be sufficient to address these concerns, and in reality this could prove to be an impossible and impractical task. While adequacy decisions provide certainty as to which countries meet the threshold of protection, in the absence of “deficiency decisions”, it will be extremely difficult for companies to say with certainty which countries do not. Therefore, when using SCCs to justify a data transfer, it is advisable to seek legal advice as to whether and what additional safeguards may be necessary. For small businesses, however, the impact is most pronounced. For many, moving to the EU is not an option. SCCs exist, but according to the government, additional protections may be needed for SCCs to be viable. Again, it is unclear what such safeguards might look like, or whether SMEs could implement them, even if they existed. The CJEU ruling also obliges processors in third countries to inform EU controllers of changes in legislation that prevent compliance with a CBA. This represents an additional supervisory burden for SMEs in third countries and, if they do not exist, these companies can be held liable for damage caused to the persons concerned in the EU.
Challenges related to the creative and creative sectors also create additional costs and discourage EU companies from developing digital supply chains with SMEs from third countries. The CJEU stated in its decision that Article 6 of the SCCs provides that a breach of the SCCs gives rise to a right of the data subject to compensation for the damage suffered. If the data exporter is aware that special categories of data may be transferred to a country that does not offer adequate protection, it must inform the data subjects in advance or as soon as possible thereafter. If the data importer receives a notification that the legislation of the third country has been amended in a way that would affect the ability to comply with the SCCs, it must inform the data exporter. The question of how the US government accesses data for national security led the CJEU in both Schrems cases to declare the European Commission's adequacy finding regarding the US invalid. This Schrems decision also makes it clear that not only adequacy decisions, but also SCCs and BCRs are much more limited than originally thought. Another consequence of the Schrems decision is to highlight the fragility of these GDPR data transfer mechanisms. While the Irish High Court and the CJEU overturn a second adequacy decision of the Commission, the CJEU clarified that SCCs (and BCRs) can at any time require the cessation of data flows if the processor in the third country is unable to comply with the GDPR, either due to requests for access to data from a third government, or because of changes in the law. These results will inevitably increase the risk for companies that depend on cross-border transfers of personal data. This will affect not only large technology companies, but also manufacturing and service companies, which are increasingly data-driven.
The CJEU ruling brings considerable clarity in some areas and raises additional questions in others, which will undoubtedly be worked through by businesses, regulators and policymakers in the days and perhaps even years to come. We will continue to provide additional guidance and analysis to help privacy professionals meet the challenges ahead.