The Court Of Justice's Decision In Schrems II: Transferring Data Outside Of Europe Just Got More Complicated

• Published date: 22 July 2020
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: Alston & Bird LLP Belgium
• Author: Mr Wim Nauwelaerts and Paul Greaves

Introduction

On July 16, 2020, the Court of Justice of the European Union ('CJEU') handed down its long-awaited judgment in the 'Schrems II' Case (Facebook Ireland and Schrems (Case C-311/18)) concerning the legality of data transfers outside the European Economic Are ('EEA') under the General Data Protection Regulation ('GDPR')¹.

In somewhat of a surprising judgment, the CJEU invalidated the EU-U.S. Privacy Shield² ('Privacy Shield'), meaning that it is no longer available as a mechanism for legitimizing transfers of personal data to the U.S. The CJEU also held that the European Commission's Standard Contractual Clauses ('SCCs')³ remain valid as a legal mechanism for transferring personal data outside the EEA. However, the CJEU issued a number of clarifications and caveats on their use going forward. The CJEU emphasized that companies using SCCs to transfer data outside of the EEA should make case-by-case assessments on the effectiveness of the SCCs. They must also suspend their data transfers if it is not or no longer possible to adhere to the SCCs. Failing that, the competent supervisory authorities must block further data flows under the SCCs.

Businesses that have been relying on these legal mechanisms to transfer data outside of the EEA are now strongly advised to assess their options.

What happened in Schrems II?

Prior to Schrems II

The case under discussion in this article has come to be known as the 'Schrems II' case. As suggested by that name, this is not the first case involving the claimant Mr. Schrems - an Austrian privacy activist. Mr. Schrems first filed a complaint with the Irish supervisory authority - the Data Protection Commission ('DPC') - in 2013, which focused on Facebook's transfer of his personal data to the U.S. At the time, Facebook relied upon the 'U.S.-EU Safe Harbor' framework to legitimize the data transfer. Mr. Schrems' main concern was that in the U.S. his personal data was not adequately protected from unlawful access by U.S. authorities and agencies.

The resulting case has come to be known as Schrems I, and lead to the CJEU invalidating the U.S.-EU Safe Harbor framework in October 2015. The U.S.-EU Safe Harbor framework was eventually replaced by the Privacy Shield.

Key Issues in Schrems II

Following the Schrems I case, Mr. Schrems continued his quest against Facebook and reformulated his complaint to the DPC to take account of the fact that the U.S.-EU Safe Harbor framework had been struck down. The DPC established that Facebook continued to transfer personal data to Facebook Inc. in the U.S., in reliance in large part on the use of SCCs.

Schrems' reformulated complaint did not in fact focus on the validity of the SCCs as a means of legitimizing data transfers in general. Instead, Mr. Schrems requested that the DPC exercise its powers to suspend Facebook's particular transfers of personal data to the U.S., claiming that:

• The agreement that Facebook relied on to transfer data to the U.S. was not consistent with the relevant SCCs adopted by the European Commission.
• The SCCs could not in any event justify the transfer of Mr Schrems' personal data to the U.S. According to Mr. Schrems this is because under U.S. law Facebook Inc. was required to make the personal data of its users available to U.S. authorities and agencies, such as the NSA, in a manner incompatible with the Charter of Fundamental Rights of the European Union.

However, after Mr. Schrems made his complaint in 2015, the case took on broader significance:

• The DPC's investigation sought to determine (i) whether the U.S. ensures adequate protection of the personal data of citizens of the EU; and (ii) whether the SCCs offer sufficient safeguards to those citizens. The DPC subsequently...