During the summer, the upper court of the Court of Justice of the European Union handed down a decision that rightly deserves the full attention of all players who are engaged in cross-border transfers of personal data.
On 16 July 2020, the Court of Justice, the supreme court of the European Union and the upper court of the Court of Justice of the European Union (“Court of Justice”), published its decision in the so-called Schrems II case (Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems). Considering the potential impact that this judgement may have on international data flows and data-intensive business sectors in general, it is more than worthwhile to continue to follow how this issue will develop.
As has been widely reported, the Court of Justice found that the Commission’s implementing decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield is invalid. In other words, data transfers relying on the Privacy Shield framework are no longer compatible with EU law. While a key takeaway is, of course, that data transfers from the EU to the USA just got a great deal more complicated, there are other aspects of the case that deserve close scrutiny by any entity whose business or operations are dependent on the transfer of personal data across borders.
Based on the Schrems II decision, companies can still rely on the Standard Contractual Clauses, but they cannot use them merely for the sake of appearances. Now, at the latest, the clauses can no longer be considered a tick-in-the-box exercise – if, as the Court seems to suspect, that was the case at least in certain circumstances. In paragraph 134 of its judgement, the Court of Justice states – with respect to using the Standard Contractual Clauses – that it is “…above all, for [the] controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses...”.
In practice, this means that the controller and the processor are expected to possess the necessary expertise in the law of the relevant third country to be able to make an informed decision as to whether or not the laws of that country provide enough protection from the point of view of EU law. This is a daunting task and, as some of the more perceptive observers have noted, the Court of Justice seems to hold the opinion that the Commission failed to do so in its adequacy decision with respect to Privacy Shield. Now, however, private entities, for example, are expected to fare better. If the parties to the relevant transaction are able to make such a determination, and that determination indicates that adequate protection is not afforded by the laws of the third country, the controller and processor should provide “additional safeguards” to those offered by the Standard Contractual Clauses. Unfortunately, the Court of Justice stopped short of saying what such additional safeguards would look like. If the necessary additional safeguards – whatever those might be – cannot be given, then the controller or processor must suspend or end the transfer of personal data to the third country in question. Should both fail to take such action, the competent supervisory authority must do so instead. Thus, the decision of the Court of Justice places a lot of responsibility not only on the parties to a transaction, but also on the relevant data protection authorities.
Lastly, it is important to note that although the case before the Court of Justice, like all court cases, concerned particular parties with a particular set of circumstances, the Court of Justice’s wording is of such a general nature that its impact on international data transfers cannot be read as only concerning data flows from the EU to the United States. Adequacy decisions similar to the Privacy Shield decision have been made with respect to other countries as well, and more are in the pipeline. For example, data flows to a post-Brexit Britain will be of particular interest in the coming months. One should also note that the European Data Protection Board has stated that there is no grace period during which transfers can continue while the legal grounds for transfers are being assessed.
On 4 September 2020, the European Data Protection Board advised that it had created a taskforce, which will make recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures that ensure adequate protection when transferring data to third countries. Until more concrete advice is available, companies engaged in the international transfer of data should keep their finger on the pulse, remain vigilant in their operations, and, as necessary, be prepared to react quickly.