In Schrems II, the Court of Justice for the European Union (CJEU) struck down the E.U.-U.S. Privacy Shield but upheld the validity of standard contractual clauses (“SCCs”). The Privacy Shield authorizes companies to transfer data from E.U. to the U.S; SCCs offer acceptable additional safeguards for the transfer of personal data to processors established in third countries. C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.
Schrems II began in 2013 when Max Schrems filed a complaint with the Irish data protection authority claiming that Facebook Ireland’s transfer of personal data under the Safe Harbor framework to Facebook Inc. violated his rights as outlined in the Charter of Fundamental Rights of the European Union. After the Safe Harbor framework was held invalid in 2015, Schrems redirected his complaint to challenge the validity of SCCs. The case went before the Irish High Court before being heard by the CJEU.
The court held that the privacy shield does not serve as sufficient protection against the surveillance activities in which U.S. public authorities are engaged. However, the European Commission allows data to be transferred to third countries without adequate protection when appropriate safeguards are in place.
This decision signifies that the data processors, or their subcontractor within the E.U., are responsible for ensuring that the SCCs provide adequate protection under E.U. law (para. 134). Although companies cannot prevent foreign authorities from surveilling their data once in the foreign jurisdiction, they can prevent an international data transfer if they believe that E.U. data protection standards have not been met. For SCCs to be a viable means of data transfer, the legal systems of third countries should respect “rule of law, access to justice as well as international human rights norms and standards” and offer guarantees of data protection essentially equivalent to those ensured within the E.U. Regulation (EU) 2016/679, 2016 J.O. (L 199/1). For E.U. data subjects, though the decision may mean that their data will be more secure, it also leads to uncertainty in the future for data transfers for companies to third countries.
Schrems II has resulted in much uncertainty surrounding the practical manifestations of its decision. For instance, it has not clarified a transition period—as it had done after 2015 Schrems decision that allowed companies relying on the Safe Harbor Framework to transition to the then new Privacy Shield—for companies that may be impacted by Schrems II. Corporations, like Facebook, have a few options. First, they could localize their data within the European Union which is likely to be expensive, technically difficult, and unfeasible immediately for business for a global company. Alternatively, they could perform a risk analysis of the data transfers given that if the company’s data is unlikely to be subject to government surveillance by a third country then SCCs may be sufficient protection for the data. Additionally, some have recommended that companies begin conducting “Transfer Impact Assessments” to investigate the nature of transfer and the potential risks involved in relation to the countries of destination. Finally, they could wait for further instruction from the European Commission.
Looking ahead, the European Commission is currently updating its SCC policies to bring SCCs in line with the EU’s General Data Protection Regulation (GDPR) framework. According to Justice Commissioner Didier Reynders, the updated policies will be ready before the end of 2020. Commissioner Reynders also noted that delays in process on this front from their United States counterpart may be expected due to the upcoming 2020 U.S. presidential election.
Though the practical implications of Schrems II remain unclear for both companies like Facebook and E.U. data subjects, those who are concerned with the decision can expect to hear more about the options for transnational data transfers originating from the E.U.