On 9th July, the Court of Justice (ECJ) heard arguments on whether the Standard Contractual Clauses (SCCs) are effective to provide adequate protection for personal data, both as regards transfers to the US and in general (the so-called “Schrems II” case).
The High Court in Ireland, which referred the case to the ECJ, made a number of findings about US law. The ECJ was asked multiple questions about whether, in the light of these findings, transfers of personal data to the US (pursuant to the SCCs) breach the EU Charter of Fundamental Rights. The ECJ was also asked to rule on the impact of the EU-US Privacy Shield on these questions.
The ECJ is expected to hand down its decision in early 2020.
Whilst the focus of Schrems II is on the SCCs, the questions posed to the ECJ on the effect of US law and on the EU-US Privacy Shield could affect whether or not that regime should be considered to offer adequate protection for personal data transferred from the EU. The validity of the EU-US Privacy Shield is, separately, being challenged directly by the French digital rights and freedoms advocacy group La Quadrature Du Net. This case was due to be heard by the General Court of the European Union on 1-2 July. However, this has now been postponed until the Schrems II case has been resolved, presumably to allow the Court to take that judgment into account. The advocacy group argues that Privacy Shield still permits mass indiscriminate surveillance by US authorities and therefore fails to uphold fundamental EU rights.
Standard Contractual Clauses are the main method used by business to transfer personal data outside the EU. Although Privacy Shield is relied on by many organisations, it only addresses transfers of personal data to the US. Binding Corporate Rules can also be relied on by corporate groups – but these require substantial time to put into place and to obtain necessary approvals from data protection authorities: they could not be implemented quickly in the event other transfer methods ceased to be available. There are also other derogations, under the GDPR, from the prohibition on transfers of personal data outside the EU (such as consent or contractual necessity), but these are narrow and rarely suitable for repeat, large-scale data transfers. The newest GDPR-approved transfer methods, "approved codes of conduct" and "certification under an approved certification mechanism", cannot currently be used because no codes of conduct or certification mechanisms have been approved to date.
If the CJEU decides to annul the Commission decision approving the Standard Contractual Clauses, this will therefore be hugely disruptive for business. Commissioner Vera Jourova has recently announced that the EU Commission is working on modernising the SCCs. The resulting updated clauses could, potentially, be used to resolve any deficiencies found by the CJEU – although the timing for the new SCCs is not clear.
Organisations who lived through the disruption which followed the CJEU’s decision to invalidate the predecessor of the Privacy Shield, the Safe Harbor, will be keen to know what they can do now, so as to be prepared for any eventual decision from the CJEU and to avoid a repeat of the Safe Harbor chaos.
- Companies who transfer personal data to the US should be relieved that the deferral of the Quadrature du Net case means that there is likely to be some gap between any decision on the SCCs and on the Privacy Shield – albeit that this may prove short term and that Schrems II itself may have repercussions for the Shield.
- There is no obvious fall-back for companies who transfer personal data to countries other than the US. However, having a clear understanding of what personal data is exported, to whom, where and on what basis, will be a good start. This would allow faster evaluation of the impact of the CJEU decision and – if necessary – a faster move to any successor SCCs.