On 16th July 2020, the CJEU delivered its judgment in the "Schrems 2" case. Most organisations rely on data transfer agreements - Standard Contractual Clauses – to transfer personal data to countries outside the EEA. Organisations which transfer personal data to the US can also often rely on the EU-US Privacy Shield. The CJEU was asked to consider if law and practice in the US relating to access to personal data by the intelligence services should mean that either, or both – of these mechanisms should be invalidated.
The decision concludes that the Privacy Shield is invalid. Standard Contractual Clauses remain valid. However, the CJEU sets out a heavy burden on data exporters which wish to use SCCs; the data exporter must consider the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Additional safeguards, beyond the SCCs, may be required.
The EU Commission has also been working on modernizing the SCCS, which date back to 2010 and do not reflect the GDPR requirements. The result was postponed until the Schrems 2 case was resolved, but we should now expect updated clauses, although the exact timing for the new SCCs is unclear. Companies and organizations will also need to adapt to the successor SCCs in a second phase.
Although not highlighted in the summary, concluding paragraphs of the judgment, the decision also concludes that all data transfers to the US made by way of undersea cable are susceptible to access by US intelligence services – and that the law and practice surrounding this access falls short of EU legal requirements. Given this conclusion, the judgment has implications for transfers of personal data to the US more widely.
What happens next?
When the CJEU invalidated safe harbor in 2015, supervisory authorities recognised both that the decision created significant uncertainty as to what organisations should do and that it would take time for organisations to change their approach to data transfers, should this be necessary. Supervisory authorities recognised a need to show leadership – by giving clear guidance – and to allow an appropriate (but not excessive) time for change. It is to be hoped that supervisory authorities take the same approach this time and that clear guidance, which can be implemented by companies in a reasonable time period, is adopted quickly.
What should organisations do?
- Watch out for guidance from supervisory authorities, the European Data Protection Board and the European Commission
- Assess what data is being transferred outside the EU and on what basis. Look out for:
- Data transfers to organisations which participate in Privacy Shield
- Data transfers which rely on Standard Contractual Clauses – note any data transfers to US importers relying on SCCs in particular
- Data transfers which rely on Binding Corporate Rules and which involve data transfers to the US.The CJEU doesn’t mention BCRs – but they are a form of "appropriate safeguard" pursuant to Art.46, so the general comments about the need to assess the law of the importing country could also be applicable here. Guidance on this point from supervisory authorities would be particularly welcome.
Remember, these transfers could be within an international group, or they could be to suppliers/processors.
- Subject to guidance from supervisory authorities, develop an approach for due diligence when data transfers take place – either within the organisation, or with suppliers. This should check:
- To which country personal data is transferred
- Whether public authorities in that country could be entitled to access the data
- On what basis is this authorised?
- Is it set out in law
- Does the law limit the ability to access data
- Is it no more than is necessary and proportionate, in a democratic society, to safeguard national security, defence, public security or the prevention and detection of criminal offences and execution of criminal penalties?
- Does the law provide effective judicial remedies for data subjects?
- Is the data encrypted or tokenised in transit (see below).
Organisations transferring data to suppliers may need help from suppliers to answer these questions.
- Those transferring data to the US on the basis of the Privacy Shield, SCCs or BCRs should look out for additional guidance from supervisory authorities.Where the data importer is not itself subject to US requirements relating to access to data by intelligence services, the data exporter may wish to consider if there are non-contractual safeguards that could be applied to the data – such as encryption or tokenisation – that would allow the exporter to conclude that, because access to content is protected, there are appropriate (technical) safeguards for the data.
The background to the case
Mr Schrems has been a Facebook user since 2008. Facebook processes user data in the United States. Facebook originally participated in the EU-US "safe harbor" programme, which the European Commission had determined provided "adequate protection" for EU user data.
In 2013, Mr Schrems lodged a complaint with the Irish Data Protection Commissioner. He objected to surveillance activities undertaken by US intelligence agencies and argued that the law and practice in the US relating to this meant that there was not adequate protection for personal data transferred from the EU. This complaint was referred to the CJEU, which declared the EU-US safe harbor invalid and asked the Commissioner to reconsider Mr Schrems' complaint.
Following this decision, Facebook – like most other companies affected by the CJEU decision – entered into Standard Contractual Clauses ("SCCs) to provide adequate protection for the personal data it transferred to the US. The Commission decision on SCCs provides that supervisory authorities, such as the Commissioner, can suspend or prohibit data transfers, i.a. if the authority concludes that law of the country to which the personal data is transferred means that the data importer cannot comply with the obligations set out in the SCCs. Mr Schrems asked the Commissioner to use this power to suspend or prohibit transfers of his data to Facebook in the US.
The Commissioner considered Mr Schrems' reformulated complaint. She adopted a draft decision, which took the view that US law and practice, allowing US intelligence agencies access to EU data, was incompatible with the EU Charter of Fundamental Rights. Rather than doing as Mr Schrems asked – and ordering Facebook to suspend data transfers to the US – the Commissioner brought proceedings before the Irish High Court, asking it to make a reference to the CJEU, to consider if the SCCs themselves were invalid.
In 2016, the Commission adopted the Privacy Shield Decision. The decision included consideration of law and practice in the US relating to access by US intelligence agencies to EU data. It referenced explanations and assurances made by the US (including the establishment of an Ombudsperson, with a remit to review complaints about intelligence service access to EU data) and concluded that the EU –US Privacy Shield, offered adequate protection for EU personal data. The Privacy Shield Decision complicated matters: as the European Commission had concluded that EU-US Privacy Shield offered adequate protection for EU personal data, how could the Commissioner suspend data transfers to the US, on the grounds that those same laws precluded appropriate protection for EU personal data? The Irish High Court considered this and this also formed part of the reference to the CJEU.
Privacy shield invalid: US law does not effectively set out limits on the activities of the intelligence services and does not provide effective remedies for individuals whose data has been transferred to the US
The Privacy Shield Decision is an "adequacy decision". Art. 45(2)(a) of the GDPR provides that when the Commission makes an adequacy decision it must consider (i.a.) the "rule of law .. including concerning national security .. and the access of public authorities to personal data.. as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred".
The CJEU noted that matters concerning national security and the access by public authorities to personal data must be provided for by law  and that this law must set out the limitations of the rights to access data  as well as clear and precise rules governing the measures . The CJEU also emphasized the reference, in Art.45(2)(a) to "effective and enforceable data subject rights". The CJEU looked at US practices set out in s.702 of the Foreign Intelligence Surveillance Act ("FISA"), in Executive Order 12333 ("EO1233") and in Presidential Policy Directive 28. The CJEU concluded that these provisions do not set out limitations on the powers of the intelligence services  and do not give data subjects actionable rights before US courts [181, 182] and so "cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter…". The CJEU also concluded that the role of the Privacy Shield Ombudsperson is not enough to cure these deficiencies .
As a result, the CJEU declared the EU-US Privacy Shield to be invalid. This has immediate effect.
Standard Contractual Clauses Survive
The SCCs contain an important footnote, which recognises that a data importer may have to comply with national legislation applicable to it; the footnote states that this is "not in contradiction with the standard contractual clauses", provided that such national legislation does not go beyond what is necessary in a democratic society, i.a. to safeguard national security. The Irish Commissioner pointed out that the SCCs potentially allow the recipient to disclose personal data to public authorities, who will not themselves be bound by the SCCs. The Commissioner argued that this was the situation at issue in Mr Schrems' complaint – and that this mechanism meant that the SCCs themselves were deficient and should be invalidated .
As explained above, the Commission decision on the SCCs allows supervisory authorities to suspend or prohibit data transfers in certain circumstances. The CJEU concluded that its "examination of [the] Commission Decision.. has disclosed nothing to affect the validity of that decision". Accordingly, SCCs remain valid.
The role of commercial organisations, as parties to the SCCs
Organisations have been used to assuming that standard contractual clause can always be used – without more – as a means to provide adequate protection for personal data. The CJEU makes clear that this is not the case. If an organisation wishes to transfer personal data to a third country, where an adequacy decision is not in place, then GDPR places the responsibility for ensuring appropriate safeguards on that organisation; this includes an obligation to "take measures to compensate for the lack of data protection in a third country"; there must be "safeguards" and "enforceable data subject rights and.. effective remedies.." [131, citing Art.46(1))].
SCCs are one way of achieving this, but they may not be effective by themselves: in particular, if a third country allows public authorities to access data, then more will be required . In this situation, a party wanting to rely on the SCCs must consider relevant aspects of the third country's legal system – including the factors which are relevant in an adequacy decision, as described in Art.45(2). The CJEU also notes that these factors are non-exhaustive – leaving the door open for the CJEU to introduce additional factors into an assessment of adequacy . This assessment has to be made by the data exporter on a case by case basis .
The decision contains a brief reference as to what these additional measures could be – noting that recital 109 encourages the use of "other clauses or additional safeguards .. that supplement standard [data] protection clauses" . As the core problem here is access by public authorities to data; and as the decision notes that such authorities will not be bound by provisions agreed in contracts between data exporter or data importer – it is hard to see how the suggestion of contract terms would be of any use in practice. Technical methods - for example, use of tokenisation to render the data meaningless to those other than the data exporter, may be more helpful.
The decision looks in detail at the obligations of the parties to the SCCs, the data exporter and data importer.
- The data exporter has the obligation to ensure "appropriate safeguards"; under the SCCs it warrants that the processing is, and will remain, lawful; it must consider the law and practice of the third country – especially as regards public authority access to data. This must be done before transfers take place and must take into account any adequacy decisions made by the Commission , .
- If the data importer is subject to local obligations which would require it to provide EU originating data to intelligence services, or other public authorities – and if this does not meet requirements for such law and practice described above – then the importer would not be able to meet its obligations under the SCCs. In this situation, the importer has an obligation to notify the data exporter that it is unable to comply with its obligations under the SCCs .
- If a data exporter receives such a notice, the SCCs give it a right to suspend the transfer and/ or terminate the contract. The CJEU notes that this is not just a right, but an obligation , . If the data exporter determines that it does not need to suspend the data transfer, then the data exporter must provide a copy of this notice to the competent supervisory authority – which may then use its powers to investigate or to suspend data transfers .
Data Protection Authorities have a significant role in this: GDPR gives them significant powers and with this comes significant responsibility
The CJEU also emphasizes that supervisory authorities have significant obligations as regards data transfers made pursuant to the SCCs. The GDPR grants supervisory authorities extensive investigative powers and if an authority concludes that there is no an adequate level of protection, it is required to act to remedy this . Further, it must do so "with all due diligence"  – a statement Mr Schrems may find ironic, given that his complaint was first made in 2013.
The European Data Protection Board will have to issue decisions about data transfers
The Irish Commissioner had drawn attention to the practical problem that, if a data subject can complain to a supervisory authority about data transfers, and if the authority must then suspend or prohibit transfers, this could lead to supervisory authorities across the EU taking inconsistent decisions about the same third country. The CJEU did not see this as a reason for the supervisory authority not to exercise the responsibilities placed on it: in this situation, in order to avoid divergent opinions, the authority would use the consistency mechanism and refer the matter to the EDPB under Art.65(1)(c) of the GDPR.
A problem lurking in underwater cables: are almost all data transfers to the US illegal?
The CJEU decision places significant obligations on data exporters wishing to make effective use of the SCCs. But there is a bigger lurking problem with the decision.
Almost all data is transferred to the US by way of underwater cables. The CJEU notes that the Irish High Court had found that EO1233 allows the NSA to access these cables and to collect and retain data before it arrives in the US . The CJEU concludes that relevant law and practice – i.e. s.702 FISA, EO12333 and PPD-28 – does not correlate "to the minimum safeguards … with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary" . The CJEU goes on to note that: "In those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law…" .
This is a statement that US law & practice is – per se – incompatible with EU requirements. As all data passing to the US by way of undersea cable would appear to be susceptible to access via EO12333, given this statement, it is hard to see how any data exporter could conclude that there is adequate protection for the data. As the CJEU has underlined that data exporters must consider the law of the country to which data is transferred, this would also seem to affect data transfers made to the US via the SCCs – or indeed by other methods providing for "appropriate safeguards" such as BCRs.
The GDPR does allow data transfers to take place where a derogation applies (Art.49). However, in practice, it is difficult for organisations to rely on this. One derogation is explicit consent (49(1)(a)) but consent is revocable. Another is where the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures – but this is limited to situations where the transfer is "occasional".
The scope of the GDPR
Although of less significance than other aspects of the decision, the judgment also considers the interaction between the GDPR and law applicable to national security. It noted that, where one commercial organisation transfers data to another commercial organisation, the fact that the data may subsequently be accessed by national security authorities does not alter the fact that the GDPR applies to the processing and to the data transfer.
 Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18
 Schrems (C-362/14, EU:C:2015:650)
 Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 (OJ2010 L39, p.5), as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L344, p.100).
 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016.. (OJ 2016 L 207, p.1)