Schrems II – Putting a Privacy Shield cat amongst the Data Protection Pigeons!

This is general legal information; nothing in this article should be considered advice.

The Court of Justice of the European Union has just this week published its decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18) or, as many in the data protection world will better know it, Schrems II. The two headlines are that Privacy Shield, like its predecessor Safe Harbor, is a dead duck, and that Standard Contractual Clauses (SCCs) can still be used, albeit with some caveats.

A short history of the Schrems cases

If you want to read about the cases in full, have a read here – Max Schrems Wiki. To summarise: Max Schrems, an Austrian, made a number of complaints to the Irish Data Protection Commissioner about Facebook back in 2013, concerning how Facebook processed his data, in particular the transfers between Ireland (in the EU) and the United States. Schrems was, and is, concerned about how this data could be accessed by the US government surveillance apparatus. Privacy laws in the US differ from those in the EU, and EU citizens are not afforded much in the way of protection there.

Schrems also made a complaint to the Irish High Court against the Data Protection Commissioner and the way they had handled his complaint against Facebook – basically, the Irish DPA didn’t think there was a case to answer. The Irish Court didn’t feel it could answer the question without referring it to the CJEU, and so the complaint got kicked across to Luxembourg – lots of air miles being gained!

Since that first complaint, rulings have trickled in. The first Schrems case (C-362/14) invalidated what was originally in place to safeguard EU-US data transfers – Safe Harbor. Safe Harbor was essentially a self-certification scheme that held little weight. It was then replaced by Privacy Shield, which was equally useless. What was interesting at the time is that Facebook didn’t actually rely on Safe Harbor but instead relied upon Standard Contractual Clauses (SCCs). SCCs are essentially contractual terms which are supposed to offer a means of judicial remedy for privacy issues. Schrems complained again to the Irish DPC that SCCs were inadequate. The DPC decided this time that it would refer questions to the CJEU directly… and here we are: Schrems 2.0.

What was the outcome of Schrems II?

As mentioned in the opening paragraph, there were two primary points for businesses and a further point on the wider issue of how data protection operates in the United States. The first is that Privacy Shield is a dead duck: the Court invalidated the prior decision (2016/1250) on the adequacy of Privacy Shield.

The second outcome is that Standard Contractual Clauses are still valid as per a prior decision (2010/87), BUT their validity “depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”

The third point is that the US doesn’t protect personal data, legally, to the same level as that afforded to EU citizens here in the EU. “In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

What does this mean for businesses?

The decision will have far-reaching impacts for years to come – watch out for Privacy Shield 3. It’s also likely that Standard Contractual Clauses, as we currently know them, will be revised. That means at some point all the current SCCs you have in place will need to be replaced.

If your business works with partners operating within the United States, you may already be impacted. An organisation relying on Privacy Shield will need to identify another transfer mechanism. An organisation relying on SCCs must, as the procuring Controller or Processor, carry out data protection due diligence on both the company it is transferring data to AND on the legislative framework of the third country.

If your business uses US infrastructure to support its offering to other companies within the EU, it’s likely clients and customers are going to start asking what you’re doing to make yourself compliant. It might be useful to have something positive to say!

But the first step should be to understand your exposure and then develop a plan. Once you have a plan, communicate it to your stakeholders. If you need help with the impact of Schrems II, don’t hesitate to get in touch!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
