Schrems, an Austrian national and privacy activist, started a complaint with the Irish DPA in 2013 in relation to Facebook Ireland transferring his personal data to the US for processing. Schrems was not satisfied that his personal data was adequately protected, due to the wide reaching surveillance powers of the US public authorities.
In 2015 the CJEU declared in Schrems’ favour, that EU-US Safe Harbor did not afford adequate protection (Schrems I).
The Irish Data Protection Commission then commenced further proceedings in 2016, to obtain clarity in respect of the Standard Contractual Clauses that Facebook Ireland largely sought to rely for its transfer of personal data to the US (Schrems II).
After the CJEU held Safe Harbor to be an invalid transfer mechanism, in 2016 the European Commission approved Privacy Shield as an alternative, replacement mechanism for transfers of personal data from the EU to the US.
The CJEU have now overruled this in the Schrems II decision.
On the basis that interference by US public authority surveillance is not proportionate, and EU data subjects do not have adequate means of enforcing their rights in the US, the CJEU held that certification with Privacy Shield is no longer an appropriate safeguard for the transfer of personal data to the US.
WHAT ABOUT USING STANDARD CONTRACTUAL CLAUSES?
The CJEU have ruled that Standard Contractual Clauses remain a valid transfer mechanism. However, the controller seeking to rely on the Standard Contractual Clauses, is required to satisfy itself that the personal data being transferred will be afforded an equivalent level of protection as it receives within the EU.
WHAT DOES THIS MEAN?
- For use of the Standard Contractual Clauses generally:
It is not enough to simply populate and sign the Standard Contractual Clauses – controllers need to go much further and conduct in-depth due diligence in relation to both the security standards adopted by the international data recipient, and the privacy laws in place in the third country where the recipient is based.
- For the transfer of personal data to the US:
The CJEU’s ruling in respect of privacy shield makes it clear that the privacy regime in the US does not afford EU citizens with the level of protection required under the GDPR. This causes difficulty when looking at alternative transfer mechanisms to implement and draws into questions whether Standard Contractual Clauses can be appropriate, where the US public authorities continue to have the same surveillance rights in respect of the imported personal data.
WHAT SHOULD WE BE DOING NOW?
- Companies currently transferring personal data to the US on the basis that the recipient is certified with Privacy Shield, should immediately take action to either implement an alternative, adequate transfer mechanism or cease transferring personal data to the US.
- Personal data exporters relying on Standard Contractual Clauses need to ensure that they have conducted appropriate due diligence on the data importer and have satisfied themselves that the personal data it is transferring is adequately protected.
- Consider whether you have the technical know-how to conduct due diligence on the security measures implemented by your international supply chain, and if not whether you need to outsource this function to ensure that you are meeting your legal obligations.
We are expecting to see the European Commission release an updated version of the Standard Contractual Clauses in the near future and will update once these become available. However, this will not change the need for controllers to evaluate the adequacy of the third country and third party to which it is transferring personal data - the decision is clear that data controllers are responsible for where and to whom personal data is transferred.
If you require any assistance in relation to your international data transfers, please contact the Ashfords Data Protection Team.