Authored By: Anushka Ukrani
On 16th July 2020, the Court of Justice of the European Union (CJEU) pronounced its judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18), popularly referred to as the ‘Schrems II’ judgment. In its decision the court invalidated Commission Decision 2016/1250 (the EU-US Privacy Shield decision). The Privacy Shield is a framework designed to provide a legal mechanism for companies in the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US. The judgment went on to uphold the validity of Commission Decision 2010/87, thereby upholding the validity of Standard Contractual Clauses (SCCs) for the transfer of personal data to non-EU countries. This means that companies established in the EU seeking to transfer personal data of EU-based customers to US-based companies now have only one means of doing so: through SCCs.
The purpose of this article is to analyse this judgment and its possible implications. However, before we proceed, it is pertinent to discuss the events that led to the judgment in question.
In 2013, Maximillian Schrems, an Austrian activist, filed a complaint with the Irish Data Protection Commissioner (DPC) against Facebook Ireland in order to prevent it from transferring personal data of EU-based customers to its parent company in the US, as the practices and laws in the US do not provide any protection to data transferred to the country against surveillance by its intelligence agencies. The law in the US gives priority to national security over privacy. Thus, he essentially sought a prohibition of Facebook’s data transfer activities. At that time, data transfers between EU and US companies were governed by the Safe Harbour Agreement, the predecessor of the Privacy Shield. His complaint was, however, rejected by the DPC on the basis of Commission Decision 2000/520/EC, which held that under the ‘Safe Harbour scheme’ the US ensures adequate protection of the data transferred to it. Subsequently, Schrems went to the Irish High Court questioning the DPC’s inaction in the case. A reference was made to the Court of Justice of the European Union (“CJEU”). The CJEU in its 2015 ruling in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) (‘Schrems I’) primarily held two things:
- Firstly, that Commission Decision 2000/520/EC as well as the Safe Harbour agreement are invalid. This is because the agreement violates the privacy of EU citizens by giving the US intelligence services access to the transferred information, constituting unnecessary interference. It also deprives citizens of their right to an effective legal remedy, as it prevents them from being heard on the question of the surveillance and interception of their data in the US. The decision was also struck down because it abridges the powers of the national supervisory authority.
- Secondly, that the national supervisory authority does not lose its power to examine data transfers to a third country even if there is a Commission decision holding that the third country ensures adequate protection of the data transferred to it. Keeping in mind the importance of data protection, the powers of the national supervisory authority must not be disturbed and its independence must be maintained. Thus it was held that the DPC is not empowered to curtail the powers of the national supervisory authority.
In essence, the CJEU in the Schrems I judgment invalidated the Safe Harbour arrangement, and as a result of this annulment the decision of the Commission that rejected Mr Schrems’ complaint was also annulled and he was asked to reformulate his complaint. In this subsequent complaint, Schrems sought to prevent Facebook Ireland from transferring his personal data pursuant to the standard protection clauses set out in Decision 2010/87 (the Commission decision on SCCs).
Following the ruling in Schrems I, the US government and the European Commission started deliberations over a new framework to replace the now invalidated Safe Harbour agreement. On 8th July 2016, Andrus Ansip, Vice President of the European Commission, made a statement declaring that “Member States have given their support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows.” The adequacy of the framework was upheld by the Commission on 12th July 2020, and it came into force the same day.
On 25th May 2018, the General Data Protection Regulation (GDPR) was enacted, replacing the more than two-decade-old Data Protection Directive of 1995. The GDPR is a set of regulations for the protection of personal data and provides that data can be transferred to a non-EU country only if that country maintains adequate protection. It was enacted with the object of strengthening data protection norms by taking a progressive approach to how people’s data should be handled. Article 5 of the GDPR lays down seven key principles that form its core: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; and (7) accountability. It is presently the strongest data protection mechanism in the world.
Schrems II Judgment
On the reference being made to it, the CJEU held that the General Data Protection Regulation (“GDPR”) applies to data transfers by economic operators in member states to non-member states. The two important points for consideration before the court were:
- Validity of SCCs with respect to Articles 7, 8 and 47 of the EU Charter of Fundamental Rights (the Charter)
- Validity of the EU-US Privacy Shield in the light of Article 45 of the GDPR.
- Validity of SCCs: The CJEU upheld the use of SCCs in data transfers. The court, however, placed a dual responsibility on data exporters established in EU countries: to ensure that the laws in the third country guarantee adequate protection under EU law, and also that the level of protection required by EU law is respected in the third country. It was thus held that the level of protection has to be the same as that guaranteed within the EU. The assessment in this regard has to be made on the basis of both the contractual clauses agreed to by the exporter and recipient and the relevant aspects of the law in the recipient country. This means that data exporters and importers transferring data under SCCs now have to determine the adequacy of the safeguards provided on a case-by-case basis. It certainly places a heavy burden on data controllers. They are obligated to examine each transfer in detail, which is beyond their capability, and the difficulty would be even more serious when it comes to transfers to non-democratic countries. The judgment also places responsibility on data protection authorities (DPAs) to take enforcement action against companies that rely on SCCs, even though under the GDPR the DPAs do not approve the SCCs and generally will not even know that they are being used.
- Invalidity of the Privacy Shield: The Privacy Shield had been in operation since 2016 as a result of Commission Decision 2016/1250, which upheld its adequacy. It granted certified US companies access to personal data of EU customers. The court, by its decision in Schrems II, invalidated Commission Decision 2016/1250 and, as a result, the EU-US Privacy Shield too. The invalidation of the Commission decision is based on the following grounds: (1) the law in the US does not satisfy the requirements of privacy protection under EU law, as it requires US-based companies to provide its public authorities with access to personal data, and there is a lack of safeguards against unnecessary interference by US public authorities; (2) the decision gives primacy to US national security concerns over the requirements of the Privacy Shield; (3) even though there are certain requirements that the US must comply with under the Privacy Shield, there is a lack of effective remedy for EU-based customers in the US; (4) the appointment of an ombudsperson does not afford the requisite judicial protection, as it lacks the independence to adopt decisions that are binding on the US intelligence services, and therefore it does not meet the requirement of providing an adequate judicial remedy under European law. On these grounds, it was held that the US does not meet the proportionality requirement of European privacy laws and hence the Privacy Shield has been invalidated. This means that as many as 5384 companies that have so far adhered to and relied upon the Privacy Shield must now reconsider their options. They can either stop receiving data from the EU altogether or find another mechanism for doing so.
Even though the decision is centred around the EU-US Privacy Shield, it has much wider implications. The judgment essentially means that even if the data is to be transferred under SCCs, if the laws of the recipient country do not comply with the requirements under EU law, the transfer of personal data will not be permissible. So businesses around the world that had expected to fulfil their obligations under the GDPR by simply agreeing to SCCs will now also have to ensure that the laws in their countries meet the standard of protection demanded by European law. And that is a huge ask. A possible implication of this judgment could be ‘data localisation’, which means European data may never leave Europe. How we perceive this judgment largely depends on our perspective. It could either be seen as an unnecessary embargo on the free flow of data or as a necessary step towards enforcing the importance of privacy.
Implication for India
The decision certainly holds global importance and affects the world at large, including India. India, at present, does not have any framework for data protection and as a result largely relies on SCCs and BCRs. Like the US, India recognises national security as an exception to the right to privacy. So if law enforcement agencies in India approach Indian companies seeking access to the personal data of EU customers, the companies must comply irrespective of any contractual commitments. All data transfers at the moment between India and the EU take place under SCCs, but following the ruling in Schrems II this is no longer sufficient to constitute compliance with the obligations under the GDPR if law enforcement agencies can compel the disclosure of this data.
What happens next?
Undoubtedly, the implications of the Schrems II judgment are vast and, at the time of writing, uncertain. The court ordered an immediate invalidation of the Privacy Shield, which leaves data exporters and importers with no transition time. Companies can continue data transfers on the basis of SCCs, but the judgment has imposed a rather heavy burden on data exporters who wish to keep using them. They are expected to assess the circumstances of each data transfer they make, and if they do not, the supervisory authority has been empowered to take action. Thus, long-term use of SCCs also seems unlikely, and it may be useful to explore alternative mechanisms. For instance, Article 46 of the GDPR provides for certain additional export mechanisms such as Binding Corporate Rules (“BCR”). However, before relying on BCR, the approval of a DPA is required, which can take up to two years; the entire process is very expensive and tedious and usually requires a lot of organisational changes to be made. Hence the possibility of relying on such alternatives is limited.
The decision impacts not just large conglomerates but smaller organisations as well. This is clear from the statement made by Wilbur Ross, US Secretary of Commerce, where he stated that he “hope[d] to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies, but to businesses of all sizes in every sector.”
Thus, it is important that the EU and the US negotiate and come up with a successor to the Privacy Shield to regulate data transfers. In this situation it is expected that the supervisory authorities will take a proactive approach and provide clear guidelines for companies to adopt.
The author is a law graduate from the Campus Law Centre, University of Delhi