A decision of the Court of Justice of the European Union (CJEU), expected for this Thursday, may have major consequences for the dataflows coming from the EU to the United States, as well as to most of the other countries in the world. Two key legal mechanisms that ensure the personal data of Europeans are protected when transferred from Europe to the US are under scrutiny: (1) the EU-US Privacy Shield framework (Privacy Shield) and (2) the Controller-Processor Standard Contractual Clauses (SCC) 2010 Decision of the European Commission. The latter also ensures that transfers of personal data originating from the EU to other countries elsewhere in the world enjoy safeguards.
If the Court decides that neither of these mechanisms meets the criteria for respecting fundamental rights under the EU Charter of Fundamental Rights, virtually all dataflows from EU Member States to the US will be left without a lawful ground. They could then be suspended, either immediately by the companies transferring the data, which will not want to risk hefty fines, or through orders from European Data Protection Authorities, until a new legal mechanism for transfers is put in place. An invalidation of the 2010 SCC Decision would also leave transfers from the EU to other countries, like China or India, outside the law. The CJEU can potentially rule on the validity of both instruments, or only on the SCC Decision, leaving out the assessment of the Privacy Shield (as was recommended by the Advocate General of the Court in an Opinion published on December 19, 2019).
A complicated case
The CJEU was asked by the High Court of Ireland whether the European Commission’s Decision that establishes Controller-Processor SCCs is valid under EU law. A challenge to its validity was raised before the High Court in Ireland by the Irish Data Protection Commissioner (DPC) in a case concerning a complaint submitted to the DPC by Maximilian Schrems regarding the transfer of his personal data from Facebook Ireland (Europe) to Facebook Inc. (US). This transfer relies on SCCs (standard clauses) that the two entities entered into, which are based on a Decision adopted by the European Commission.
As a rule, the EU General Data Protection Regulation (GDPR) allows transfers of personal data from the EU to countries outside the EU only if an adequate level of protection is afforded to the data, which should not undermine the level of protection that the GDPR confers to personal data of Europeans. Some countries’ legal frameworks are declared adequate by the European Commission at the end of a formal process, meaning that dataflows from the EU to those countries can occur with no restrictions. Where such adequacy decisions are not in place, SCCs allow for companies to enter into a contract with pre-determined content (established through the SCC Decision of the Commission) that provides safeguards for personal data once it is transferred from the EU to a country outside the EU.
Schrems takes the position that his personal data transferred to the US on the basis of the SCC Decision are not adequately protected due to the broad access to electronic communications data that US government agencies have under their national security mandate and a lack of effective judicial remedies for non-US persons in relation to these practices. In accordance with the SCC Decision and with powers granted by the General Data Protection Regulation, the Irish DPC can suspend a specific transfer if the Commissioner finds that the legal regime in the country of destination (in this case, the US) does not afford an adequate level of protection to personal data transferred from the EU.
The Irish DPC challenged the validity of the SCC Decision that sets up this mechanism, one of the arguments being that the SCC Decision does not ensure an effective judicial remedy against government access to data for Europeans once their personal data are transferred to the US. On the other side, Schrems maintains that the SCC Decision is valid under EU law and that the Irish DPC should use the powers granted to it by the SCC Decision and the GDPR to assess the level of protection granted by the US legal framework and eventually to suspend the transfer of his data to the US.
How could a ruling on SCCs affect the Privacy Shield?
The CJEU found in 2015, in the first iteration of this same case, that the predecessor of the Privacy Shield program, the EU-US Safe Harbor framework, was invalid since it did not ensure an adequate level of protection of personal data transferred to the US, in accordance with the fundamental rights of respect for private life and an effective judicial remedy under the EU Charter of Fundamental Rights. The European Commission and the US Government negotiated a new framework, the EU-US Privacy Shield, which was adopted in 2016. The Privacy Shield program was found by the European Commission to ensure an adequate level of protection for the personal data transferred to the US to those companies that are self-certifying with the Department of Commerce as participating in the framework. Currently, 5,378 companies have registered as transferring data from the EU to the US on the basis of the Privacy Shield, both from the US and from Europe, as shown in this recent study published by the Future of Privacy Forum.
The Privacy Shield may now be subject to scrutiny by the CJEU in addition to the SCC Decision, depending on whether the Court finds it useful to assess it for the outcome of the main proceedings in this case. A top advisor of the Court, Advocate General Saugmandsgaard Øe, recommended in a non-binding Opinion that the CJEU limit its assessment to the SCC Decision and declare it valid. However, he also mentioned that if the Court were to consider an assessment of the Privacy Shield necessary for the outcome of the case in Ireland, the Court should find that, similar to its predecessor, it does not respect the fundamental rights framework of the EU.
Possible outcomes of the case
From the outset it should be clear that the CJEU often finds original solutions to complicated questions, so it is challenging to predict how it will decide in an individual case. For example, in a landmark case from 2014, Digital Rights Ireland, it decided to invalidate the entire Data Retention Directive, even if only the validity of a specific provision of that directive was raised in the proceedings. The following paragraphs merely map out some of the different possible outcomes of the case and refer to potential consequences to global dataflows, but they are by no means exhaustive.
On Thursday, perhaps the only certainty is that the CJEU will provide a judgment on the validity of the 2010 SCC Controller-Processor Decision. It could follow the AG Opinion and declare it valid, or it could find that the Irish DPC is right, and declare it invalid.
Invalidation of the SCC Decision without a transition period: If the SCC Decision is declared invalid and the Court does not provide for a transition period, this means that all transfers of personal data from the EU to countries outside the EU relying on that SCC decision will become unlawful. It is also likely that, by analogy, the Controller-to-Controller SCC Decision will be declared invalid too. This will not only affect the personal data transferred to the US on the basis of SCCs, but also the data transferred elsewhere on the basis of SCCs, like China, Singapore, India, Brazil and all other countries which do not have an adequacy decision.
As a consequence, companies may decide to proactively suspend all transfers based on SCCs, effective immediately, in order not to risk GDPR fines for unlawfully transferring personal data outside the EU. Another option is to continue the transfers in practice, but this would be outside of the law. Theoretically, they could also rely on a fallback plan, but there is no immediate solution to provide an alternative lawful mechanism for transfers. The other options provided by the GDPR, like Binding Corporate Rules (BCRs), certification mechanisms and Codes of Conduct (CoC), take a long time to be approved by Data Protection Authorities, and very few are in place (particularly BCRs; there are currently no CoC or certification schemes approved for data transfers). They could also rely on one of the derogations allowed by the GDPR, like the consent of the individuals whose data are transferred, but this would also risk bringing them outside the law, since derogations may only be applied in exceptional cases and not for repetitive or massive transfers, as per guidance from the European Data Protection Board.
However, it should be noted that the European Commission has been working for the past year to update its SCC decisions to take into account new GDPR provisions, and it is very likely that the Commission will soon, or even very soon, adopt the new updated SCCs once it has also brought them in line with the requirements of the Court as laid out on Thursday. So there is a possibility that there will only be a short gap before the new SCCs are adopted, even if the Court invalidates the 2010 SCC Decision.
Validity of the SCC Decision is recognized: If the Court upholds the validity of the 2010 SCC Decision, then the dataflows from the EU to the rest of the world based on SCCs can continue uninterrupted. The Commission will nonetheless publish updated SCCs sometime in the near future, as expected in accordance with the GDPR, but there will be no gap during the transition from the old ones to the new ones. Upholding the SCC Decision also means the Irish DPC will likely have to act one way or another in relation to the original complaint submitted by Schrems regarding the transfer of his data to Facebook Inc. in the US. If the DPC suspends that transfer on account of the level of protection afforded to personal data in the US, this may lead to claims by other data subjects asking that the transfer of their data be suspended as well, addressed to all companies in the US that rely on SCCs. Those requests will need to be dealt with on a case-by-case basis. Regardless of what decision the DPC makes, challenges to it should be expected from any of the parties involved.
Possible assessment of the Privacy Shield: As for the validity of the EU-US Privacy Shield, the Court has the option of whether to assess it or not. If it follows the AG Opinion, then the Privacy Shield will not be assessed and the dataflows based on it will continue uninterrupted for now. If the Court decides to assess the Privacy Shield, the Commission will have new criteria for its future adequacy (re)assessments. If the Court finds it valid, it would be interesting to see how the Court differentiates this finding from its existing case-law under the first Schrems judgment in 2015.
Invalidation of the Privacy Shield without a transition period: If the Court decides to assess the Privacy Shield and finds it invalid, then all dataflows relying on this framework will become unlawful. Transatlantic dataflows have been in this position before, after the first Schrems judgment in 2015, but at that time companies had, as a fallback plan, the possibility to enter into SCCs while the US Government and the European Commission were agreeing on a new general framework for transfers. If both the SCC Decision and the Privacy Shield are declared invalid by the same judgment, at the same time, lawful dataflows from the EU will come to a standstill for a while, unless they are going to one of the 12 countries which currently have an adequacy decision, or are based on the few approved BCRs or the exceptional derogations.
Assessment of the Privacy Shield without a decision on its validity: One other possibility is for the Court to engage in an assessment of key provisions of the Privacy Shield as obiter dictum, without reaching a conclusion regarding its validity. Such an assessment could serve as guiding principles for the European Commission in its next annual evaluation of the effectiveness of the Privacy Shield, as well as in (re)assessing the adequacy of countries or regions/states within federal countries.
Regardless of how the CJEU rules in this case, the judgment will have consequences for the future of global dataflows.