On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the matter of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”). The matter, arising from the transfer of Schrems’ personal data by Facebook Ireland to Facebook Inc. in the United States, presented questions concerning the transfer of personal data from the EEA to a third country without an adequacy determination. The decision declares the EU-US Privacy Shield program invalid and affirms the validity of standard contractual clauses (SCCs) as an adequate mechanism for transferring personal data from the EEA, subject to heightened scrutiny.
The CJEU invalidated the Privacy Shield program on grounds that it fails to provide an adequate level of protection to personal data transferred from the EEA to the U.S. In support, it points specifically to three U.S. national security authorities: FISA Section 702, E.O. 12333, and PPD-28. The CJEU found that the breadth of these bulk surveillance and monitoring programs violates the basic minimum safeguards the GDPR requires for proportionality: the U.S. government’s processing of EEA personal data is not limited to what is strictly necessary. The CJEU further noted that these surveillance programs fail to provide EEA data subjects with enforceable rights and effective legal review comparable to those available under EU law. As of the date of the decision, data exporters and U.S. data importers can no longer rely on EU-US Privacy Shield certification as an adequate mechanism to transfer personal data from the EEA to the U.S. There is currently no grace period. However, since a grace period was enacted shortly after the EU-US Safe Harbor was invalidated, it is conceivable that one will be announced as the EU and U.S. assess the implications of this decision.
The CJEU affirmed the validity of controller-processor standard contractual clauses (SCCs) as an adequate mechanism for transferring personal data from the EEA to a third country lacking an EU adequacy decision. In affirming the validity of SCCs, the CJEU highlighted three stakeholder obligations:
- the data exporter’s responsibility to verify the importer’s ability to provide an essentially equivalent level of protection in the third country;
- the data importer’s responsibility to notify the exporter immediately if it cannot comply with the SCCs, including situations where it is compelled to produce EEA data at the request of law enforcement; and
- the data exporter’s responsibility to immediately suspend or terminate the transfer upon notice from the importer that it cannot comply with the SCCs.
Based on these requirements, the SCCs may not be an adequate transfer mechanism in every case, or may require the negotiation of additional provisions to satisfy these obligations.
The CJEU further highlighted the affirmative obligation of supervisory authorities to identify and suspend or terminate transfers based on SCCs where the importer cannot provide EEA data with an adequate level of protection.
Under the GDPR, an impermissible transfer can result in fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, EEA data subjects may bring a private cause of action for an illegal transfer, either individually or as part of a class action.