July is set to be a busy month in Luxembourg. On the first and second of the month, the General Court of the European Union (which is part of the Court of Justice of the European Union (CJEU)) will hear a case against the EU-U.S. Privacy Shield brought by three French NGOs, La Quadrature du Net, French Data Network and Fédération FDN. A week later, on 9 July, the CJEU will hear arguments in Schrems II, in which the Irish High Court has referred 11 questions relating to whether the European Commission’s Standard Contractual Clauses (SCCs) provide an adequate level of protection for personal data which is transferred to the US.
Both cases have their genesis in the CJEU ruling in Schrems I (C-362/14), where the CJEU found that transfers of personal data to the USA under the old Safe Harbor scheme did not provide such an adequate level of protection, and therefore that transfers under that scheme were unlawful. In response to that ruling, the European Commission authorised a new scheme in collaboration with the US government, the Privacy Shield, which came under challenge from the French NGOs listed above in November 2016.
In essence, the NGOs’ complaint regarding Privacy Shield is that it does not prevent the processing of EU citizens’ personal data by US surveillance authorities, which was a key reason for the finding in Schrems I that the Safe Harbor scheme did not provide sufficient protection for EU citizens’ personal data. The NGOs acknowledge that Privacy Shield is a less vague scheme and, implicitly, that it is more protective than Safe Harbor was, but nonetheless have concerns about the effect of US law. They consider that US law permits what they describe as ‘mass surveillance’, so that there is no ‘essentially equivalent’ level of protection for personal data transferred to the US. This claim will be heard by the EU’s General Court in July, and after the ruling is handed down, it may be appealed to the General Court of the CJEU.
Similarly, the questions referred by the Irish High Court in relation to the SCCs focus on whether personal data transferred under the SCCs will be subject to an adequate level of protection purely by virtue of entering into the SCCs, or whether an additional analysis of the legal order in the country to which personal data is transferred is required.
We expect to receive judgments in these cases towards the end of 2019, or perhaps at the start of 2020, which could potentially see either or both of the Privacy Shield and SCCs invalidated as a mechanism for transferring personal data outside the EU, in a similar manner to the invalidation of Safe Harbor in 2015.
In such circumstances, the practical solution for companies relying on these transfer mechanisms remains an open question. The European Commission announced on 13 June 2019 that it will update the SCCs, which will provide a ready-made contractual mechanism for international transfers. This will also help reduce confusion about use of the SCCs, as the existing versions still refer to the Data Protection Directive and, in the case of the controller-processor SCCs, do not contain all the elements required by Article 28(3) GDPR. However, it is not clear whether this work will be completed prior to the court’s rulings, and future clauses may be subject to a challenge similar to that in Schrems II, on the basis that updated SCCs will not affect the underlying legal order of a non-EU jurisdiction.
For intra-group transfers within multinationals, Binding Corporate Rules are likely to become an increasingly attractive option, but the approval process can take some time, and companies will likely need an interim solution before approval is granted. Furthermore, alternative solutions may be required for transfers outside the group, although groups that act as processors for their clients can rely on their BCR to receive personal data outside the EU from those clients.
Other alternatives include the derogations set out in Article 49 GDPR, although in line with the EDPB guidelines, these are intended to be used only in limited circumstances, and in many cases may not be practical. For example, it would be extremely difficult to obtain consent to transfers from affected individuals (in particular employees) or to obtain approval from a competent supervisory authority for specific transfers, which supervisory authorities have historically not done. Although the EDPB guidelines consider this to be a last resort for use only where no other mechanism is available, the cases above may mean that it does become a relevant alternative.
Companies with operations in the UK should also consider the Brexit dimension. If the UK leaves the EU without an agreement on 31 October 2019, transfers from the EU27 to the UK will be considered transfers to a ‘third country’ under the GDPR, and will require some mechanism to legitimise them. The forthcoming judgments, particularly in relation to the SCCs, could seriously restrict the options for continuing lawful data flows into the UK after Brexit. At this stage, the most sensible course of action is to keep a close eye on these cases as they develop, while at the same time considering suitable alternatives to Privacy Shield and the SCCs.