CJEU Issues Judgment On SCCs And Privacy Shield
Yesterday, the Court of Justice of the European Union (‘CJEU’) – the EU’s highest court – delivered its much awaited ruling on the validity of the Privacy Shield and the EU Commission’s Standard Contractual Clauses (‘SCCs’). Both are mechanisms which facilitate the lawful transfer of personal data outside the EU (and in the case of the Privacy Shield, between the EU and the US).
How Did The CJEU Rule?
The CJEU’s key findings were that:
- the Privacy Shield is invalid; and
- the SCC’s are valid and remain an effective tool for transferring personal data outside the EU.
However, the CJEU also provided clarification regarding the use of SCCs. In particular, it made it clear that the SCCs are not a ‘magic wand’. Where they are used, controllers must consider whether the level of protection required under the SCCs will actually be recognised and upheld in the recipient country (or whether, for example, public authorities in that country have unjustifiably broad rights to access the personal data). If the required level of protection can’t be assured, controllers should not be proceeding or continuing with the relevant transfers or will need to ensure that other protective measures are implemented to ensure an adequate level of protection for the personal data concerned. Similarly, data protection authorities should be requiring the suspension/cessation of international personal data transfers where they become aware that the protections for personal data set out in the SCCs cannot be adhered to in practice.
What Does This Mean For Businesses?
- Businesses which currently rely on the Privacy Shield to transfer personal data between the EU and US will, at some point in the near future, need to start relying on one of the other safeguards listed in the GDPR if they wish to continue making such transfers. It is not yet clear what period of grace will be given to such businesses to put new arrangements in place;
- Before relying on the SCCs as their new ‘fallback’ data transfer mechanism, such businesses will need to consider carefully whether the reasons behind the CJEU’s ruling in respect of the US Privacy Shield means that they are equally prevented from relying upon the SCCs (i.e. because of the extent of the US government’s powers to access the personal data of EU citizens which is transferred to the US);
- Businesses which already rely on the SCCs need to ask themselves whether the legal framework in the recipient country means that the level of protection contradicts that expected under the SCCs. If that is the case, consideration should be given as to whether any of the other safeguards are available or, if not whether such transfers can continue;
- Businesses planning to rely on the SCCs in future need to think about carrying out due diligence in relation to the laws that apply in the recipient country. Is there a risk that such laws might reduce the level of protection for the personal data to be transferred below that expected by the SCCs?
- Businesses who go ahead and use SCCs should think about imposing a contractual obligation on the data importer to notify them if the data importer becomes aware that it cannot adhere to the requirements of the SCCs.
Will There Be Further Guidance?
Yesterday’s decision gives rise to a lot of uncertainty, in particular as to:
- whether and if so how, businesses can transfer personal data between the EU and US based on the SCCs; and
- the additional precautions that all businesses which use the SCCs will need to take in the future.
Hopefully, national data protection authorities, in particular the ICO, will be quick of the mark to produce practical guidance on how the CJEU’s ruling should be acted upon by businesses in practice.