LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

European Court of Justice wields axe against Privacy Shield

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its judgment in Data Protection Commissioner v (1) Facebook Ireland Limited and (2) Maximillian Schrems, Case C‑311/18. The case arose from the transfer of Mr Schrems’ personal data by Facebook Ireland to Facebook Inc. in the US. Mr Schrems challenged, amongst other things, the validity of the so-called Privacy Shield mechanism for the lawful transfer of personal data to the United States, and the validity of reliance on standard contractual clauses (SCCs) to justify such transfers.

The Privacy Shield enabled US entities to self-certify and publicly commit to the requirements of the Privacy Shield Framework: 23 Privacy Shield Principles governing the use and treatment of personal data received from the EU under the Framework, together with the access and recourse mechanisms that must be made available to EU data subjects. A commitment to these requirements was enforceable under US law. The consequence of a US entity committing to the Framework was that the European Commission accepted that the commitment legitimised the transfer of personal data to that entity without the need for further safeguards or for an overarching adequacy decision (so-called white-listing) in respect of the US. The Framework also provided for a Privacy Shield Ombudsperson, whose role was to offer an additional avenue of redress to EU data subjects whose data was transferred from the EU or Switzerland to the US under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks respectively.

The Privacy Shield Framework was itself a replacement for the previous Safe Harbor arrangements, under which the Commission had declared that US law ensured an adequate level of protection. The CJEU declared Safe Harbor invalid in October 2015 after Mr Schrems challenged those arrangements on account of the access to personal data available to US government entities and the associated surveillance activities for national security purposes. In particular, section 702 of the US Foreign Intelligence Surveillance Act (FISA) provides the basis on which the Foreign Intelligence Surveillance Court authorises, by annual certification, surveillance programmes such as PRISM and UPSTREAM to gather foreign intelligence information. Under PRISM, internet service providers (ISPs) are required to provide the NSA with certain data, some of which is also passed to the FBI and CIA; under UPSTREAM, telecommunications undertakings are required to allow the NSA to copy and filter internet traffic flows in order to acquire communications comprising both metadata and content. In addition, Executive Order 12333 permits the NSA, without any statutory basis, to access data in transit to the US before it arrives there and becomes subject to FISA.

The Court determined that:

- while Article 2(2) GDPR makes clear that its provisions do not apply to activities falling outside the scope of EU law or to Member States carrying out activities relating to security and defence, that does not exempt a transfer of personal data from the EEA to a third country from the GDPR’s requirements, even if, at the time of that transfer or thereafter, the data is liable to be processed by the authorities of the third country for those purposes;

- while the Commission’s decision approving the SCCs remains valid, any transfer relying on SCCs must nevertheless satisfy the requirement of Article 44 GDPR that the level of protection afforded to data subjects in the country of import be essentially equivalent to that guaranteed in the EU, having regard to the fundamental rights set out in the Charter of Fundamental Rights of the EU (such as the Article 7 right to respect for private and family life and the Article 8 right to the protection of personal data). That requires, amongst other things, appropriate safeguards, enforceable rights and effective legal remedies for data subjects;

- in the absence of a Commission adequacy decision for a third country, a supervisory authority which determines that the SCCs are not or cannot be complied with in that country, and that the protection of the personal data cannot be ensured by other means, is required to suspend or prohibit the transfers concerned (where the exporter has not already done so itself);

- the communication of personal data to a third party, such as a public authority, and the retention of and access to such data, constitute an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Since neither s702 FISA nor EO 12333 confers on data subjects effective and enforceable rights against the US authorities, transfers to the US do not meet the minimum necessary safeguards. In particular, the Ombudsperson mechanism does not provide a remedy before a body that is independent of the executive and whose decisions bind the intelligence services, as Article 47 of the Charter requires; and,

- the Commission’s Privacy Shield decision was invalid.

Following the judgment, in a statement on 27 July 2020, the Information Commissioner’s Office indicated that entities conducting relevant international transfers should “take stock of the international transfers you make and react promptly as guidance and advice becomes available”, but no practical guidance has yet been issued.

The European Data Protection Board has confirmed that there is no grace period for finding an alternative basis on which to transfer personal data: the Privacy Shield was invalidated with immediate effect. At the same time, reliance on Standard Contractual Clauses does not of itself guarantee that a transfer is compliant.

In the meantime, Amazon’s German entity is reported by Politico to be facing proceedings over claims that it has continued to transfer personal data to the US in reliance on Privacy Shield, so data exporters cannot afford to be complacent.

Data controllers need to take urgent action to review their international data transfers, particularly but not exclusively those to the US. Where Privacy Shield has been relied upon, an alternative ground for transferring the data must be identified and implemented. Where SCCs are relied upon, or it is intended to rely on them, an assessment of whether the transfer is appropriate must be undertaken. While there is currently no guidance on what such an assessment should consider, or on the circumstances in which a transfer might be appropriate, relevant factors would include:

- the nature of the lack of equivalence in the country of import;

- the avenues of redress available to data subjects in that country;

- the existence and efficacy of a supervisory authority in that country;

- the wider legal framework in that country;

- the frequency of the transfer, the volume of data transferred and the number of affected data subjects;

- the categories of personal data being transferred;

- the nature of the services being provided; and,

- the extent to which it is necessary to transfer the data to the relevant entity at all.

Your assessment of the risks associated with the transfer, and of any mitigating measures or other available safeguards, should be recorded, but a recorded assessment will not necessarily be sufficient to avoid censure.

Should you require assistance in identifying and reviewing international data transfers or in conducting assessments, please contact us: info@handleygill.com