Schrems v US
- By James Ferguson
The European Court of Justice (CJEU) recently handed down its latest judgment on the transfer of data outside of the EU in Schrems 2.0.
Max Schrems is an Austrian lawyer and privacy activist. In Schrems 1.0 he established that the Safe Harbor framework used by Facebook to transfer personal data from the EU to the United States was invalid. The Safe Harbor framework had been the accepted practice between the US and EU since 2000. It was subsequently replaced by the EU-US Privacy Shield.
Schrems then reformulated his complaint to tackle data transfers from the EU to the US on foot of Standard Contractual Clauses (SCCs). These were alternative arrangements developed by Facebook in light of Schrems 1.0.
The Data Protection Commissioner (DPC) in Ireland concluded that US laws did not provide EU citizens with ‘an equivalent judicial remedy’. This could not be remedied with the use of SCCs. The DPC brought proceedings before the High Court in Dublin, which were then referred to the CJEU for a preliminary ruling.
Under the General Data Protection Regulation (GDPR), and the Data Protection Directive it replaced, personal data can be transferred to a third country if there is an adequate level of data protection. In this context, ‘adequate’ can be read as ‘equivalent’. The European Commission (EC) had approved the EU-US Privacy Shield and SCCs for data transfers to the United States.
The CJEU concluded that, although SCCs may provide a valid data transfer mechanism, the protections afforded by US law were not adequate. Adequacy under GDPR would include such aspects as the rule of law, human rights and independent, and international, oversight.
The ICO recently updated its guidance:
…you should take stock of the international transfers you make and react promptly as guidance and advice becomes available
The EDPB [European Data Protection Board] has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
The judgment says that …supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.
The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.
For SCCs, it is not all bad. Essentially, it is a matter of proceeding with some caution on a case-by-case basis to ensure that the recipient country has adequate protections for data subjects.
That said, there will be implications for countries outside the EEA, including a post-transition UK.