Schrems II: Is the transfer of personal data to the USA still allowed?

In a long awaited decision (C-311/18), delivered on 16 July 2020 and already widely publicised, the Court of Justice of the European Union had to rule on the validity of the standard contractual clauses for the transfer of personal data to processors established in third countries (Decision 2010/87, as amended by Decision 2016/2297, more commonly referred to as the “Model Clauses”), respectively on that of the EU-US Data Protection Shield (Decision 2016/1250, more commonly referred to as the “Privacy Shield”).

While the model clauses were narrowly saved, this ruling does, however, sound the death knell for “Privacy Shield”.

I. Reminder of the principles underlying the transfer of data to a third State

As a preliminary point, it should be recalled that the transfer of data from an EU Member State to a third country requires either that the recipient country has been recognised by the Commission as offering a level of protection considered adequate (Article 45 GDPR; for a list of these countries, of which Switzerland is currently a member, see here), or that the controller has provided appropriate safeguards (Article 46 GDPR).

In addition to the model clauses, expressly accepted as an appropriate form of guarantee allowing transfer to the United States (Art. 46 para. 2 lit. c GDPR), the United States had hitherto been recognised as offering an adequate level of protection with regard to companies that had decided to voluntarily submit to the “Privacy Shield” (for a list of such companies, see here).

II. Reminder of the facts that led to the dispute

In substance, Maximillian Schrems, an Austrian national, argued that the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States did not offer the necessary insurance guarantees as the US surveillance legislation violated Articles 7 (right to respect for private and family life), 8 (protection of personal data) and 47 (right to an effective remedy and to have access to an impartial court) of the Charter of Fundamental Rights of the European Union.

Two particular acts are at issue: first, Art. 702 FISA (Foreign Intelligence Surveillance Act), under which the Attorney General and the Director of National Intelligence may jointly authorize the surveillance of non-U.S. nationals outside the United States for the purpose of obtaining “foreign intelligence information”; This provision forms the basis for the PRISM (which directs Internet service providers to provide the NSA, and to some extent the FBI and the CIA, with all communications sent and received by a particular individual) and UPSTREAM (which directs telecommunications companies operating the Internet “backbone” to allow the NSA to copy and filter Internet traffic flows to collect communications sent by or received by the particular non-U.S. national) surveillance programs. Second, E.O. 12333, which allows the NSA to access data “in transit” to the United States, by accessing submarine cables laid on the Atlantic floor, and to collect and store its data before it arrives in the United States and is submitted to FISA.

III. Validity of model clauses

As a preliminary point, the Court had to rule on the question whether data processing carried out for security reasons was not excluded from the scope of the GDPR, more particularly in the light of Article 2(2)(a), which, when interpreted, excludes the application of the GDPR when the data processing is carried out by authorities for reasons of national security. The Court answers in the negative, considering that it is not the possible processing by the US authorities that is at issue here, but rather the transfer between two economic entities (namely Facebook Ireland on the one hand, and Facebook Inc. on the other). The possibility that personal data transferred between two economic operators for commercial purposes may, during or as a result of such transfer, be processed for public security purposes does not have the effect of removing such transfer from the scope of the GDPR.

With this preliminary issue settled, the Court turns to the question of whether the Model Clauses can be considered an “appropriate safeguards” permitting transfer to the United States as provided for in Art. 46 GDR. In essence, its reasoning is as follows:

• The question of whether “adequate safeguards” and “enforceable data subject rights and effective legal remedies” are satisfied within the meaning of art. 46.1 GDPR must be considered in light of the fundamental rights guaranteed by the Charter, which is the basic benchmark for judging a country’s adequacy under Art. 45 GDPR.
• In this framework, if the content of the Model Clauses can constitute “appropriate safeguards”, the controller must still ensure that the possibilities of access to the data by the public authorities of the recipient country and the legal remedies made available to the individuals concerned can be considered acceptable, a question that will be examined in the light of the criteria laid down in Art. 45.2 GDPR.
• The fact that the Commission has adopted Model Clauses as allowed by Art. 46.2 lit. c GDR does not mean that the examination of these clauses by the supervisory authority and the possibility for this authority to take, if necessary, the measures provided for by 58.2 lit. f and j GDPR do not apply. However, a distinction must then be made according to whether the country of destination has been the subject of a decision of adequacy in the sense of Art. 45.1 GDPR or not:
• Where the recipient country has been recognised as offering an adequate level of protection within the meaning of Art. 45.1 GDPR (a case in which it is difficult to see the point of resorting to the Model Clauses), a supervisory authority may not of its own motion adopt measures contrary to such a decision on adequacy; however, such a decision does not prevent an individual whose data have been transferred from lodging a complaint in violation of his fundamental rights with the competent national supervisory authority, as permitted by 77 GDPR.Thus, where a matter is referred to it by an individual, the supervisory authority must be able to examine independently whether the transfer carried out complies with the requirements laid down in the GDPR and, if necessary, to bring an action before the national courts for a preliminary ruling by the latter, if necessary, to the Court of Justice for the purpose of examining its validity. However, it is only once the decision has been invalidated by the Court that the supervisory authority may then suspend or prohibit the transfer of data to the country in question pursuant to Art. 58 GDPR.
• Where the recipient country does not benefit from such an adequacy finding, however, the answer is different. The Court points out that Model Clauses are certainly binding only on the parties, to the exclusion of the authorities of the country of destination, which are obviously not a party to the contract. The fact that the authorities are not bound does not, however, mean that those clauses are invalid. On the other hand, as long as the content of these clauses is standard and as such does not necessarily take into account the legislation of the recipient country, in particular as regards its possibilities of interference, it is incumbent on the controller to carry out an analysis of the applicable regulations in order, if necessary, to supplement these Model Clauses on one point or another.

In other words, incorporating a Model Clause is not sufficient to ensure that the transfer has adequate safeguards. The legislation of the recipient country must also provide effective means for individuals to complain about a possible violation of their rights under Art. 47 of the Charter. If this is not the case, then recourse to the Model Clauses without any kind of supplement must be considered insufficient. In such a case, the supervisory authority may then intervene directly on the basis of Art. 58 GDPR to suspend or prohibit the transfer.

Art. 4 lit. a of the Model Clause in fact requires the controller to ensure that the legislation of the recipient country allows the recipient to comply with the obligations contained in the Model Clause. However, Art. 5 lit. a of the Model Clause is a welcome help to the controller in this context, since the importer must inform him as soon as possible of his possible inability to comply with his obligations contained in the said Clause, while Art. 5 lit. b reinforces this obligation by providing that the importer must also confirm that he has no reason to believe that the applicable law prevents him from complying with these obligations.

If, on the other hand, the importer is unable to comply with its obligations, the Court considers that Art. 4 lit. a of the Model Clause then requires the controller to suspend or prohibit any transfer, it being specified that Art. 12 additionally requires that data already transferred be returned or destroyed. In the event of a change in the law, of which the importer should inform the controller, the controller may decide to continue the processing, but must then inform the supervisory authority, in accordance with Art. 4 lit. g of the Model Clause. Again, it will then be open to the supervisory authority to suspend or prohibit any processing, in accordance with Art. 58 GDPR.

In view of the system thus established by the operation of Art. 4 and 5 of the Model Clause, the Court considers that the clause provides for effective means that meet the requirements of Art. 7, 8 and 47 of the Charter. In so doing, the Court thereby confirms the validity in principle of the Model Clauses.

IV. Lack of adequacy of the Privacy Shield

While the combination of Art. 4 and 5 of the Model Clause saves its validity, such a mechanism is not provided for in the Privacy Shield. In the Court’s view, the Privacy Shield does not offer appropriate guarantees of protection in two respects:

• Point 1.5 of Annex II expressly states that adherence to the principles may be limited by, inter alia, “national security, public interest and law enforcement requirements”. This primacy of state interference over fundamental rights is not counterbalanced by any limitations contained in the PRISM and UPSTREAM monitoring programs based on Art. 702 FISA and E.O. 12333. In so doing, US law contravenes the principles of necessity and proportionality and, more broadly, Art. 7, 8 and 52 of the Charter, from which it follows that any interference with fundamental rights must be subject to a definition as to the scope of the limitation on the exercise of the right concerned, provide for clear and precise rules governing the scope and application of the measure in question and impose minimum requirements.
• The establishment of an Ombudsman, as provided for in Appendix III, cannot be regarded as an effective means of judicial review within the meaning of Art. 47 of the Charter, since the Ombudsman reports directly to the Secretary of State and is an integral part of the United States Department of State, without any means of appeal to a body offering guarantees comparable to those provided for in Art. 47 of the Charter.

In the light of the foregoing, the Court declares Decision 2016/1250 invalid.

V. Practical implications

What should one think about the outcome of this case?

• First of all, it should be recalled that companies that have joined the Privacy Shield, notwithstanding the invalidation of Decision 2016/1250, continue to be subject to it and, as such, must continue to meet their obligations under it. However, it is doubtful whether these companies will have any interest in maintaining their adhesion to the Privacy Shield, since the main objective of this adherence is now irrelevant. It is therefore likely that they will prefer to start a withdrawal process. Time will tell.
• Secondly, the judgment delivered is essentially based on an examination of the compatibility of the contested decisions with the Charter of Fundamental Rights of the European Union, which is not applicable to Switzerland. It would, however, be naive to conclude that the judgment will have no impact in Switzerland. Although the Federal Commissioner has not yet formally pronounced himself on the impact of this judgment with regards to the validity of the Swiss-US Privacy Shield, it is difficult to imagine that he would take a different stance in light of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (more commonly known as Convention 108). Swiss companies whose activities involve processing in the United States will therefore most likely have to consider the situation in the same way as any company based in the European Union.
• In this respect, the following stages of analysis should be noted:
  1. A first batch of companies, usually fairly large ones, were already doubling their adherence to the Privacy Shield with the execution of the Model Clauses. For these companies, the urgency appears to be less.
  2. A second batch, having anticipated the possible invalidation of the Privacy Shield, had expressly provided that in this case the parties would resort to a Model Clause. For these companies, it is now a matter of getting in touch and entering into such a Model Clause.
  3. A third batch, already doubtful about the validity of the Privacy Shield, had decided to use only the Model Clauses from the outset.
  4. However, it is no longer enough to benefit from an existing or future Model Clause. Each data controller, assisted in this by the importer, will have to ensure that existing legislation in the recipient country enables the importer to comply with its obligations and provides effective means for the data subjects to complain about possible violations of their fundamental rights.

With regard to the transfer to the United States, it is difficult to see how the legislation could devote effective means in the light of Art. 47 of the Charter when the controller uses a Model Clause, whereas this provision would be violated in the light of the Privacy Shield. Unless the data are anonymized, the transfer of data to the United States is therefore likely to give stakeholders a hard time from now on, unless they are willing to accept the resulting risk-taking. A careful analysis will therefore be necessary here.

This beinig said, this approach applies not only to the United States, but to all countries that do not offer an adequate level of protection, in fact a very large majority of States. Thus, the data controller will have to assess the risks by asking himself in particular about : (i) the scope of the processing, (ii) the manner in which the data are processed, (iii) the powers of the authorities likely to want to access the data, and (iv) the possibility of opposing such a request (if necessary in court).

Should this risk assessment lead to the conclusion that the legislation in question does not offer sufficient guarantees, the controller should then endeavour to complete the Model Clauses to remedy these shortcomings.

At this stage at least, it must be admitted that it is difficult to see how legislative shortcomings could, by contractual means, make it possible to remedy State interference…More precise clauses and additional obligations on the importer are probably at least likely to reflect the efforts made by the controller to identify and remedy problems and thus reduce the adverse consequences that any lack of assessment could have on him. The European Data Protection Board is expected to provide some guidance in this respect in the near future.

In the end, however, embarking on such a risk assessment seems to be the prerogative of the largest market players. Although understandable in some respects, however, the arguments put forward by the ECJ fail to take into account the economic reality and the enormous costs that a systematic risk assessment for any country that does not offer an adequate level of protection will lead to for the vast majority of companies. Will “third country” providers agree to swallow the costs of this analysis, which data controllers will very often invite them to carry out in order to offer them the necessary guarantees, or to integrate them commercially in their pricing model?

Assuming that such an assessment is systematically necessary, as the Court’s reasoning leads us to believe, does such a burden not contravene the very purpose of the Model Clause and the ease of implementation sought in order to dispense with the prior agreement of the supervisory authority? It goes without saying that the performance of any risk assessment and the resulting decision will have to be documented, which adds another layer of burden from a management and governance standpoint. In this case, would it not be better to seek prior approval by the supervisory authority, which is precisely what the Model Clauses were intended to avoid?

Admittedly, times have changed since the adoption of the Model Clauses, and interference with national security is, for many States, a means of excessive surveillance. In its effects, the Court’s judgment is thus likely to encourage a re-nationalisation of markets, a vision that is certainly possible, but which is still far from the reality of an economy that is, and will certainly remain for a long time to come, largely globalised. Does this mean that this ruling will remain largely impracticable unless the Model Clauses are revised to bring them up to date? That remains to be seen.

In any event, in the light of the above, unless it is possible to completely anonymise the data processed, which is an increasingly difficult task, it seems reasonable to assume that the vast majority of stakeholders will prefer for the time being to adhere to the Model Clauses without further analysis and take the resulting risks rather than systematically embarking on such a risk assessment. In any case, this position is likely to prevail as long as the European Data Protection Board and the supervisory authorities have not worked together to issue guidelines on how this judgment will now be applied in practice.

Let us bet that the attitude of the supervisory authorities will be a vector here as elsewhere as to the attitude to be adopted: if the ICO already seems willing to show a certain pragmatism, it is not the same in Berlin, where the Commissioner has informed that the data controllers must now comply with the ruling and seek, particularly with regard to the use of cloud providers, alternatives allowing data to be migrated back to Europe.

In a future article, we will examine how transfers to the United States can, potentially, take place.