The Court of Justice of the European Union (CJEU) will deliver its decision in one of the most anticipated court cases in data protection, C-311/18: Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, the so-called “Schrems II” case, on July 16. The case will determine whether standard contractual clauses (SCCs) are a valid mechanism to transfer data to the U.S. or globally, and may decide the future of the EU-U.S. Privacy Shield. The court’s decision will have significant implications for how data will be permitted to travel across the Atlantic, with direct, meaningful impacts on the ability of firms established in the EU to conduct business globally, and a particular impact on the largest commercial relationship in the world. Moreover, given the General Data Protection Regulation’s (GDPR) global influence, these decisions could impact how other countries approach data governance.
The implications of this ruling will also have impacts beyond the realm of data protection. A negative ruling would create enormous legal uncertainty, negatively affecting trade and the economy during the most significant health crisis of this century. It would also erode trust in the EU’s landmark GDPR, which legally codified several different mechanisms for the predictable outbound transfer of data. Among those, SCCs are surely relied on by more companies globally than any other.
What are SCCs and the EU-US Privacy Shield? Why are they important?
The GDPR codifies a range of data transfer mechanisms widely utilized by companies, including consent, Binding Corporate Rules (BCRs), SCCs, and codes of conduct. SCCs are sets of template contract clauses approved by the European Commission with certain requirements that offer sufficient safeguards on data protection for the data to be transferred internationally. The European Commission created this mechanism as a rigorous tool for ensuring the protection of personal data while allowing for its necessary movement. SCCs are relatively easy to use amongst approved data transfer mechanisms. They remove the need for negotiating individual contract terms, meaning companies rely on them heavily for day-to-day business operations to facilitate trade and provide privacy protection for data transfers across borders.
The Schrems II case began with Max Schrems, an Austrian privacy advocate, who decided to challenge the legitimacy of SCCs. In an opinion released on December 19, 2019, the Advocate General (AG) Henrik Saugmandsgaard Øe stated that SCCs are a valid mechanism to sufficiently protect personal data in outbound transfers from the EU to third countries, but questioned the U.S. approach on national security protections and the level of privacy protections for European individuals under the EU-U.S. Privacy Shield. Though the opinion is not legally binding, it does provide insights into the upcoming ruling as the CJEU often follows the reasoning of the AG’s opinion.
Whereas SCCs are a tool for EU-based entities to transfer data anywhere in the world, the EU-U.S. Privacy Shield is a separate, bilateral mechanism that facilitates transatlantic data transfers. A European Commission decision on July 12, 2016 established the EU-U.S. Privacy Shield as an adequate mechanism to enable data transfers and provided companies across the Atlantic with a mechanism to comply with data protection requirements when transferring data. To join the EU-U.S. Privacy Shield, U.S.-based organizations are required to self-certify to the U.S. Department of Commerce that they comply with the relevant requirements, including informing individuals about data processing, providing accessible recourse to dispute resolution, and ensuring accountability. Today, there are over 5,000 certified organizations relying on this mechanism to build trust and promote innovation. Thanks in part to the European Commission’s ongoing work and the U.S. government’s increased commitment to the effort – including to establish an Ombudsperson and repopulate the Privacy and Civil Liberties Oversight Board (PCLOB) – the EU-U.S. Privacy Shield continues to perform well and deliver on its objectives. Though the mechanism can be improved further, it has become an integral tool for both U.S. and European companies to extend the protection of personal data as fundamental rights outside of the EU.
The SCCs and EU-U.S. Privacy Shield are both essential mechanisms for international business operations, allowing firms around the world to provide robust assurances on the protection of personal information and enabling the transparent, non-discriminatory, and necessary movement of data across borders.
During the COVID-19 pandemic and economic crisis, interrupting data flows would be another obstacle to recovery. Cross-border data flows play an essential role in combating the pandemic through data sharing and finding solutions across nations, and both mechanisms ensure there is privacy protection in place. Even when several data protection and privacy authorities have issued guidance to clarify the flexibilities within their regulatory framework, the SCCs and EU-U.S. Privacy Shield continue to enshrine fundamental rights while allowing data to flow freely.
What are the potential scenarios and implications for the Schrems II case ruling?
The CJEU has not been asked to give a direct decision on the validity of the EU-U.S. Privacy Shield, though it could still do so. We see five possible outcomes from this month’s ruling. The court could:
1. Uphold the SCCs and the EU-U.S. Privacy Shield, keeping both mechanisms valid.
2. Maintain the SCCs as a valid data transfer mechanism but strike down the EU-U.S. Privacy Shield.
3. Find that some or all transfers to the U.S. are problematic and further invalidate SCCs, but keep the EU-U.S. Privacy Shield valid for now and leave that question to case T-738/16: La Quadrature Du Net and Others v Commission, a forthcoming French court ruling directly on the validity of the EU-U.S. Privacy Shield.
4. Invalidate some or all SCC transfers to the U.S. and further strike down the EU-U.S. Privacy Shield.
5. Invalidate some or all SCC transfers globally, and further strike down the EU-U.S. Privacy Shield.
The only positive outcome for the Schrems II case ruling would be the first scenario, under which companies could continue to rely on both SCCs and the EU-U.S. Privacy Shield for data transfers between the EU and U.S. If the second scenario occurs, companies would face a situation similar to when the Safe Harbor program ended in 2015 and would have to turn to SCCs and BCRs. These, however, are more costly at the outset and cannot serve as an immediate alternative. Other possible alternatives, such as the GDPR codes of conduct or certification, are not currently available. It is possible that EU and U.S. authorities would negotiate a successor to the EU-U.S. Privacy Shield in the future. However, if the CJEU invalidates the SCCs, as in scenarios 3, 4 and 5, companies would face many difficulties, including suspending some data transfers to avoid risking GDPR fines. Such a ruling may also create an untenable situation where data transfers via SCCs are invalid to the U.S., but not to other third countries with more pervasive surveillance, including China. The precise impact would depend on the specific terms of the ruling, and how the U.S. and EU would respond to mitigate the negative commercial consequences.
Overall, if SCCs are invalidated, very limited alternatives remain for international data transfers, and the decision would potentially hit small and medium-sized enterprises (SMEs) the hardest. Such a ruling might also create a precedent that would increase the possibility that the EU-U.S. Privacy Shield is invalidated in the La Quadrature Du Net case ruling later this year. A negative CJEU ruling will have a catastrophic impact on global data flows and the global economy if it invalidates both the SCCs and EU-U.S. Privacy Shield.
SCCs and the EU-U.S. Privacy Shield not only effectively protect individual privacy when transferring personal data internationally, they are also essential mechanisms to enable growth and innovation across all sectors of the economy. Predictable data transfer mechanisms – founded on providing the strongest protections for personal information – are what make GDPR a successful regulatory model. The invalidation of SCCs and potentially the EU-U.S. Privacy Shield would call into question the viability of GDPR as a workable legislative framework in a global economy that requires transparent mechanisms for the movement of data across borders.