Schrems II: A new era in cross-border data transfers

Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems, has undoubtedly become a benchmark for the appropriate safeguards for the transfer of personal data from the EU to the US. The GDPR stresses that the transfer of personal data to a third country is permissible only if the latter ensures an adequate level of protection. The transfer of personal data to the US was grounded on a European Commission decision adopted in 2000 (the ‘Safe Harbour Decision’).

Maximilian Schrems, whose personal data had been transferred by Facebook Ireland to servers of Facebook Inc located in the United States, lodged a complaint with the Irish Supervisory Authorities in an attempt to prohibit that transfer, but the latter did not accept it due to the existence of the ‘Safe Harbour Principles’. Nevertheless, the CJEU held that the existence of an adequacy decision cannot eliminate or reduce the powers of national supervisory authorities, because doing so would encroach on EU primary law (Art. 8 of the EU Charter of Fundamental Rights and Art. 16 of the Treaty on the Functioning of the EU). The restriction of the Supervisory Authorities’ powers therefore led the CJEU to declare the Safe Harbour Decision invalid.

After the annulment of the Safe Harbour arrangement, the European Commission and the US agreed on a new framework known as the EU-US Privacy Shield. In particular, the Privacy Shield scheme includes data protection obligations for companies receiving personal data from the EU, mechanisms of redress and protection for individuals (the Ombudsperson mechanism), and an annual joint review of the scheme’s implementation.

On 16 July 2020, the CJEU delivered its cornerstone judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems (Schrems II), declaring the EU-US Privacy Shield invalid and bringing Standard Contractual Clauses (SCC) under scrutiny as well. In particular, the Court stressed that an essential reason for this invalidity is that the limitations on the protection of personal data arising from US domestic law are not tailored so as to meet the requirement of a level of protection essentially equivalent to that of the EU, and thus the fundamental EU principles of proportionality and necessity are neglected. Moreover, the Ombudsperson mechanism included in the Privacy Shield did not provide data subjects with guarantees substantially equivalent to those required by EU law.

With respect to transfers based on the SCC, the Court specified that prior to each transfer there must be an assessment of its framework, including the legal system of the third country, the nature of the data being transferred and the potential privacy risks emanating from the transfer. Furthermore, the data importer is now obliged to inform the data exporter of any potential inability to comply with the SCC, and where compliance is not possible, the data transfer must be suspended or terminated. Finally, even though the SCC remain valid, a procedure corresponding to that of the data protection impact assessment (DPIA) must be conducted in order to guarantee an adequate (current and future) level of protection.

This landmark judgment substantially modifies the EU-US data protection landscape and significantly affects many companies and organizations throughout the world. Even though some EU Member State Supervisory Authorities have reacted to the decision, the Hellenic Data Protection Authority has not yet published official guidance on the Schrems II decision, but such guidance is expected shortly.