GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clauses – implications for Australian organisations
A recent landmark decision of the Court of Justice of the European Union has sent international shockwaves and caused a headache for those relying on popular transfer mechanisms to comply with their obligations under the General Data Protection Regulation.
The court declared that the EU-US Privacy Shield is no longer a valid mechanism for data transfers outside of the European Economic Area (EEA) and imposed strict conditions for organisations relying on the Standard Contractual Clauses (SCCs) to transfer data outside of the EEA. In this article our GDPR experts cut through the hype to explain the real impacts for Australian entities who are either directly subject to the GDPR or are otherwise receiving personal data from the EEA.
Chapter V (Articles 44-47) of the General Data Protection Regulation (GDPR) governs the transfer of personal data to countries outside the EEA. Chapter V seeks to ensure that, when transfers are made to countries outside the EEA, the level of protection afforded to individuals by the GDPR is not undermined.
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its judgment in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (Schrems II).
The CJEU declared:
- the EU-US Privacy Shield to be immediately invalid – causing headlines and a major headache for the 5000 plus organisations who registered to use the EU-US Privacy Shield as a transfer mechanism – because US national security laws (such as the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333) effectively trump privacy protections, and data subjects do not have actionable rights against US authorities
- the Standard Contractual Clauses approved by the European Commission remain an adequate mechanism for transferring personal data outside of the EEA, subject however to certain conditions being met, as explained below.
The invalidation of the EU-US Privacy Shield has rightfully caused concern for organisations who rely on it for the transfer of data out of the EEA, including many large US based tech companies and their customers. Since the decision, civil rights group Noyb has filed 101 complaints against European companies who continue to transfer data to Google and Facebook despite the ruling, and also against Google and Facebook in the US.
Perhaps even more significant for Australian entities are the broader impacts for entities relying on the SCCs, whether they are subject to the GDPR (e.g. because they offer goods or services to people in the EEA, monitor the behaviour of people in the EEA or have an office in the EEA) or are simply receiving and processing personal data from the EEA.
Validity of the SCCs
The CJEU held that the SCCs remain valid because they allow for personal data transfer to be suspended or prohibited if the data importer cannot comply with obligations equivalent to the GDPR, for example if local surveillance laws undermine the privacy protections. However, to rely on the SCCs (and to avoid such suspension or prohibition), parties to the transfer must ensure the following conditions are met:
- prior to any transfer, the parties (i.e. the data exporter and data importer) to the SCCs must verify on a case-by-case basis whether the laws of the country where the data importer is based ensure adequate protection for personal data essentially equivalent to that guaranteed within the EU by EU law
- where the law of the data importer falls short, the parties are encouraged to enter into 'other clauses or additional safeguards' to supplement those offered by the SCCs.
When carrying out an assessment of whether there is adequate protection, the parties must consider the SCCs agreed between the data exporter and the data importer. The parties must also consider relevant aspects of the legal system of the third country in which the data importer is located, including whether its public authorities are permitted to access the data (as was found to be the case in relation to the US).
The decision highlights the obligation on data importers to satisfy themselves that their legal system allows for them to comply with their obligations under the SCCs. Where data importers are unable to do so (e.g. if local surveillance laws preclude this), they must notify the data exporter who must consider suspending the transfer and/or terminating the SCCs.
The practical impact of this change is that transfers to Australia are likely to undergo greater scrutiny than before. Parties can no longer simply agree to the SCCs as a matter of course, and Australian based entities wishing to receive EU personal data under the SCCs will need to have robust privacy and security measures in place, essentially equivalent to the GDPR (even if such organisations are not directly captured by the GDPR themselves).
Finally, the CJEU determined that supervisory authorities must suspend or prohibit transfers where they take the view that the data to be transferred to a third country will not have the level of protection which is required by the GDPR, and where the data exporter has not themselves suspended the transfer after receiving a notice from the data importer regarding an inability to comply with the SCCs.
Privacy Shield: No longer a valid transfer mechanism
The CJEU held that the EU-US Privacy Shield is no longer a valid mechanism for transferring personal data to US entities, with immediate effect.
Following a review of US surveillance laws, the CJEU found that the requirements under such laws and certain programs enabled US authorities to access personal data transferred from the EU to the US for national security reasons and did not give data subjects actionable rights before US courts. This means that the level of protection afforded under US law is not equivalent to that under EU law.
The European Data Protection Board (EDPB) has clarified its position following the decision, confirming that there is no grace period for entities still using the EU-US Privacy Shield for data transfers from the EU to the US.
Many US based tech companies rely on the EU-US Privacy Shield. The decision has forced these companies to recalibrate their privacy policies and terms and conditions. In lieu of the EU-US Privacy Shield, tech companies, including Box, Fitbit and cloud software company Domo, have updated their data transfer agreements to include the SCCs and sent email or in-app notifications to impacted customers to review and execute these.
What should organisations be doing now to comply with this decision and the GDPR?
Organisations covered by the GDPR should begin taking the following steps to ensure they are compliant with this decision:
- Review your data processing agreements which involve data being transferred to countries outside of the EEA, and identify the circumstances of, and mechanisms for, such data transfers.
- If you are using the EU-US Privacy Shield, put in place alternative mechanisms for data transfers as soon as possible (such as SCCs or, for intra-group transfers, Binding Corporate Rules (BCRs)).
- If your organisation is using SCCs or BCRs, do not rely on using these mechanisms alone to meet the GDPR’s data transfer requirements. The data importer needs to undertake an assessment as to whether the law of the country where the data importer is based provides adequate protection for personal data. Australian-based companies will need to undertake an analysis of Australian law.
- If your assessment is that the laws of the country may not provide adequate protection, consider whether other supplementary measures could be implemented. The EDPB and other supervisory authorities are expected to publish further guidance on what other supplementary measures should be taken.
- Consider whether any derogations under Article 49 of the GDPR apply. For instance, is the transfer necessary for the performance of a contract, or can explicit consent be obtained from the data subject (after informing the subject of the risks)? Derogations can be a good alternative, but are not always easy to rely on.
This judgment could potentially impact the lawfulness of transfers to any other non-EEA country that has not achieved adequacy status, including Australia. As such, data importers (organisations receiving data transfer from the EEA) should consider taking the following steps:
- Review your data transfer agreements with organisations based in the EEA, and identify the circumstances of, and mechanisms for, data transfers from the EEA.
- Be prepared for the data exporter to be in touch, as they are now required to ask you to undertake an assessment as to whether your country’s laws will provide adequate protection for personal data.
- Where necessary, you may be asked to enter into additional clauses and supplementary measures to supplement the SCCs/BCRs.
Want to read more on GDPR developments?
Maddocks has a team of GDPR experts and has also published several chapters on complying with the GDPR in the Lexis Nexis Practical Guide to Cyber Security Data Protection & Privacy (Australian chapters).