Maximillian Schrems is two-for-two. Or, as Austrian complainant Schrems puts it, “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law.”
Thanks to a different legal challenge from Schrems, in its 2015 Schrems decision, the Court of Justice of the European Union (CJEU) had already invalidated the previous Safe Harbor framework governing personal data flows between the EU and United States. Now, in a July 16 judgment, the CJEU has invalidated Safe Harbor’s data protection-enhanced reincarnation, Privacy Shield, in a decision colloquially termed Schrems II.
Specifically, the court invalidated Decision 2016/1250, the European Commission’s 2016 decision that Privacy Shield was adequate to enable data transfers under EU law. The recent CJEU decision also flew in the face of the commission’s subsequent three years’ worth of reports confirming that Privacy Shield passed muster. It is worth noting, though, that the commission has not always approved of Privacy Shield, with a specific sticking point being the commission’s belief in the need for a permanent ombudsperson—as emphasized in its second review—that could better fill the role of “tribunal” within the meaning of Article 47 of the EU Charter. This disagreement is pertinent to the questions of judicial review and recourse that arose in Schrems II.
The Schrems II decision means that the EU-U.S. Privacy Shield framework is now an insufficient mechanism to ensure compliance with EU data protection requirements. This decision is a thorn in the side of the “$7.1 trillion transatlantic economic relationship” between the EU and the U.S., and it affects more than 5,300 Privacy Shield participants. (For more on the U.S. and geopolitical ramifications of the Schrems II decision, see here and here.)
The CJEU also ruled on the other means through which companies establish compliance with EU data protection rules. The court ruled valid Commission Decision 2010/87 on standard contractual clauses (SCCs) for personal data transfer to third-country processors. What are the consequences of that ruling? It means, in principle, that personal data transferred subject to these contractual obligations between data controllers and data processors is still sufficiently protected (notably, the decision did not consider SCCs for controller-to-controller transfers; see Decision 2001/497/EC and Decision 2004/915/EC). In other words, SCCs can still be a valid way to ensure data protection. However, the CJEU’s overall reasoning does call into question the future utility of SCCs as a panacea for international data sharing. Per Schrems II, the court is requiring new case-by-case due diligence on the part of companies, and tech companies and other firms are issuing divergent opinions about what this change means for their current customers and partners.
There’s been much talk about the impact of the ruling on U.S.-EU data transfers. But what will the impact of Schrems II be for the U.K., especially after the end of the Brexit “transition period” that expires December 31?
For the U.K.’s part, the government voiced its disappointment in the invalidation of Privacy Shield but has expressed support for the court’s determination regarding SCCs. The U.K. Information Commissioner’s Office, the arm of the government charged with upholding information rights in the public interest, notes that it is “considering the judgment” and is “stand[ing] ready to support UK organisations.” The office also commented that it “will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” While it reviewed its guidance regarding Privacy Shield and SCCs, the office initially asked that those currently using Privacy Shield for U.K.-U.S. transfers continue to do so, but that no new users begin to employ the framework. However, it has now updated its statement to point U.K. controllers and processors to new European Data Protection Board guidance on the topic. So, what does Schrems II actually mean for the U.K.?
EU/EEA-U.K. Data Transfers
According to the most current numbers on the subject, 75 percent of U.K. cross-border data flows are with the EU. Until Dec. 31, 2020, the end of the Brexit transition period, data transfers between the U.K. and the EU/European Economic Area (EEA) remain regulated by the General Data Protection Regulation—this is the same as EU/EEA data transfers for any EU member state. And in its 2018 Data Protection Act, the U.K. implemented much of the General Data Protection Regulation anyway, codifying into domestic law many components of EU privacy law.
But the Schrems II decision nonetheless calls into question two of the U.K.’s most commonly used mechanisms for data transfers with the EU post-2020.
What does Schrems II mean for an EU adequacy decision for the U.K.?
The U.K. has several options for EU/EEA-U.K. data transfers after the transition period ends. The first—and, until Schrems II, most likely—is that the U.K. receive an “adequacy decision” from the European Commission certifying that the U.K. provides an “essentially equivalent” protection standard in comparison to those in the EU. Twelve countries already have adequacy decisions with the EU (before Schrems II, the U.S. Privacy Shield framework was the 13th).
Unfortunately for the U.K., the European Commission does not automatically provide adequacy decisions for countries exiting the EU. However, both a November 2018 EU-U.K. nonbinding draft political declaration and a January 2020 presentation published by its Task Force for Relations with the United Kingdom confirmed that the commission was planning to assess the U.K.’s standards on the basis of the EU’s adequacy framework by the end of 2020. Interestingly, in his February written statement on U.K./EU relations, Prime Minister Boris Johnson spoke of the U.K.’s view that the EU’s assessment on data adequacy is “technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.” In the same statement, Johnson also confirmed the U.K.’s future plans to develop “separate and independent policies” in areas including data protection. Such separate policies could pose a challenge for the U.K.
However, the Schrems II decision has cast doubt on the likelihood of the European Commission’s granting an adequacy decision. This compounds concerns that arose after the chair of the European Data Protection Board noted in June a number of potentially problematic U.K.-U.S. data-sharing agreements that would need to be factored into the EU’s evaluation of U.K. data protection safeguards. Remember, the Schrems II decision invalidated Privacy Shield for two essential reasons. First, the Court determined that:
[N]either Section 702 of the [Foreign Intelligence Surveillance Act], nor [Executive Order] 12333, read in conjunction with [Presidential Policy Directive 28], correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary (¶184).
Essentially, this means that the protection of personal data transferred from the EU into the U.S. would not satisfy EU requirements. Second, the court found that EU citizens do not have available means to contest a decision, nor rights actionable in courts to obtain effective remedy in a way substantially equivalent to those required under EU law. The court explicitly noted that this was a reference to the introduction of a permanent Privacy Shield ombudsperson in 2019—announced in January, and confirmed by the U.S. Senate in June—after months of calls from the EU. Specifically, the court determined that the Privacy Shield ombudsperson “cannot be regarded as a tribunal within the meaning of Article 47 of the Charter” (¶168).
The full impact of Schrems II on an EU adequacy decision for the U.K. will not be realized until the U.K.’s domestic data policies—including its Data Protection Act, Investigatory Powers Act, and Data Protection, Privacy and Electronic Communications Regulations—are evaluated by the European Commission before the end of the year. The Investigatory Powers Act, in particular, could cause trouble. Nicknamed the “Snoopers’ Charter,” the act’s predecessor legislation was ruled unlawful by a U.K. court for provisions related to “access to retained data” in January 2018. And in April 2018, the U.K. High Court found the power it gave the U.K. government to order communications data to be stored with private companies breached citizens’ right to privacy. Although the High Court did not find the law incompatible with the Human Rights Act (the U.K.’s domestic implementation of the General Data Protection Regulation) in a July 2019 decision, U.K. rights group Liberty is appealing that decision.
With the European Parliament and European Data Protection Supervisor having already questioned whether U.K. laws are up to par and warning of the “obstacles” any further deviation from EU law might pose, Schrems II perhaps represents a further nail in this proverbial data coffin.
And complicating this all is the U.K.’s role in the Five Eyes alliance, especially if this decision is to be read as a broader European reaction against the surveillance culture predominant in a number of countries, including the U.S.
What does Schrems II mean for standard contractual clauses between the U.K. and EU?
A second option, if the U.K. can’t receive an adequacy determination, would be to allow individual data controllers and processors to adopt their own adequate protections for personal data transfer out of the EU, using standard contractual clauses or binding corporate rules (see General Data Protection Regulation Article 45.3, as referenced in Article 46). (For the European Data Protection Board’s most recent information on post-Brexit binding corporate rules, see here and here.)
In upholding the validity of SCCs in principle, the court in Schrems II mainly followed the CJEU advocate general’s nonbinding opinion, issued in December 2019, and said that SCCs do provide sufficient protection for EU personal data. (Kenneth Propp covered that opinion for Lawfare here.) But EU law does require those controllers or processors relying on SCCs “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses” (¶134). This aspect of the decision means that entities using SCCs must assess and ensure, on a case-by-case basis, that recipient country laws are sufficient to protect personal data. If they are insufficient, entities must adopt additional safeguards before the data can be transferred. It is unclear whether companies will have the financial means or technical expertise to do so, and it is also difficult to say which EU regulatory authority could provide companies with the assurance that such an individual transfer would be lawful. The European Data Protection Board notes that it endeavors to provide more information on these and related topics in due course.
What about U.K. to EU/EEA data transfers?
U.K.-U.S. Data Transfers
Despite the U.K.’s having left the EU on Jan. 31, much EU law still applies to the U.K. until the Brexit “transition period” is over at the end of the year. As such, until Schrems II, Privacy Shield had enabled many U.K.-U.S. data transfers and, as I mentioned earlier, continued to enable existing Privacy Shield certified data importers until the Information Commissioner’s Office published its newer guidance.
Beginning in the new year, the U.K. and the U.S. could technically continue use of Privacy Shield—an option that the U.S. Privacy Shield website currently contemplates. This is because Schrems II does not bind the U.K. after it completes the transition period. Of course, choosing to maintain Privacy Shield with the U.S. would likely have ramifications for the EU-U.K. relationship, as the EU might worry about the “onward transfers” of its own citizens’ data—from the U.K. on to the U.S.—through a mechanism just ruled invalid in Schrems II.
A further option would be an unrestricted data flow agreement—an option endorsed by the United States. See here for a discussion of other prospects for a U.K.-U.S. trade deal, all of which remain formally still on the table even after Schrems II.
So, what’s next? Concerned parties will anxiously wait for advice and interpretation from the Information Commissioner’s Office, EU member state data protection authorities, the European Data Protection Board and the European Commission.
And what of the CLOUD Act, the 2018 U.S. act providing cross-border communications data access? This act both provides U.S. law enforcement agencies access to foreign stored communications data and enables federal officials to enter into executive agreements that allow foreign governments to request access to data stored in the U.S. (Some civil society organizations have raised concerns about this arrangement.) The U.S. has already concluded one such agreement with the U.K. It is likely too early to predict the decision’s effect on the CLOUD Act, though the U.K.-U.S. CLOUD Act Agreement has only just entered into force. If past is prologue, this might be an area for future worry: a 2018 European Parliament resolution calling for Privacy Shield’s suspension also expressed concerns about the CLOUD Act’s potential conflict with EU data protection laws.
Although Schrems II will certainly affect the U.K.’s future data protection landscape, the decision’s effects on the nation are not as catastrophic as some observers may have feared. However, seen alongside the end of the Brexit transition period, big changes might be in store for the U.K. But, in a welcome reprieve for the Anglophiles in the room, at least at this point, Schrems has joked that he will steer clear of the “craziness” of Brexit.