Data Flows: What’s Really at Stake in the “Schrems II Case”
The transfer of data is an integral part of our digitised economy and society. But in Europe, there are only a few ways to send personal data overseas. In fact, the vast majority of companies in Europe can only use two instruments to transfer data, and one of them, EU-approved model contracts, is now at risk of being invalidated by the EU Court of Justice. Yet those model contracts are arguably the most vital instrument for Europe to remain globally competitive and avoid data isolation.
Last week, the EU Court of Justice (CJEU) held a hearing in a case referred by the Irish High Court. The case originally involved Facebook’s Standard Contractual Clauses (SCCs) to transfer European citizens’ personal data to the United States. SCCs are model contracts designed by the European Commission whereby firms must provide appropriate safeguards when transferring data outside the EU. SCCs are used by thousands of European and international companies across the world for their commercial and internal operations, from payroll and HR, to providing real-time customer services, online communications, online payments, and more.
In short, the Irish data protection authority did not take issue with Facebook’s own SCC but rather the instrument as a whole. The Irish judge referred the matter to the EU Court of Justice and enquired whether the SCC decision of the European Commission provides sufficient safeguards to protect European citizens’ data whenever it leaves European soil. Critically, the Irish High Court conflated the test of legality of SCCs with that of an adequacy review of the country of destination.
If the Court accepts the premise put forth by the Irish judge, the CJEU could decide to invalidate SCCs and potentially look into the validity of the EU-U.S. Privacy Shield in doing so. This could have grave implications for the continuity of digital services in Europe. That would include most of the visible parts of digital services Europeans enjoy today, e.g. mobile apps, social networks, search engines, websites, cloud-based software used by public authorities and businesses, as well as the hidden chunk of the Internet, from content delivery network services to cloud infrastructure.
The reality on the ground is that SCCs have been widely used by thousands of companies in Europe and across the world to transfer data overseas, in part because unlike country-specific adequacy decisions, SCCs can be used globally and it should not matter whether the country of destination benefits from an adequacy decision. As a matter of law, the GDPR allows standard data protection clauses as “appropriate safeguards” precisely “in the absence of an (adequacy) decision” (Article 46(1)). It is then the sole responsibility of the parties to the contract to determine and implement sufficient protection during and after the data is transferred to any third-country jurisdiction. It should be up to the data protection authority (DPA) to enforce this contract, and in the worst-case scenario, suspend data transfers should the safeguards not be appropriate or should the DPA demonstrate that (a) data subjects cannot exercise their rights, and (b) they do not have effective legal remedies to seek redress.
In other words, SCCs should not be susceptible to changes of laws or practices of foreign jurisdictions that would otherwise materially affect their adequacy status.
This is another reason why SCCs have become increasingly popular across industries as uncertainties around adequacy decisions emerge. Take for instance the EU-U.S. Safe Harbor adequacy decision. When the EU Court of Justice invalidated this instrument back in 2015, most companies quickly turned to SCCs to ensure the uninterrupted flow of personal data between the EU and the United States and service continuity in the EU. Similarly, if the Commission does not consider the UK post-Brexit to be offering adequate protection, whether it’s in the short or longer term, SCCs become the default solution. In fact, European data protection authorities on both sides of the channel have explicitly recommended using SCCs to maintain data flow between the EU27 and the UK.
On paper, there are other instruments beyond SCCs and adequacy decisions to transfer European personal data, including Binding Corporate Rules and a few limited derogations to international data transfer rules of the GDPR. But in practice, they are either particularly onerous and only affordable for a select few companies, or they are simply unfit for large-scale and repetitive transfers such as processing of HR and payroll data, or any kind of processing for commercial purposes. This reflects the industry understanding of the EU’s data protection rules and what European data protection authorities have consistently and strongly advised.
All in all, the possible invalidation of SCCs would leave the thousands of European and international firms with few possibilities of transferring data abroad. Despite the European Commission’s recent pledge to review the adequacy of other countries, SCCs remain a crucial instrument for Europe to remain globally competitive and avoid data isolation.