One of the most important data protection related news this summer is the European Court of Justice's judgment in Schrems II case published on 16th of July (Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, and Maximillian Schrems).

The judgment contains the following main findings:

• the Privacy Shield Decision (i.e. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield) is invalid;
• Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries (i.e. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council) is valid. However, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country. 

What does the judgment mean in practice?

Under the GDPR, personal data may only be transferred to a third country or to an international organization if the protection of personal data is ensured after the transfer to an adequate level equivalent to that within the European Union (see Chapter V of the GDPR). The conditions for the lawfulness of data transfer can be ensured by data controllers and data processors in several different ways. The easiest way of transferring data if there is an adequacy decision regarding the country where the data is transferred to (GDPR, Article 45). If there is no adequacy decision in place, another frequently used tool is the so-called standard data protection clauses (GDPR, Article 46 (1) c)). 

One of the legal bases for the transfer of data to the United States was the so-called Privacy Shield. This provided a mechanism to ensure an adequate level of protection even in the case of transfers of personal data to the US. (It replaced the Safe Harbor adequacy decision after it was also declared invalid by the European Court of Justice in 2015 in the Schrems I case.)

Given that the Privacy Shield has been invalidated by the Court, personal data may no longer be transferred to the US based on this adequacy decision. (There are currently 5,390 organizations on the Privacy Shield list.)

The judgment also states that another key means of data transfer to the US, the standard data protection clauses remain valid. That is true, but the Court has also ruled 

That validity depends, however, on whether, in accordance with the requirement of Article 46(1) and Article 46(2)(c) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. (Judgment, Point 137)

The Court finds

[....] that the SCC Decision provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them. (Judgment, Point 148)

However, it means that 

[....] decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. (Press release, p. 3)

The transfer based on standard data protection clauses (SCC) cannot therefore be automatic either, but must be preceded by an assessment on the adequacy of the level of protection in the third country.

The case was based on data transfers by Facebook (as in the Schrems I case). This means that the adequacy decision regarding US and the level of data protection in the United States have been scrutinized in the first place. However, the findings of the judgment go far beyond the scope of transfers to the US and in the case of transfers to any third country, it is necessary to examine whether the level of protection is adequate. This effect of the judgment is highlighted also by several data protection authorities in their first communication on the judgment. For example, the Berlin Data Protection Commissioner pointed out that similar concerns may arise in relation to transfers of data to China, Russia and India ("Auch bei der Übermittlung von Daten in andere Staaten wie etwa China, Russland oder Indien wird zu prüfen sein, ob dort nicht ähnliche oder gar größere Probleme bestehen.") The EDPB draws attention to the fact that "if the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."

What about binding corporate rules (BCRs) and other transfers subject to appropriate guarantees (Article 46 of the GDPR)?

The judgment itself deals with the Privacy Shield and the SCC. However, it should not be forgotten that it also sets out aspects that should be taken into account in case of the application of other data transfer mechanisms. The wording of the judgment also indicates that, in the absence of a decision on adequacy (or when it is invalid) and in the absence of appropriate guarantees under Article 46, derogations for specific situations under Article 49 of the GDPR may be considered. (According to paragraph 202 of the judgment; "[...] the Court notes that, in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR"). Attention is also drawn to Article 49 of the GDPR in the statement of the European Data Protection Board and to the fact that it has previously issued guidelines on its application (Guidelines no. 2018/2).

Can supervisory authorities prohibit the transfer of data?

Yes, it can happen. Article 4 of Commission Decision 2010/87 explicitly states that "[....] the competent authorities in the Member States may exercise their existing powers to prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data in cases where:

• it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses;
• a competent authority has established that the data importer or a sub-processor has not respected the standard contractual clauses in the Annex; or
• there is a substantial likelihood that the standard contractual clauses in the Annex are not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects." (Article 4)

Based on Article 58 (2) of hte GDPR, supervisory authorities also have the power to order the suspension of data flows to a recipient in a third country or to an international organisation.

The Board's press release also addresses this possibility, and several data protection authorities highlight the role of supervisory authorities in relation to international data transfers.

What should data controllers do now?

Data controllers should review their international data transfers, taking into account Schrems II judgment. Of course, data transfers to the US should be given special attention, especially if they are based on the Privacy Shield or SCC, but the review should not be limited to transfers to the US, as the findings of the judgment are much more widely applicable.

It is worth carefully analyzing which mechanism can serve as a basis for data transfer under Article 46 of the GDPR (in the absence of an adequacy decision, as it is already the case for the US according to the judgment). Consideration should be given to the adequacy of the level of protection in the country of destination (e.g. whether there is any legislation that allows public bodies to access data processed under the GDPR in a similar way to the US). It is important to emphasize that in the case of the US, it is also necessary to examine which organizations are subject to legislation that allows data to be made available under the state surveillance program (e.g. the Foreign Intelligence Surveillance Act; FISA), because in such cases, the applicability of SCC or other Article 46 mechanisms can also be questioned.

If, in the absence of an adequacy decision, the mechanisms under Article 46 cannot be applied either (because, for example, the level of protection is not sufficient for transfers under the SCC), derogations for transfers in specific situations may apply (see Article 49 of the GDPR). However, these need to be examined on a case-by-case basis, as the European Data Protection Board also points out. (In connection with the derogations applied in special situations, it is worth conducting the assessment in accordance with the Board's guidelines no. 2018/2). 

What can be expected from the authorities?

Several authorities and the European Data Protection Board have also published their primary reactions. These typically refer to the need for a deeper analysis of the judgment (see, for example, the statement of CNIL); however it seems from the supervisory authorities' communications that in the future, there may be more  attention to international data transfers.

Does the judgment affect transfers of data to the United Kingdom?

With regard to Brexit, after the transitional period, the United Kingdom should also be treated as a third country for the purpose of data transfers from the EU. The judgment in Schrems II case will have effect on how data can be transferred to the UK and what aspects the Commission should consider in an adequacy decision. (The UK Government also responded to the ruling in a brief statement ("UK Government response to the European Court of Justice decision in the Schrems II case"), highlighting the importance and economic role of international data transfers.

Does the judgment affect data transfers between Switzerland and the US?

The judgment does not directly affect the mechanism allowing the transfer of data between Switzerland and the US, however, the Swiss Data Protection Authority indicated that it examines the judgement in detail and comments on it in due course.

Is this a step towards European data sovereignty?

The judgment raises the question of what indirect or long-term effects are to be expected. It is obviously difficult to give an exact answer to this, but the more cumbersome and risky nature of international data transfers may give a boost to the processing of personal data within the EU and the use of European data assets locally, in line with the Commission's data strategy published in February and initiatives such as GAIA-X project, launched by its initiators as a step towards a European digital ecosystem and technological sovereignty. From the comments of the authorities published on Schrems II judgment, the title of the press release issued by the Berlin Data Protection Supervisor speaks for itself: "Nach „Schrems II“: Europa braucht digitale Eigenständigkeit" that means 

"After Schrems II: Europe needs digital independence".

Further useful resources

• Collection of statements from supervisory authorities on Schrems II at OneTrust's DataGuidance website: International: Schrems II: What you need to know, and Europe: Data protection authorities react to Schrems II judgment
• Collection of guidence issued by the DPAs from HoganLovells: EU Data Exports After Schrems II – Guidance by data protection authorities
• EDPB's statement (17.07.): Statement on the Court of Justice of the European Union Judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
• EDPS' statement (17.07.): EDPS Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”)
• noyb's (Mr. Schrems' NGO) page on data transfer to the US: EU-US Data Transfers
• Commission's first reaction to the judgment (16.07.): Opening remarks by Vice-President Jourová and Commissioner Reynders at the press point following the judgment in case C-311/18 Facebook Ireland and Schrems
• International law frims' first assessments of the judgment: e.g. HoganLovells, Morrison Foerster, CMS, Bird&Bird
• Summaries on IAPP's homepage: CJEU invalidates EU-US Privacy Shield; SCCs remain valid, and The 'Schrems II' decision: EU-US data transfers in question