Landmark ruling by the Court of Justice of the EU (CJEU) concerning the transfer of personal data outside the EU

The CJEU recently handed down a landmark decision concerning the transfer of personal data by organisations in the EU to ‘third country’ processors. This decision dramatically affects the way in which data service providers and organisations operate from here on out. In particular, the court ruled on the validity of standard contractual clauses (SCCs) for cross-border data transfers, which are the most commonly used mechanism for overcoming the restriction on transfers of personal data outside of the EU. In summary, the court ruled that SCCs are a valid and appropriate measure for safeguarding transfers of personal data; however, data protection authorities in the EU can prohibit or suspend transfers under these SCCs if the third country’s legal system does not provide a level of personal data protection equivalent to that in the EU.

Background of the Ruling

This important ruling stems from the ‘Schrems I case’, in which a complaint was lodged against Facebook Ireland attempting to prohibit the transfer of personal Facebook data (and that of EU citizens generally) to the United States. The complainant essentially challenged Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc in the U.S. This was asserted on the basis that SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as the GDPR.

In this case, the High Court of Ireland referred certain questions to the Court of Justice for a preliminary ruling, which, on 6 October 2015, declared the decision of the High Court invalid on the basis that sufficient protection was offered by the U.S. Mr Schrems was then requested to reformulate his complaint, in which he sought prohibition of the future transfer of personal Facebook data from the EU (Ireland) to the U.S. Again, certain questions were referred to the Court of Justice for a preliminary ruling, which mainly grappled with whether the EU Commission’s SCCs were an effective mechanism for cross-border transfers to processors in third countries without adequacy status (a status granted by the EU Commission to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law).

The Court of Justice was also requested to rule on:

(i) whether the GDPR applies to transfers of personal data pursuant to the SCCs;

(ii) what level of protection is required by the GDPR in connection with such a transfer; and

(iii) what obligations are incumbent on supervisory authorities in those circumstances.

The Decision of the CJEU

Firstly, the Court of Justice ruled that the GDPR does in fact apply to the transfer of personal data for commercial purposes from an EU member state to a processor in a third country (even if processed for the purpose of national or public security).

Secondly, in terms of the level of protection, the Court of Justice ruled that the third country to which data is transferred must offer at least the same level of protection as that guaranteed by the EU under the GDPR. This determination shall take into account several factors relating to the contractual clauses agreed between the two commercial operators and the legislative framework of the third country involved.

Thirdly, the Court ruled that, in the absence of a valid adequacy decision by the Commission, the relevant supervisory authorities are required to suspend or cancel a transfer of data if the SCCs are not or cannot be complied with in the third country concerned.

What does this mean for my organisation which transfers personal data?

The SCCs can still be used to transfer data outside of the EU; however, organisations now face significant due diligence requirements to determine the adequacy of the protection of certain data streams. The burden rests on organisations relying on this mechanism to conduct their own assessments and to be able to evidence this for every data stream to each third country concerned. It is expected that these due diligence requirements will entail, among other things, assessing the application of surveillance laws, government access, individual rights, and the technical and legal solutions available in each third country to protect the personal data concerned.

What can I do to protect my organisation?

It is important for organisations to critically review and evaluate their GDPR compliance programme, as well as the current data transfers taking place throughout their supply chains and group structure. This will allow you to understand to which countries data is being transferred and the particular mechanism relied upon, which, in the absence of transfers to the US, will most likely be the SCCs.

After you have determined which mechanisms are relied upon and have an inventory of all data streams, it is important to look into (considering the multitude of factors mentioned above) the overall package of data protection offered by the third country compared to the standards of the EU and the GDPR.

For assistance with these and other related issues, please contact Blenheim’s corporate team.