Decision in Schrems II (Data Protection Commissioner v Facebook Ireland Ltd) (European Court of Justice) – 16 July 2020

Under the GDPR, data may only be transferred to a “third country” (ie outside the EEA) where, broadly,

  • there is a European Commission adequacy decision
  • there are appropriate safeguards in place, such as standard contractual clauses (“SCCs”) or binding corporate rules, or
  • the data subject has given their explicit consent.

In the original case, Mr Schrems challenged Facebook’s transfer of his personal data to the US, broadly on the basis that it would not be appropriately protected from US intelligence surveillance. The CJEU agreed, declaring the Commission’s adequacy decision on the protection provided to personal data by the US “safe harbour” privacy principles to be invalid. As a result, the Commission adopted the EU-US Privacy Shield for subsequent data transfers to the US.

Following a reformulated complaint from Mr Schrems, the CJEU has now decided that the Commission decision on controller-to-processor SCCs is valid, so these can continue to be used. However, the transferor must ensure that the data subjects are “afforded a level of protection equivalent to that guaranteed within the EU” by the GDPR. The CJEU explained that this requires the transferor to consider both the contractual clauses it has agreed and, “as regards any access by the public authorities of [the] third country to the personal data transferred, the relevant aspects of [its] legal system”.

The CJEU also took the further step of declaring the Commission’s Decision on the adequacy of the Privacy Shield to be invalid as, in brief, US national security requirements were still given primacy.

This decision impacts data transfers to the US. While SCCs may still be used, any pension schemes making such transfers should liaise with their administrators to ensure that appropriate protections are in place.

The ICO has issued a statement which explains that it is considering the judgment and states that it is “ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”. A note on the ICO’s Privacy Shield webpage states that organisations currently using the Shield should continue to do so until new guidance is available, but that organisations not currently doing so should not start to use it during this period.