The Schrems II decision and the future of Standard Contractual Clauses

Introduction
On 16 July 2020, the Court of Justice of the European Union (The Court) handed down it’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II).  In this case privacy activist Max Schrems complained to the Irish Data Protection Commissioner concerning Facebook’s transfer of personal data out of the EU. The Irish Data Protection Commissioner found in favour of Schrems and the case eventually made its way to the highest court of appeal in Europe.

Privacy Shield Invalidated
The big take out for US based companies is that the Court has invalidated the Privacy Shield scheme. This scheme regulated to data transfers between the EU and the US so that these transfers were GDPR compliant. Privacy Shield was introduced after its predecessor, the Safe Harbour framework, was invalidated by the Court in 2015 after Schrem’s first challenge.

Standard Contractual Clauses
Of much greater significance to Australian businesses are the observations made by the Court concerning the Standard Contractual Clauses (SCCs).

What are the Standard Contractual Clauses?      
The SCCs are standard terms which are designed to protecting personal data leaving Europe and being transferred to jurisdictions that do not adequately protect the rights and freedoms of data subjects. Australia privacy law is not considered provide adequate protection. 

For Australian Companies, the SCCs are important in two situations:  

  • The first is where an Australian company falls within the GDPR’s jurisdiction as a data controller. If that company’s operations involve moving data from Europe to Australia, they will usually need to adopt the SCCs (or consider other mechanisms such as Binding Corporate Rules).

  • The second – and much more common – situation is where an Australian company is acting as a Data Processor for a European Data Controller pursuant to a data processing agreement. Such agreements have usually annexed the SCCs where the Data Processor is based outside of Europe.    

What did the Court say about the clauses?
The CJEU’s decision stated that SCCs were valid in principle, but only if companies using them: 

  1. conduct due diligence on the company; and

  2. conduct due diligence on the country’s law and practice to ensure that data is protected in a manner equivalent to that guaranteed in the EU. 

These due diligence requirements are onerous.  

Moreover, in situations where the SCCs conflict with the obligations of the country’s law, the Data Controller must suspend data transfers. This means that careful examination needs to be undertaken by all companies relying on the SCCs to ensure that safeguards implemented fulfil requirements set out in the GDPR. 

What are the implications going forward?
The Schrems II decision has consequences for all company relying on SCCs as their primary mechanism for transferring their data outside the EU as it could be suspended or prohibited. As SCCs are preferred route of many companies, this decision has left unclear how they should navigate the legal systems of countries outside the EU to ensure adequate compliance with the GDPR requirements. This will inevitably involve a detailed analysis of the Australian legal framework to ascertain whether equivalent protection with the GDPR currently exists and whether additional contractual protections are required. 

If you control the personal data of individuals located in Europe and rely on the SCCs, it would be prudent to re-assess whether the privacy law environment in Australia offered adequate protection to the rights and freedoms of those individuals.  

If you are a GDPR Data Processor, thought should be given to establishing a process that would allow European clients to efficiently undertake the requisite due diligence. 

If you would like further advice on the applicability of the SCCs or the GDPR to your business please contact out privacy and data security law specialist Sam Hartridge