On 16 July 2020, the Court of Justice of the European Union (“CJEU”) struck down the framework of the EU-US Privacy Shield (“Privacy Shield”) (in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18, commonly known as “Schrems II Judgment”) whilst reiterating that the Standard Contractual Clauses (“SCC”) issued by the European Commission (“Commission”) before the EU General Data Protection Regulation (“GDPR”) came into force enabling the transfer of personal data from data controllers established in the EU to data controllers and processors outside of the EU were still valid.
The Cross-border / boundary Data Transfer
The GDPR provides that the transfer of personal data to a third country may, in principle, take place only if the destined country ensures an adequate level of protection afforded by the GDPR. Such a mechanism is largely similar to that of section 33 of the Personal Data (Privacy) Ordinance (“PDPO”), though not yet in force. The Commission may find the laws of a third country ensure an adequate level of protection by way of an adequacy decision (e.g. the Privacy Shield) (Article 45 of the GDPR). Alternatively, such a transfer may take place if the transferor established in the EU has provided appropriate safeguards, for instance, by adopting the SCC promulgated by the Commission; coupled with the fact that the data subjects have enforceable rights and effective legal remedies in that third country (Article 46(1) and 46(2)(c) of the GDPR).
The invalidation of the Privacy Shield
The Privacy Shield was formulated to facilitate transatlantic transfer of personal data from the EU to the US, after the CJEU had invalidated the US-EU Safe Harbour Framework (in Case C362-14, commonly known as “Schrems I Judgment”) in October 2015.
In the present judgment, the CJEU declared the Privacy Shield (in Decision 2016/1250) invalid as it considered that a level of protection essentially equivalent to that required by the GDPR could not be afforded to EU citizens when read in light of the EU Charter of Fundamental Rights (“Charter”) for respect of private and family life, personal data protection and the right to effective judicial protection. The two major findings by the CJEU in these respects are:- (i) the absence of clear limitations imposed upon the access to personal data transferred from the EU by the US surveillance authorities; and (ii) the lack of avenues of judicial redress for EU citizens.
The CJEU observed that the statutory provisions and rules on surveillance programmes of the US did not indicate clear limitations on the powers that they conferred to implement those programmes, or the existence of guarantees targeted at non-US persons and hence being contrary to the principle of proportionality concerning interference with fundamental rights. The CJEU further observed that EU citizens were not given actionable rights before the Courts against the US authorities. The lack of effective judicial protection for EU data subjects further led to the invalidation of the Privacy Shield by the CJEU.
The validity of the SCC
The CJEU considered that the SCC formulated by the Commission in the pre-GDPR era (in Decision 2010/87), when viewed from the perspective of the GDPR concerning appropriate safeguards, enforceable rights, effective legal remedies and the Charter in particular, still offered an adequate level of protection to the individuals required under the GDPR.
In arriving at the conclusion, the CJEU stressed that assessment of the appropriate level of protection required looking into:- (i) the contractual clauses agreed between the data exporter in the EU and the recipient of the personal data in the third country; and (ii) the possibility of an access by the public authorities of the third country to the data transferred including the relevant aspects of the legal system of that third country.
In contrast with its analysis of the Privacy Shield, the CJEU considered that the SCC had in practice incorporated effective mechanisms to the extent that there was nothing to affect the validity of the Commission’s decision even though the SCC did not bind authorities of third countries. The CJEU further considered that the SCC provided a mechanism such that supervisory authorities in the EU might suspend or prohibit the transfer if compliance with the SCC or protection required under the EU law could not be guaranteed; and the SCC remain in principle a valid transfer mechanism. In contrast, given that such mechanism was not practicable under the Privacy Shield even in circumstances where it was believed that the personal data protection might be undermined by the US surveillance activities, the Privacy Shield was considered as failing to provide adequate protection to EU citizens.
The way forward
With the Schrems II Judgment whereby the CJEU declared the Privacy Shield as invalid, it appears that any future data transfer from the EU to the US can only be made pursuant to some other arrangements, such as the SCC and binding corporate rules. In such circumstances, the burden will rest upon data controllers to critically evaluate the circumstances of their transfer, including the adequacy of protection in the third country to which the data will be transferred and the parties processing the data. The US Department of Commerce and the European Commission are known to have initiated discussions around mid-August to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the Schrems II Judgment. We shall wait and see how the EU and the US will react in facilitating transatlantic transfer of personal data in future.
On a different note, it is observed that contractual clauses are commonly adopted in cross-border / boundary data transfer from companies in Hong Kong to an outside jurisdiction. While section 33 of the PDPO has not yet come into operation, we are now reviewing the “Guidance on Personal Data Protection in Cross-border Data Transfer” with a view to updating the same.