ECJ case again upsets data transfers between the EU and the USA

02 November 2020

The European Court of Justice has for a second time invalidated a framework intended to permit transfers of personal data between the European Union and the United States. This is likely to again tighten the focus of EU based organisations on the data protections that can be offered by Australian organisations which receive personal data from the EU.

Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf decided that the EU-US Privacy Shield could not be regarded as providing an adequate level of data protection. (The Privacy Shield was developed after the EU-US Safe Harbour Principles were declared invalid in a 2015 ECJ case (Schrems I), in which Mr Schrems was also the complainant.)

The decision in Schrems II raises questions about how organisations that are subject to Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) will comply with the GDPR’s stringent obligations when there is a need to disclose personal data outside the EU.

The GDPR:

  • Imposes obligations on any organisation, wherever it is located, that offers goods or services to, or monitors the behaviour of, people in the EU (Article 3); and
  • Mandates that personal data may only be transferred out of the EU where it will continue to receive a level of protection essentially equivalent to that guaranteed by the GDPR. Those protections include, amongst others, the requirement that data is only processed on a lawful basis, such as the data subject’s consent (Article 6), a right of erasure (Article 17), a right to have a controller restrict its processing of the data (Article 18) and a right to lodge a complaint with a supervisory authority (Article 77).

In essence, the transfer of personal data can only be made:

  • On the basis of an adequacy decision (Article 45), being a decision of the European Commission that a third country, a territory or sector within it, or an international organisation ensures an adequate level of protection; or
  • Where the data is subject to appropriate safeguards (Article 46), such as the standard contractual clauses approved by the European Commission in Decision 2010/87/EU (adopted under Directive 95/46/EC)1 or binding corporate rules which have been approved by the competent supervisory authority.2

As Australia has never been the subject of an adequacy decision, the standard contractual clauses will usually be the only practical basis for a transfer of personal data to an Australian organisation.

In Schrems II, Maximilian Schrems, an Austrian citizen, had provided his personal data to Facebook Ireland Ltd, which transferred it to Facebook Inc. in the United States in reliance on the standard contractual clauses. The referring Irish court also asked whether the “Privacy Shield”, the adequacy decision then applying to transfers to the United States, was valid. Presidential Policy Directive 28 (PPD-28) effectively allows US authorities to collect personal data by ‘bulk’ collection and does not grant data subjects any actionable rights before the courts. This was found to contravene EU protected freedoms in Article 7 (Respect for private and family life), Article 8 (Protection of personal data) and Article 47 (Right to an effective remedy and to a fair trial) of the Charter of Fundamental Rights of the European Union. In the course of the proceedings the US Government had conceded that PPD-28 does not afford data subjects actionable rights before the courts.

As a result, the Court declared the Privacy Shield invalid. Article 45(2)(a) of the GDPR requires that, in assessing whether a third country provides adequate protection, account be taken of whether data subjects have effective and enforceable rights and effective administrative and judicial redress; in the Court’s view the Privacy Shield did not ensure a level of protection essentially equivalent to that guaranteed within the EU. The Court upheld the validity of the standard contractual clauses decision, but held that an exporter relying on those clauses must verify, before transferring, that the law of the destination country does not prevent the importer from complying with them, and must suspend the transfer if it does.

The decision makes clear that where information subject to the GDPR is transferred outside the EU, the lawfulness of the transfer will depend on whether the rights guaranteed by the GDPR are supported in practice by the laws of the destination jurisdiction, and not merely by the contract between the parties. Organisations based in or carrying on business in the EU face significant penalties if they do not ensure that personal data is handled appropriately, both by themselves and by the organisations to which they disclose it. When dealing with Australian counterparties, EU based organisations are therefore more likely to insist on strict compliance with the standard contractual clauses at note 1, and to scrutinise whether Australian law would prevent the counterparty from complying with them.

This article was written by James Moore, Partner and Kim Yen Nguyen, Solicitor.


1 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087
2 Article 47(1) GDPR.
