
International data transfers: The Schrems II decision

Joanna Hayward
6 August 2020 at 09:49


International transfers of personal data are under the spotlight again following a recent decision of the European Court of Justice that reviewed the legal means of transferring personal data from the EU to the United States: Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020).

The Schrems litigation has again sent international shock waves in striking down a key EU/US arrangement designed to facilitate data flows known as the Privacy Shield.

Schrems I 2015

To recap, the first Schrems decision of the European Court (2015) was concerned with a complaint by the Austrian privacy advocate Max Schrems about Facebook transferring his personal data to the United States under EU law, relying on the Safe Harbour arrangement between the EU and the US in place at the time.

Mr Schrems argued that the Edward Snowden revelations about United States intelligence agencies indicated a lack of protection against surveillance under US law. In this case, the CJEU invalidated the Safe Harbour arrangement due to a lack of adequate safeguards required under EU law.

More information about the first Schrems decision is available here on our blog.

Following the first Schrems decision, the EU and US negotiated a replacement arrangement in 2016, known as the Privacy Shield. This was developed as a new recognised basis for data flows to meet the requirements of EU law.

Schrems II 2020

The recent Schrems II decision is concerned with the validity of the Privacy Shield. The European Court has now declared this EU/US arrangement is also invalid.

US surveillance powers were again a key issue. The Court considered that certain programmes enabling access by US authorities to personal data transferred from the EU for national security purposes create limits on the protection of that personal data. These limits mean there is a lack of protection that is “essentially equivalent” to EU law, and that data subjects do not have actionable rights before the courts against US authorities.

Standard contractual clauses

The Court in Schrems II also examined the validity of standard contractual clauses as a means of transferring personal data. Transfers on this basis have not been invalidated, but the Court emphasised the obligations on the parties to verify whether there are impediments to complying with these provisions and, if so, the necessity for considering supplementary measures.

More information about Schrems II is available from the European Data Protection Board.

Does the decision affect personal data transfers between the EU and New Zealand?

Not directly, because transfers of personal data from the EU to New Zealand are conducted on the basis of the adequacy decision in place (article 45 of the EU General Data Protection Regulation).

The European Commission formally ruled in December 2012 that New Zealand’s privacy law provided an ‘adequate level’ of privacy protection to meet European standards.

This adequacy status means that personal data can legally be sent here from Europe for processing without special additional measures being taken by the European companies.

But the influence of this decision on international data transfers more generally is likely to be significant, and we will be monitoring developments in this area and its impact on international consensus building. The Court’s decision is a significant development in the context of international data transfers and is likely to have a lasting impact on the international framework for data flows.

Model contract clauses in New Zealand

We will also be considering the decision in Schrems II as we develop model contract clauses under the new Privacy Act 2020. Now that the new Privacy Act 2020 has been passed (coming into force on 1 December 2020), New Zealand has new limits on international transfers of personal information (new IPP 12).

One way to comply with the new IPP 12 will be by adopting model contract clauses to safeguard personal information when disclosing it to a foreign counterpart or business. 

We have commissioned Chapman Tripp to work with us to develop a set of standard model contractual clauses that will be available free of charge to all businesses needing to transfer personal information to parties in other jurisdictions.

Image credit: Laptop with European Union logo via Norton Rose Fulbright
