On July 16, 2020, the Court of Justice of the European Union held that the EU-US Privacy Shield (the “Privacy Shield”), the privacy framework—used by over 5,300 companies to meet the European Union’s (“EU”) data protection requirements when transferring personal data from the EU to the US—is invalid. However, the court held that standard contractual clauses (“SCCs”) adopted by the European Commission are valid, but with major caveats. The consequences of this decision cannot be overstated. These consequences are already felt both by organizations that have relied on the Privacy Shield and organizations that routinely enter into SCCs to transfer personal data from the countries of the European Economic Area (“EEA”) to the US and worldwide.
In this Alert, we will:
- briefly offer some context for how Shrems II decision1 came about;
- note some of many key points made by the court; and
- identify some practical actions companies can consider now while awaiting guidance from the EU data protection authorities.
The General Data Protection Regulation (“GDPR”) is the EU’s principal data protection regulation governing the processing and transfer of EU residents’ personal data. Under the GDPR, personal data may be transferred from the EU to third countries only if at least one of three conditions are met:
- the European Commission, the executive body of the EU, decides that the third country has an adequate level of protection (an “adequacy decision”);2
- in the absence of an adequacy decision, the personal data exporter provides “appropriate safeguards” by using, in pertinent part, the European Commission’s SCCs;3 or
- in the absence of an adequacy decision or appropriate safeguards, data is transferred pursuant to specific situations permitted under the GDPR.4
The United States Department of Commerce and the European Commission designed the Privacy Shield together in order to help facilitate the transfer of data between the EU and the United States. And in 2016, the European Commission issued an adequacy decision finding that the Privacy Shield provided an adequate level of protection to enable data transfers under EU law.
In Schrems II, Maximillian Schrems, a European privacy advocate, lodged a complaint with the Irish supervisory authority, seeking to prohibit personal data from being transferred from Facebook Ireland to Facebook, Inc. in the United States. Citing to government surveillance programs primarily authorized under the Foreign Intelligence Surveillance Act (“FISA”), Schrems argued that the US’s laws and practices do not offer sufficient protection to transfer data to the US.
The court noted that, in general, in order to transfer personal data from the EU to third countries, these countries must provide an adequate level of protection essentially equivalent to those provided under EU law. After examining the European Commission’s 2016 adequacy decision, the court concluded that the Privacy Shield does not provide this adequate level of protection in light of FISA, the GDPR, and the fundamental rights and freedoms established under the Charter of Fundamental Rights of the European Union. The court explained that the requirements of US national security, public interest, and law enforcement have primacy, and therefore condone interferences with the rights of persons whose personal data are transferred to the US. The court explained that the US surveillance programs and the access and use of EU personal data by US public authorities are not limited to what is strictly necessary. Also, EU data subjects are not provided with any cause of action or other judicial redress that would offer guarantees essentially equivalent to those required by EU law. For these reasons, the court held that the Privacy Shield was invalid.
Despite the court’s decision, the United States Department of Commerce has stated that they “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield frameworks and maintaining the Privacy Shield list” and that the court’s decision “does not relieve participating organizations of their Privacy Shield obligations.”5
The court did hold that SCCs are still valid and may be used to permit the lawful transfer of personal data from the EU to the US, although reliance on SCCs for transfers to the US would seem to raise the same concerns about US surveillance laws as did the Privacy Shield. At least that’s the position taken by Max Schrems in his interpretation of the court’s decision: US companies will be hard pressed to satisfy their compliance obligations with the SCCs.6
But the court went to some length to explain what is expected when relying on SCCs for a lawful transfer. Data exporters and recipients are required to verify, prior to initiating a transfer of personal data, whether the receiving country provides a level of data protection essentially equivalent to the GDPR. Data recipients are required to inform the data exporter if they are unable to comply with the SCCs. If they are not, then the data exporter is required to suspend the transfer of data or terminate the contract with the recipient. The court also emphasized the role of the EU Member States’ data protection authorities in enforcing compliance with the terms of the SCCs.
There are other mechanisms available to lawfully transfer personal data from the EU to the US, including Binding Corporate Rules ("BCRs") for intra-company transfers and “derogations” for specific situations,7 such as transfers with the data subject’s explicit and informed consent or transfers necessary for the performance of a contract between the data subject and the data controller. However, these each carry serious restrictions and appear to present the same potential for problematic US government surveillance as the Privacy Shield and SCCs. Still, these may be useful alternatives in specific situations and may be looked to by the various Member States’ data-protection authorities as they grapple with the commercial disruption created by the Schrems II decision.
Although predicted by prescient observers, the Court of Justice of the European Union has thrown a grenade into transatlantic personal data transfers and thrown down a gauntlet to US law makers to change US national security surveillance law and practices. Where does that leave the “average” business or organization (i.e. apart from Facebook and the telecommunications and internet service companies that are directly subject to legal process under FISA) that are trying to keep doing business as usual? While we wait and see what guidance the EU data protection authorities may publish, here are some short-term considerations:
- If your company has relied on the Privacy Shield for intra-company and/or third-party transfers, the privacy pundits and commentators recommend maintaining compliance because:
- US, UK and Switzerland have not invalidated the Privacy Shield and will be issuing guidance
- There is some possibility of a grace period
- The court did not criticize the commercial protections of the Privacy Shield, which remain strong evidence of the importer’s good faith efforts to protect the data.
- Prepare to enter into appropriate SCCs to cover transfers formerly made in reliance on the Privacy Shield, even though there are serious questions about their long-term efficacy.
- Inventory and review your existing third-party contracts that have (or should have) SCCs in place (i.e. involve transfers of personal data from the EEA to the US and other countries that do not have an adequacy determination under the GDPR); confirm that the contract formalities are fully observed (accurately completed and executed); work with contract counter-parties to enter into SCCs where none are currently in place.
- Start planning for case-by-case assessments. The court identified case-by-case assessments as a way to support a decision to rely on SCCs for each transfer. Those assessments will need to be well-documented and demonstrate the parties’ understanding that they are accountable for their obligations under the SCCs. The case-by-case assessment should cover how the specific data to be transferred is protected from foreign government intrusion, both legally and practically.
- Assess your data transfers in light of national security surveillance concerns. There are protections the importer and exporter should consider now when relying on SCCs, including:
- Implementing strong encryption of the personal data while in transit
- Determining whether the types of transferred data have not historically been sought by the government for national security purposes and are not likely to be of interest in the future for national security purposes
- Evaluating data flows to pinpoint the use of third-party telecommunications and internet hosting subprocessing services (directly subject to legal process under FISA).
- Consult with data protection counsel about available strategies including alternative mechanisms that may be appropriate for specific data transfers such as adopting BCRs, relying specific situation derogations, seeking pre-approval of additional data protection provisions for SCCs, and even localization of data processing where feasible.
We will continue to monitor the response of US and EU authorities to the Schrems II decision and the impacts on US organizations. For more information about this decision and steps you can take to continue to transfer personal data in light of this decision, contact the authors of this alert.
- Data Protection Commissioner v. Facebook & Max Schrems Case C-311/18 (“Schrems II”).
- GDPR, Art. 45.
- GDPR, Art. 46.
- GDPR, Art. 49.
- GDPR, Art. 49.