Despite three annual reviews by European Union Commissioners, the European Court of Justice (CJEU) invalidated the Privacy Shield and called into question many transfers of personal data pursuant to the Standard Contractual Clauses on July 16. At stake are transfers of EU personal data to thousands of U.S. companies that rely on personal data being transferred from the EU. The case is colloquially known as “Schrems II” as it is the second case involving Maximillian Schrems (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). Mr. Schrems’ first case resulted, in 2015, in the invalidation of the EU-US Safe Harbor, the Privacy Shield’s predecessor.
The CJEU’s rationale in Schrems II hinges primarily on U.S. law enforcement access to EU personal data (i.e., via the Foreign Intelligence Surveillance Act) and EU individuals’ lack of meaningful rights to redress against U.S. authorities. The CJEU also raised the lack of independence of the Privacy Shield Ombudsman, who is appointed by the U.S. Secretary of State (but could be removed at any time) and is not vested with any power to enforce decisions against U.S. intelligence agencies. It likely did not lend credence to the U.S. taking privacy seriously that it did not appoint a permanent Privacy Shield Ombudsman for a couple of years after the Privacy Shield came into effect.
As to the Standard Contractual Clauses (“SCCs”) promulgated by the European Union, the CJEU found the SCCs to be valid in principle, subject to various factors and conditions. Specifically, the court reiterated that the safeguards to be taken by the controller or processor must be “capable of ensuring that data subjects whose personal data are transferred to a third country pursuant to the SCCs are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed” within the EU. A recipient of EU personal data outside of the EU must therefore inform the data exporter of any circumstance that would prevent it from complying with the SCCs, and in such cases, as highlighted by the CJEU, the data exporter must suspend the transfer. The CJEU also called out the role of the relevant supervisory authority to prevent such transfers, which, practically speaking, is not only unrealistic but likely to lead to a fragmented application of the GDPR. Companies are cautioned not to adopt a “sign it and forget it” approach with SCCs – which is too often the case in practice. As a result, data exporters in the EU must carefully consider and document the laws of the data importer’s country (e.g., the U.S.), along with the type of personal data at issue and the importer company’s history of being subject to U.S. National Security requests for data. Certain types of personal data and industries are subject to such requests at higher rates than others. Depending on the case-by-case analysis, if the SCCs are used, additional terms may need to be added. EU exporters will also likely request logs or information as to the importer’s history in relation to U.S. National Security requests.
U.S. companies that relied on the Privacy Shield and/or the SCCs must review their data processing contracts and determine how to move forward. At the core of this ruling is the conflict between the U.S. government’s inherent ability to request and access personal data of EU data subjects and the protections of the GDPR – and this conflict will not simply “vanish” where companies switch from relying on the Privacy Shield to a different transfer mechanism such as the SCCs. It’s also important to note that the court’s analysis applies to any third country or territory outside of the EU that is not deemed adequate. For some companies with complex transfers, this will require quite a bit of renewed data mapping and legal analysis. Aside from beefing up SCCs based on an analysis of the validity of the transfer, derogations or exceptions must be considered. However, derogations are intended for one-time transfers, and so the decision leaves wide gaps for businesses that constantly and consistently transfer data. Other options, of course, for companies that have the resources, include relocating all personal data to the EU and ensuring that data is only accessed from the EU (lest we forget what constitutes a restricted transfer), or entering into Binding Corporate Rules for multinational corporations, international organizations, and groups of companies making intra-organizational transfers of personal data across borders.
We expect that EU regulators and/or the European Data Protection Board (EDPB) will offer more guidance as to how to strengthen the SCCs in due time. Given that the SCCs have not been updated to account for the GDPR, we hope that this will speed up the EU’s revisions to the SCCs, as it has been working to issue a new set of SCCs to address the GDPR. Thus, it appears likely that companies will end up entering into enhanced SCCs and then have to update them yet again once the EU issues a new GDPR set of SCCs. We also expect to see Data Protection Authorities in the EU indicate those countries where importers should not rely on the SCCs. Indeed, just a day after the Privacy Shield decision, Berlin’s Data Protection Commissioner issued a statement effectively stating that EU controllers should not transfer any data to the U.S. under the SCCs and that data should remain localized in the EU.
It should be noted that the Department of Commerce has stated that U.S. companies will still be required to continue to treat personal data collected under the Privacy Shield in accordance with the Privacy Shield Principles and continue to follow such principles.