On July 16, 2020, the Court of Justice of the European Union (CJEU) released its ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II). The CJEU’s ruling states that the EU-U.S. Privacy Shield is invalid but upholds the validity of Standard Contractual Clauses (SCCs) as a legal transfer mechanism for transatlantic data transfers, provided that the parties to the data transfer verify that the level of protection in the destination country ensures adequate protection under European Union (EU) law, and if not, implement safeguards in addition to those provided in the SCCs. Organizations that rely on the EU-U.S. Privacy Shield for data transfers to the United States (U.S.) will need to immediately implement alternative transfer mechanisms. It is unclear whether the EU Data Protection Authorities will permit a grace period before enforcement of the CJEU’s decision.
In response to the decision, the U.S. Department of Commerce, which administers the Privacy Shield program, stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List, and that the decision does not relieve participating organizations of their Privacy Shield obligations. It is unclear what benefit exists to companies that continue to participate.
The General Data Protection Regulation 2016/679 (GDPR) permits personal data transfers to non-EU countries if the third country ensures an adequate level of data protection. In the absence of an adequacy decision, a transfer may take place if appropriate safeguards are implemented and data subject rights are enforceable. The EU-U.S. Privacy Shield Framework was a 2016 agreement between the EU Commission and the U.S. Department of Commerce, which permitted data transfers between the jurisdictions and provided a mechanism to comply with data protection requirements of the GDPR.
The Legal Dispute
The Schrems II case originated from the 2015 CJEU decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (Schrems I), which invalidated the EU-U.S. Data Protection Safe Harbor decision from 2000 (Safe Harbor) for the transfer of personal data from Europe to the U.S. The suit was brought by an Austrian privacy activist, Max Schrems, a Facebook user who challenged the legality of Facebook’s handling of his personal information under European privacy law.
Schrems later filed a complaint with the Irish Data Protection Commissioner, challenging Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook servers in the U.S. The Irish Data Protection Commissioner, who investigated Schrems’ complaint, brought proceedings against Facebook. In Schrems II, the Irish Data Protection Commission argued that the SCCs did not constitute an adequate level of protection of personal data because they lacked suitable safeguards against U.S. government surveillance. Ireland’s High Court referred questions to the CJEU on the validity of the SCCs as well as the EU-U.S. Privacy Shield Framework.
The CJEU confirmed the European Commission’s Decision 2010/87/EU is valid and that the EU SCCs provided appropriate safeguards for international transfers of personal data. The CJEU emphasized the existing obligation incumbent on both data exporter and importer to verify there is an effective level of protection prior to a data transfer. EU organizations may implement additional safeguards over and above those contained in SCCs to ensure an adequate level of protection for transferred personal data. If there is an inadequate level of protection, the data exporter or importer must suspend the transfer and/or terminate the contract.
The CJEU held that the EU-U.S. Privacy Shield does not include satisfactory limitations in order to ensure “essentially equivalent” protections of EU personal data to those found in the EU. The CJEU noted that the Privacy Shield could not prevent access and use of personal data by U.S. government authorities. The CJEU also held that the EU-U.S. Privacy Shield does not provide individuals with any cause of action, and the Ombudsperson mechanism in particular does not provide substantially equivalent guarantees to those required by EU law. The CJEU questioned the Ombudsperson’s independence and observed a lack of authority to make binding decisions on U.S. intelligence services. The CJEU therefore invalidated the EU-U.S. Privacy Shield Decision, which, with immediate effect, can no longer be relied upon for EU-U.S. data transfers.
Next Steps to Legitimize EU-U.S. Data Transfers
- Adopt Alternative Safeguards. If your business relied on its Privacy Shield certification to transfer personal data from the EU, you should evaluate whether an alternative transfer mechanism, including the SCCs or Binding Corporate Rules (BCRs), will provide adequate safeguards for the continued transfer of the personal data.
- Evaluate Local Laws in Recipient Country. Businesses should evaluate the local privacy laws in the country to which EU personal data is transferred and determine whether safeguards exceeding those set forth in the SCCs are required under the Schrems II decision.
- Uphold Privacy Shield Commitments. If your business is certified under EU-U.S. Privacy Shield, maintain your commitments. The U.S. Department of Commerce affirmed in its July 16 press release that it will uphold current certifications, and the U.S. Federal Trade Commission is still actively monitoring compliance and privacy representations.
- Monitor EU DPA Guidance. EU data protection authorities (DPAs) are issuing statements in response to the decision and taking positions regarding data transfers. If your company is specifically concerned about data transfers from a particular EU member state, monitor guidance issued by the DPA in the relevant member state. The European Data Protection Board is also likely to issue guidance concerning the legality of data transfers to the U.S.
- Monitor U.S. Department of Commerce Guidance. The Department is evaluating the CJEU’s decision and could issue further guidance to organizations certified under the EU-U.S. Privacy Shield at any time.
- Evaluate Service Provider Agreements. If your business engages a service provider or vendor who utilizes the EU-U.S. Privacy Shield as its transfer mechanism to move personal data from the EU to the U.S., ask the service provider to enter into a revised agreement which adds the SCCs and any additional safeguards required to comply with the Schrems II decision.
- Revisit Customer Agreements and Data Protection Addendums. Customer agreements and data protection addendums will need to reflect the new data transfer mechanism relied upon by the business to perform legal data transfers and include an executed copy of the SCCs. In addition, customers may request more robust safeguards in the customer agreement or data protection addendum in order to address individual EU member state privacy laws.
- Enhance GDPR Data Protection Program. Customers are likely to seek assurances that the SCCs are supported in practice. Businesses should ensure their GDPR compliance programs, including all internal policies and procedures, mirror the SCCs provisions, and where necessary, add additional safeguards to comply with the privacy laws of individual EU member states.
The invalidation of the EU-U.S. Privacy Shield will have implications for future data transfers between the European Union and the United Kingdom after the post-Brexit transition period expires on December 31, 2020. The CJEU reasoned that U.S. surveillance practices supported the invalidation of the EU-U.S. Privacy Shield. In 2018, the European Court of Human Rights found that the United Kingdom had breached human rights protections in its mass surveillance program, which was afforded legitimacy by the Regulation of Investigatory Powers Act (RIPA). The United Kingdom’s surveillance practices could pose a threat to the legitimacy of any possible or future data transfer agreement between the United Kingdom and the EU.