Barely one month after the Court of Justice of the European Union (CJEU) issued its Schrems II decision striking down the EU-U.S. Privacy Shield Framework (Privacy Shield), Austrian privacy activist Max Schrems has filed 101 complaints with 30 different EU regulatory bodies alleging that dozens of well-known companies in e-commerce, telecommunications, banking, higher education, and other industries are improperly continuing to transmit data to U.S. companies like Google and Facebook in violation of the Schrems II decision and EU data privacy laws. The complaints represent an effort by Mr. Schrems and his nonprofit organization, NOYB (None of Your Business), to leverage the Schrems II decision to prohibit transfers of personal data from the EU to the United States and other countries, which he argues do not have adequate levels of protection in place. 

Given the number of European regulatory bodies involved and the complexity of the legal questions at issue, it is possible that a patchwork of regulatory responses could develop across the continent over the coming months and years. As a result, companies seeking to navigate this rapidly changing legal landscape—especially large technology companies and cloud-based service providers—should perform a thorough internal risk assessment, consult experts to develop comprehensive compliance strategies, and identify and implement best practices as they develop over time.

Background

The 101 regulatory complaints represent the most recent examples of coordinated legal action by Mr. Schrems and NOYB to advance EU privacy protections over personal data. Leading up to these filings, Mr. Schrems had filed litigated two important decisions in Schrems I and Schrems II, which raised concerns about the adequacy of protection afforded to EU citizens whose information is transferred to the United States.

In Schrems I, decided on October 6, 2015, Mr. Schrems successfully petitioned the CJEU to invalidate the U.S.-EU Safe Harbor Framework (Safe Harbor), which had been in place since 2000, and provided a legal basis for EU entities to transfer personal data to the U.S. The CJEU invalidated Safe Harbor, finding U.S. legislation (1) failed to afford EU data subjects sufficient legal remedies, (2) authorized the storage of all EU personal data without differentiation or limitation based on specific objectives, and (3) failed to limit interference with individual privacy rights to what is strictly necessary, among other reasons. Following the invalidation of Safe Harbor, the U.S. and EU adopted the EU-U.S. Privacy Shield Framework, in order to ensure adequate protections were in place for the transfer of personal data sent from the EU to the U.S. U.S. Companies participated in EU-US Privacy Shield by self-certifying with the Department of Commerce and publicly committing to compliance with Privacy Shield’s safety and security principles. Before Schrems II, more than 5,300 companies were using the EU-U.S. Privacy Shield Framework as the legal basis to transfer personal data from the EU to the U.S. 

In Schrems II, decided on July 16, 2020, Mr. Schrems petitioned the CJEU to invalidate EU-U.S. Privacy Shield. [1] The CJEU invalidated EU-U.S. Privacy Shield on the basis that the Privacy Shield failed to provide protections that were “essentially equivalent” to the protections afforded to EU residents, including “effective administrative and judicial redress for the EU data subjects whose personal data are being transferred.” In particular, the CJEU found that U.S. surveillance programs conducted pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333 do not grant surveilled individuals adequate rights of redress before an independent and impartial judicial body, as required by Article 47 of the EU Charter of Fundamental Rights. The CJEU also found that the bulk data collection practices by or on behalf of U.S. intelligence agencies pursuant to Section 702 of FISA and Executive Order 12333 lacked proportionality, as required by EU law, including the General Data Protection Regulation (GDPR).

The CJEU also concluded in Schrems II that although Standard Contractual Clauses (SCCs) remain a valid alternative mechanism for transferring personal data outside of the EU, companies relying on SCCs must nevertheless self-police to ensure adequate protections for EU data subjects, as required under the GDPR. SCCs are a set of contractual agreements between the exporter and importer of personal data that are issued by the European Commission, and require each party to provide adequate protections for the personal data transferred between them. If an importer of EU data is not able to comply with the SCCs, the importer must inform the data exporter, at which point the data exporter must suspend data transfers if there are no other safeguards in place that would provide an adequate level of protection. In other words, any EU organizations that use SCCs have an affirmative obligation to proactively ensure, before any transfer of data, that there is in fact an adequate level of protection as informed by EU law.

New Regulatory Complaints

Mr. Schrems’s new regulatory complaints are intended to leverage the CJEU’s holdings in Schrems II, with respect to both the invalidation of EU-U.S. Privacy Shield and the affirmative obligations of companies relying on SCCs to provide adequate data privacy protections, in order to further expand the privacy rights and protections afforded to EU data subjects. The complaints allege that the named EU companies are erroneously continuing to rely on the invalid EU-U.S. Privacy Shield, to engage in cross-border data transfers. The complaints also allege that, based on an analysis of the HTML source code contained in their webpages, the named EU companies are improperly continuing to use Google Analytics or Facebook Connect, despite the fact that both Facebook and Google are subject to U.S. surveillance laws, again contrary to the CJEU’s decision in Schrems II. Specifically, the complaints contend that EU companies continuing to rely on SCCs when transferring personal data to Google and/or Facebook servers in the United States cannot be doing so lawfully because Google and Facebook are subject to U.S. surveillance laws such as FISA 702, which violate fundamental privacy rights recognized in the EU.

Over the coming months and possibly years, the EU Data Protection Authorities (DPA) located in each EU member state will be tasked with investigating the complaints and determining whether to take action against any of the named data-exporting companies. The new complaints should put pressure on DPAs to provide further guidance on the use of SCCs going forward. They also should serve as motivation for EU and U.S. regulators to agree upon a new framework for the lawful cross-border transfer of data from the EU to the U.S.

That said, a consistent and coordinated response to the complaints is unlikely. Given the number of European regulatory bodies involved and the complexity of the legal questions at issue, it is possible that a patchwork of regulatory responses could develop over the coming months and years. In the interim, affected companies may be forced to continue operating with significant uncertainty as they attempt to navigate the EU regulatory landscape.

The CJEU’s Schrems II decision and the recent wave of regulatory complaints that Mr. Schrems filed may prompt the European Commission to release updated SCCs with additional protections for EU data being transferred to the U.S. The European Commission last issued SCCs applicable to transfers of data from EU controllers to non-EU or EEA controllers in 2004, and issued SCCs applicable to transfers of data from EU controllers to non-EU or EEA processors in 2010, so both are due for an update. The issuance of updated SCCs, if sufficiently comprehensive, could help to ameliorate the current uncertainty surrounding whether and under what circumstances reliance on SCCs will be sufficient to comply with Schrems II, the GDPR, or other aspects of EU privacy law. 

Conclusion

Ultimately, Schrems II and the recently filed regulatory complaints will force the EU and U.S. to develop and implement a successor to EU-U.S. Privacy Shield. In the interim, however, without the benefit of predictable data protection framework, companies involved with importing personal data from the EU face significant regulatory risks and compliance challenges. To address these risks and compliance challenges, Troutman Pepper’s Cybersecurity, Information Governance and Privacy Practice Group has been working with clients on the use of lawful grounds to effectuate cross-border transfers including the expanded use of SCCs with protocols for internal risk assessments to ensure adequate protections exist for EU data subjects whose data is transferred to the United States. Other alternatives include keeping EU data on servers in the EU as well as scrutinizing and limiting the data of EU subjects transferred to the U.S. only to what is minimally necessary and/or de-identify or anonymize personal data prior to such transfer.

[1] Troutman Pepper previously issued guidance in response to the CJEU’s Schrems II decision and regulatory responses resulting from the invalidation of Privacy Shield. See CJEU Invalidates Privacy Shield; OKs Standard Contractual Clauses Subject to Greater Scrutiny, available at https://www.troutman.com/insights/cjeu-invalidates-privacy-shield-oks-standard-contractual-clauses-subject-to-greater-scrutiny.html (July 17, 2020); Regulators React to Invalidation of Privacy Shield, available at https://www.troutman.com/insights/regulators-react-to-invalidation-of-privacy-shield.html (August 13, 2020).