CJEU Invalidates Privacy Shield; OKs Standard Contractual Clauses Subject to Greater Scrutiny

Troutman Pepper

On July 16, 2020, the Court of Justice of the European Union (CJEU), the supreme court of the European Union on matters involving European Union law, issued its long-anticipated decision in the “Schrems II” case (case C-311/18) and invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield). The CJEU found that the Privacy Shield failed to provide “effective administrative and judicial redress for the EU data subjects whose personal data are being transferred.” The CJEU also concluded that the use of standard contractual clauses (SCCs) remains a valid mechanism for the transfer of personal data to processors outside of the EU, but cautioned that companies must police their SCCs to ensure adequate protections for EU data subjects.

Background

The Schrems II case involves a challenge by Austrian privacy activist Max Schrems to the use of SCCs as a legal basis to transfer personal data from the EU to the U.S. Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects. In 2015, in the Schrems I case, the CJEU invalidated the U.S.-EU Safe Harbor Framework, in part because of similar concerns that Mr. Schrems raised about the level of protection the U.S.-EU Safe Harbor Framework afforded EU data subjects. Following Schrems I, the Privacy Shield was quickly put in place by U.S. and EU officials. The Privacy Shield provides a set of principles to protect the personal data of EU data subjects. SCCs are contractual obligations between the exporter and importer of personal data that require each party to provide adequate protections for the personal data transferred between them; by contrast, companies joined the Privacy Shield by self-certifying, and publicly committing to, compliance with the Privacy Shield’s principles. The Privacy Shield is used by over 5,300 companies as the legal basis to transfer personal data from the EU to the U.S.

The CJEU’s Advocate General previously issued a non-binding opinion in December 2019 regarding Mr. Schrems’ current challenge to the Privacy Shield, which upheld the validity of SCCs and recommended that the CJEU not directly rule on the issue of the Privacy Shield’s validity. However, the Advocate General did describe concerns with the Privacy Shield as a data transfer mechanism and questioned the European Commission’s conclusion that U.S. surveillance laws do not infringe the privacy rights of EU data subjects whose information has been transferred pursuant to the Privacy Shield.

Decision

The CJEU did not follow the Advocate General’s guidance regarding the Privacy Shield. Instead, it analyzed the Privacy Shield and ruled that it is invalid. The CJEU found that the protections of personal data from access and use by U.S. authorities are not “essentially equivalent to those required under EU law, by the principle of proportionality, in so far as” surveillance by U.S. authorities is broader than what is permitted in the EU and is not limited to what is strictly necessary. In particular, the CJEU noted that Section 702 of the U.S. Foreign Intelligence Surveillance Act authorizes U.S. authorities to engage in surveillance programs based on annual certifications prepared by the Attorney General and the Director of National Intelligence that the programs relate to the objective of acquiring foreign intelligence information, but such certifications do not cover whether “individuals are properly targeted to acquire foreign intelligence information” in the first place. The CJEU also found that the Privacy Shield does not grant data subjects actionable rights before the courts against the U.S. authorities who engage in surveillance of data subjects, and therefore does not provide a remedy for violations equivalent to EU law’s protections of the fundamental privacy rights of its citizens.

The CJEU then addressed SCCs and generally followed the Advocate General’s non-binding opinion, finding that SCCs provide adequate protections for EU data subjects. Like the Advocate General, the CJEU also stated that EU organizations that use SCCs have an obligation to proactively ensure, prior to any transfer, that there is in fact an adequate level of protection. The CJEU suggested that data exporters may implement additional safeguards that go beyond those in the SCCs to ensure such an adequate level of protection. Additionally, the CJEU noted that the SCCs require data importers to inform data exporters if they are unable to comply with the SCCs, at which point the data exporter is required to suspend transfers if there are no other safeguards in place that would provide an adequate level of protection. Finally, the CJEU stated that supervisory authorities may suspend transfers if “they take the view that the SCCs are not or cannot be complied with” in a particular country.

The U.S. Department of Commerce immediately responded to the CJEU’s decision, with U.S. Secretary of Commerce Wilbur Ross stating that the Department will “remain in close contact with the European Commission and European Data Protection Board” and “hope to limit the negative consequences [of the decision] to the $7.1 trillion transatlantic economic relationship.”

Next Steps for Businesses

  • Organizations that currently rely on the Privacy Shield as the legal basis for the transfer of personal data from the EU to the U.S. are advised to move away from the Privacy Shield, and to reevaluate international data flows into the organization to determine the best mechanism to use for each. In the short term, SCCs or specific derogations for certain purposes, such as consent, may be used. Longer term, organizations may seek to put in place binding corporate rules (BCRs). However, BCRs apply only to the transfer of data within the organization itself and require regulatory approval that can take years to obtain.

  • Because derogations are narrow and BCRs take significant time and expense to implement, the CJEU decision is likely to drive organizations to use SCCs where that transfer mechanism is available. The European Commission has been working on updating the SCCs to align them with the GDPR, which took effect in May 2018, long after the current form of the SCCs was approved by the European Commission. Companies should follow European Commission actions relating to SCCs and keep good contracting records so that SCCs can be replaced by updated versions if and when needed. In the meantime, consider supplementing SCCs with a process to follow if a party cannot comply with the SCCs because of a government access request.

  • Additionally, businesses should anticipate greater collective redress/class actions by individual data subjects. To better prepare, companies should document their efforts to adequately protect the privacy and security of EU data subjects.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
