On July 16, 2020, the Court of Justice of the European Union (“ECJ”), the EU’s highest court, issued a judgment which (i) immediately invalidated the EU-U.S. Privacy Shield Framework (“Privacy Shield”) and (ii) upheld the validity of Standard Contractual Clauses (“SCCs”), albeit with new obligations on data controllers and processors. As a result, Privacy Shield is no longer a valid mechanism for transferring EU personal data to the U.S.
“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield,” the ECJ stated in announcing its judgment in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18 (“Schrems II”).
The Privacy Shield was challenged in a long-running dispute between Facebook and Austrian privacy activist Max Schrems, who has campaigned about the risk of U.S. intelligence agencies accessing Europeans’ data once it has been transferred to the U.S. The ECJ found that “the requirements of U.S. national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” It concluded that the safeguards put in place for EU data subjects in the U.S., such as an ombudsperson role to handle complaints from the EU, did not meet the required legal standard of “essential equivalence” with EU law, in particular because the ombudsperson was neither sufficiently independent of the executive nor able to issue decisions binding on the intelligence agencies.
This is the second time that the ECJ has invalidated an EU-U.S. arrangement for the transfer of EU personal data to the U.S. In October 2015, the ECJ invalidated the “Safe Harbor” framework (Schrems I, Case C-362/14), which led to the subsequent Privacy Shield framework.
This judgment has significant ramifications for any business transferring EU personal data outside the European Economic Area (EEA). The ruling effectively ends the privileged access U.S. companies had to EU personal data, putting the U.S. on a similar footing to other nations outside the EEA, which means such transfers are likely to face closer scrutiny than before. The roughly 5,300 U.S. businesses that previously relied upon the Privacy Shield as a valid transfer mechanism for EU personal data must immediately pivot to an alternative, with SCCs the most likely substitute for now.
Not surprisingly, the U.S. Department of Commerce expressed its disappointment with the ruling, stating that it would “continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” Similarly, U.S. Secretary of State Mike Pompeo said that he was “deeply disappointed” by the ECJ’s ruling, adding that the U.S. would continue to work closely with the EU to find a mechanism “to enable the essential unimpeded commercial transfer of data from the EU to the [U.S.]” Note that continued self-certification under the Privacy Shield does not make a transfer lawful under EU law; it only preserves a company’s commitments under U.S. law. In the meantime, impacted businesses are left scrambling in the wake of the immediate invalidation of the Privacy Shield to ensure lawful transfers of affected data.
Background on EU Personal Data Transfer Mechanisms
By way of background, transfers of EU personal data to countries outside the EEA, including the U.S., are not permitted unless made pursuant to an approved transfer mechanism that complies with EU data protection requirements (Chapter V of the GDPR). Such transfer mechanisms include:
- EU Model Clauses/Standard Contractual Clauses (“SCCs”) - These are model data protection contractual clauses approved by the European Commission that are attached to a commercial contract between the data exporter and the data importer. They must be adopted as written (the parties may add terms, but not ones that contradict the clauses).
- Binding Corporate Rules (“BCRs”) - These are intra-group global procedures used for international transfers within multinational corporations, international organizations and groups of companies. Under the GDPR they are approved by the group’s competent (lead) supervisory authority through the consistency mechanism. However, the time, effort and costs associated with BCRs make them impractical for all but the largest multinational corporations.
- Adequacy decision from the European Commission - An adequacy decision means that the European Commission has decided that a country outside the EEA or an international organization ensures an adequate level of data protection for EU personal data.
- Article 49 derogations (including consent) – These are narrow exceptions under Article 49 of the EU General Data Protection Regulation (“GDPR”) that apply in the absence of an adequacy decision or appropriate safeguards: the data subject has explicitly consented to the specific transfer after being informed of the risks (Article 49(1)(a)), or the transfer is “necessary” for one of the listed purposes, such as performance of a contract with the data subject or the establishment, exercise or defense of legal claims. The derogations are interpreted restrictively and are not intended to support regular, systematic transfers.
- EU-U.S. Privacy Shield Framework (Note: this mechanism was invalidated by Schrems II)
Adequacy of SCCs Called into Question
The ECJ’s decision also cast doubt on whether SCCs, on their own, can deliver the appropriate level of protection for EU personal data transferred outside the EEA. Although the ECJ found that SCCs remain valid, they are no longer automatically sufficient safeguards for data transfers, so an organization should re-assess any transfer of personal data outside the EEA made on the basis of SCCs.
Although SCCs were not invalidated by the ECJ’s ruling, the ECJ warned that transfers under SCCs must be suspended if the guarantees in them cannot be upheld. The ECJ indicated that the data exporter (the controller, or the processor in sub-processor scenarios) must verify, on a case-by-case basis and in collaboration with the data importer, whether the law and practice of the destination country ensure protection of the transferred EU personal data that is essentially equivalent to that guaranteed in the EU and, where they fall short, whether supplementary measures in addition to the SCCs can close the gap. Importantly, the ECJ’s findings on the incompatibility of U.S. surveillance law and practice (notably Section 702 of FISA and Executive Order 12333) with EU requirements call into question whether any data exporter could conclude that SCCs alone provide adequate protection in the U.S. This commentary highlights an underlying distinction in the way the U.S. and the EU view privacy: the U.S. largely treats privacy as a property or consumer-protection interest, while the EU treats it as a fundamental human right. Individual EU member state data protection authorities are not merely empowered but required to suspend or prohibit transfers made under SCCs where they conclude that the clauses cannot be complied with in the destination country and the required protection cannot be ensured by other means.
What Happens Next? Practical Implications of Schrems II
The precise contours of what is now required after Schrems II are not sharply defined. Companies must now reassess how to maintain or re-establish lawful means for data transfers without the Privacy Shield. Businesses that seek to mitigate the risk associated with EU personal data in their possession and control may need to deploy additional resources towards protecting this data and documenting its movement, including:
- having a clear understanding of whose data they have and which categories of personal data are involved;
- the residency of such data;
- where such data is stored, including backups and replicas;
- the location of data center(s) and of any cloud regions in use;
- where data is transferred, bearing in mind that remote access from outside the EEA (for example by support or engineering staff) is treated as a transfer;
- which vendors and sub-processors receive the data and on what legal basis; and
- data maps outlining inflows and outflows.
Any organization that wants to transfer EU personal data outside the EEA should make an informed, documented and case-by-case determination about the level of protection the transferred data will receive, including the supplementary technical, contractual or organizational measures relied upon. Establishing clear policies and procedures to address these requirements will be key to complying with the new obligations created by the invalidation of the Privacy Shield.
Further, for businesses that outsource components of EU personal data transfer, storage and/or processing, this may mean revising legacy vendor relationships that relied on the Privacy Shield to incorporate SCCs, and confirming that the vendor’s own onward transfers to sub-processors rest on a valid mechanism.
We expect both significant uncertainty in the short term and ongoing pressure to provide appropriate protections for personal data transferred from the EU. We will continue to monitor guidance from the European Data Protection Board and national authorities as it becomes available. The ECJ decision reinforces the need for impacted organizations to stay up to date on data protection law developments globally.
Stay tuned for further developments.