The Court of Justice of the European Union (CJEU) recently declared that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States. In the CJEU’s Schrems II (Case C-311/18) decision, the CJEU held that standard contractual clauses (SCCs) for the transfer of personal data from the EU to countries outside the EU remain valid. However, according to the July 16, 2020, judgment, companies relying on SCCs have several obligations to ensure compliance with EU data protection requirements.
The case stems from a complaint that Maximillian Schrems, an Austrian citizen, filed with the Irish Data Protection Commissioner to prevent the transfer of his personal data to the United States under the Safe Harbor Framework. The CJEU, in 2015, decided in his favor. According to the CJEU, the European Commission’s decision that the Safe Harbor Framework provided adequate protections for personal data transferred from the EU to the United States was invalid.
Employers now commonly use the Privacy Shield, which replaced the Safe Harbor Framework in August 2016—along with SCCs—in order to transfer personal data outside of the EU.
The Privacy Shield
The primary reason that the CJEU ruled that the Privacy Shield is not legally valid concerns the access that U.S. intelligence agencies have to EU data. Particularly, the court found that:
- U.S. national security, public interest, and law enforcement take precedence over the fundamental rights of persons whose data is transferred to the United States.
- U.S. surveillance programs do not limit their use of data to what is strictly necessary.
- Affected individuals have insufficient judicial protection in that the mechanisms available to them are not binding on U.S. intelligence agencies and are not equivalent to the standard used in the EU.
The CJEU also confirmed that SCCs continue to be valid tools for the transfer of data, but highlighted that data controllers are still obligated to assess the level of data protection provided by the country to which the data is being transferred. Specifically, data controllers must do the following:
- Determine whether the data protection laws of the recipient country fail to provide adequate protection for data subjects (with the help of data processors and data subjects).
- In addition to the protections afforded by the SCCs, take measures (such as ensuring that data subjects have enforceable data subject rights and access to effective legal remedies) to compensate for any failings.
- Suspend or end the transfer of data from the EU to the United States, where such additional measures to guarantee adequate protections cannot be taken.
U.S. Reaction to the Ruling
Secretary of the U.S. Department of Commerce Wilbur L. Ross, Jr. issued a statement on the Schrems II ruling, expressing disappointment and claiming that the Department is “studying the decision to fully understand its practical impacts.”
Impact on Other International Data Transfers
The Schrems II decision applies only to the EU-U.S. Privacy Shield Program. The Swiss data protection commissioner, however, is expected to soon discontinue the Swiss-U.S. Privacy Shield program, which is based on the EU-U.S. Privacy Shield program.
Additionally, several countries outside of the EU have either recognized the EU SCCs or adopted similar model contract clauses as legal mechanisms for transferring data. These countries may now expect their data controllers to conduct assessments of the data protection laws of relevant countries and, depending on the results of these assessments, to provide safeguards for any data protection deficiencies as outlined in Schrems II.
It is hoped that the European Commission or U.S. Department of Commerce will provide further guidance on Schrems II. Ultimately, the decision may lead to a change in U.S. surveillance laws or the monitoring practices of U.S. intelligence agencies. In the meantime, companies are required to continue to ensure that their privacy practices and procedures comply with the requirements of EU data protection laws when they implement alternate transfer methods.
What does this mean for employers? As a result of Schrems II, companies can no longer rely on the Privacy Shield under the presumption that it provides adequate protections. The decision also implies that employees and customers may file complaints regarding a transfer of personal data under the Privacy Shield’s standards. Moreover, such complaints would subject companies to investigations by data protection authorities in addition to possible enforcement actions and penalties.
Given Secretary Ross’s position, U.S. companies that are certified under the Privacy Shield may want to carefully evaluate whether to discontinue their participation in the program. While the court’s decision takes immediate effect, the EU will likely provide a grace period before enforcing it (as it did in 2015 when the Safe Harbor Framework was invalidated). Companies that rely solely on the Privacy Shield may want to review other legal means to transfer personal data. In addition, they may now need to implement contractual clauses based on an assessment of a country’s data protection laws and provision of additional safeguards.
Companies may also want to consider using binding corporate rules that permit intracompany transfers, relying on the derogations provided by the General Data Protection Regulation (GDPR), including transferring information in connection with entering into or administering a contract, or obtaining consent from individuals.