Decision of the Court of Justice of the European Union
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the so-called “Schrems II” case (click here for the decision and here for the accompanying press release). The Court concludes that (i) the EU-U.S. Privacy Shield program (“Privacy Shield”) does not provide adequate safeguards and the European Commission’s adequacy decision which facilitates the ability of participating companies to transfer personal data from the European Union (EU) to the United States is invalid; and (ii) Standard Contractual Clauses (SCCs) remain a valid mechanism for such transfers, although a case-by-case evaluation of their sufficiency may be required by local data protection authorities as well as controllers and processors.
This decision follows the Schrems I decision in 2015, which invalidated the U.S.-EU Safe Harbor program as a mechanism for transferring personal data from the EU to the United States. The case arose when Austrian privacy advocate, Maximillian Schrems, lodged a complaint with the Irish Data Protection Commissioner challenging the transfer of his personal data from Facebook’s Irish subsidiary to Facebook’s servers located in the United States. After Schrems I invalidated the Safe Harbor program, the EU-U.S. Privacy Shield was negotiated to take its place by EU and U.S. authorities.
In its decision, the CJEU invalidated Privacy Shield based on its determination that the program does not sufficiently protect the personal data of EU data subjects from government surveillance in the United States. The Court states that Privacy Shield does not satisfy the EU law requirement that surveillance programs be limited to what is “strictly necessary to achieve the legitimate objective” with regard to data collection for national security and law enforcement purposes. In addition, the Court found Privacy Shield does not ensure that EU data subjects have sufficient judicial redress and protection, holding that the Ombudsperson role established by Privacy Shield is not sufficiently independent. The decision was driven by the CJEU’s evaluation of U.S. law and surveillance practices in the context of GDPR requirements rather than any commercial practices of Facebook with respect to the data.
Standard Contractual Clauses as an Alternative
While Schrems II upholds SCCs as a valid mechanism for international data transfers, it adds that a “supervisory authority is required…to suspend or prohibit a transfer of personal data to a third country if, in its view, in light of all the circumstances of that transfer, the [SCCs] are not or cannot be complied with in that third party and the protection…required by EU law cannot be ensured by other means.” (Para. 113). The Court further provides, “[i]t is therefore, above all, for [the] controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law.” (Para. 134). In short, while the SCCs have been upheld as a general matter, the CJEU found that data protection authorities (which are required to consider data subject complaints), as well as the parties to the SCCs themselves, could conclude that in light of all of the circumstances, the law of the third country involved does not provide adequate protection for the personal data involved. Companies utilizing standard contractual clauses should consider whether there are additional safeguards that might be implemented to help insulate data transfers using the clauses from case-by-case challenges. While transfers of personal data from the EU to the United States were the specific focus of the case before the CJEU, use of the SCCs to transfer personal data to any country that does not have an EU adequacy decision is potentially subject to similar challenges.
Current State of the EU-U.S. Privacy Shield as well as the Swiss-U.S. Privacy Shield
Privacy Shield is currently in use by over 5,000 companies as a legal basis for transferring personal data from the EU to the United States. According to a statement from the U.S. Department of Commerce (click here), the Department will continue to administer the Privacy Shield program despite the CJEU’s decision and all current Privacy Shield participants must continue to meet their obligations under the program. The Swiss-U.S. Privacy Shield program remains unaffected by the CJEU’s decision, however, Swiss authorities may choose to adopt the EU’s stance. The decision did not address Binding Corporate Rules (BCRs) and derogations, both of which remain legitimate mechanisms for international data transfers under the EU’s General Data Protection Regulation (GDPR), as do SCCs, subject to a case-by-case analysis.
Companies currently operating under Privacy Shield will need to transition to one of these other international data transfer mechanisms. It is not yet clear whether European Union data protection authorities will exercise enforcement discretion as Privacy Shield participating companies seek to transition to other data transfer mechanisms. It also is not yet clear whether the European Commission and the United States will attempt to negotiate a new program to replace Privacy Shield.