Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions.
The EDPB is working on a set of FAQs that will hopefully provide some level of clarification on key issues that companies now face. The EDPB is meeting on July 22 and 23, and we expect the FAQs to be published shortly thereafter. We will report on these FAQs as soon as they are issued.
On July 16, 2020, the ECJ invalidated the EU-U.S. Privacy Shield framework (Privacy Shield) but upheld the use of Standard Contractual Clauses for data transfers (SCCs), while adding stricter diligence requirements on their use (see our client alert, "ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses"). The ECJ found that the Privacy Shield did not offer adequate protection for EU data in light of the potentially broad disclosure of personal data to U.S. intelligence services and public authorities. The ECJ further held that companies relying on SCCs must verify, before any transfer is made, whether the level of protection required by EU law is respected in the importing country.
EDPS and EDPB Highlight Responsibilities
The EDPS and the EDPB both issued statements welcoming the ECJ's decision. The EDPS highlighted that it had repeatedly expressed concerns about the Privacy Shield in the past, which the ECJ confirmed in its judgment. It reiterated the importance of European SAs suspending or prohibiting transfers of data to third countries where appropriate.
The EDPB stressed that, when considering whether to enter into SCCs, data exporters and importers are required to conduct an assessment of the data transfer. They must evaluate the circumstances of the transfer and the legal regime of the data importer's country, in light of the non-exhaustive factors for adequacy set out in the GDPR (e.g., the existence of rule of law, and independent and effective supervisory authorities).1 If the data exporter finds that the importer country's legal system does not provide a level of protection essentially equivalent to the GDPR, the SCCs must be supplemented with additional measures to safeguard data. Further, if parties cannot demonstrate that they can comply with the SCC's obligations, the data exporters must suspend the data transfer, terminate the SCCs, or notify the competent SA if it intends to continue transferring data.
SAs Across Europe Weigh In
A number of SAs have also issued statements in response to Schrems 2.0. We have summarized below some of the main reactions:
- United Kingdom—ICO / UK government: The ICO released a short statement that it is still considering the decision, and is willing to work with UK companies in response to the ECJ's ruling. It further noted that companies should not sign up to Privacy Shield, but companies that are currently using it should continue to do so until new guidance becomes available. Separately, the UK government acknowledged that it will work with the ICO and support UK organizations on international data transfers.
- Ireland—DPC: The DPC explained in its statement that it will further examine the practical implications for SCCs since each transfer must be assessed on a case-by-case basis. It also intends to liaise with other European SAs to develop a common position.
- France—CNIL: The CNIL indicates that it is currently analyzing the judgment to provide guidance as soon as possible on the consequences of the ruling for data transfers from the EU to the U.S.
- Germany—BfDI and other state level SAs: The response across Germany varies on both the federal and state level, although the German SAs generally follow a strict interpretation of the ECJ's decision. Certain German SAs expressly state that the judgment applies without any formal grace period for companies to adapt.
- At the federal level, the BfDI notes that companies and authorities must now take "special safeguards" when transferring data to the U.S., and that it would push for a "rapid implementation" of the judgment for particularly relevant cases.
- The Berlin SA notes that the commonly-held perception that a company may enable data exports to third countries merely by entering into SCCs is incorrect. It calls for organizations established in Berlin to immediately transfer personal data formerly stored in the U.S. back to Europe. It further mandates all organizations using cloud services in the U.S. to immediately switch to service providers located in the EU or in a country with an appropriate level of data protection.
- The Hamburg SA states that the present situation mirrors the invalidation of Safe Harbor five years ago, albeit with the ECJ now "passing the ball" to European SAs to suspend or prohibit data transfers based on the SCCs.
- Conversely, the Rhineland SA concludes that organizations have a primary role to play, as their accountability increases when relying on SCCs. The Rhineland SA has also published FAQs which note, among others, that i) there is no transition period and that data transfers relying on Privacy Shield have been made illegal since Schrems 2.0, ii) if organizations switch to an alternative data transfer mechanism, they should adjust their privacy notice wording as required under the GDPR,2 iii) contracts containing SCCs do not have to be changed, nor does the ECJ's decision necessarily mean that SCCs cannot be used for data transfers to the U.S., but data exporters and importers must fulfill their responsibilities under the SCCs, and iv) it cannot rule out a further impact on other data transfer mechanisms such as Binding Corporate Rules (BCRs).
As European SAs further examine and unpack the ECJ's decision, companies can expect further guidance and statements in the near future.
Reaction in the U.S.
In the U.S., the Department of Commerce and the State Department both issued statements that they were "deeply disappointed" by the decision. The Commerce Department also pointed out that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks, and that the decision would not relieve participating organizations of their existing Privacy Shield obligations. Although it invited companies to continue applying for Privacy Shield certification, it remains unclear what the benefit could be of such future certifications under EU data protection law in the wake of Schrems 2.0.
The impact of Schrems 2.0 will be significant for companies doing business on both sides of the Atlantic. Companies that rely exclusively on Privacy Shield to transfer data to the U.S. must now promptly implement an alternative data transfer mechanism, and companies that rely on the SCCs should reevaluate their contractual obligations and assess whether they can be met in light of the local laws of the importing country.
Companies should follow the developments related to this field as the situation is in flux and will evolve in the next few weeks. We are closely monitoring this topic and will report on any major development.
 GDPR Art 45(2).
 GDPR Art 13 and 14.