On July 16, 2020, the Court of Justice of the European Union, Europe’s highest court, issued its highly anticipated decision in the case Data Protection Commission v. Facebook Ireland, Schrems (Schrems II).
The General Data Protection Regulation (‘the GDPR’) provides that the transfer of personal data to a third country outside of the European Union may, with limits, take place only if the third country in question ensures an adequate level of data protection. This is most often seen with companies in the United States that contract with European companies to process personal data. The processing of this data may require the US-based company to transfer EU personal consumer data to the US. The GDPR allows the Data Protection Commission to decide whether another country has adequate data privacy safeguards through its domestic laws or international commitments. If those safeguards are not in place, the transfer may take place if the personal data exporter can prove that the company has appropriate safeguards in place. These protections are documented through the use of Standard Contractual Data Protection Clauses or the EU-US Privacy Shield Framework. The recent Schrems II decision puts EU-to-US data transfers in question.
Background on the Schrems II Decision
The Schrems II decision concerns an Austrian national who has been a Facebook user since 2008. Mr. Schrems’ personal data is transferred by Facebook Ireland to servers owned by Facebook Inc. that are located and operated in the United States. Many US based companies process EU data similarly to Facebook. Mr. Schrems complained to the Irish supervisory authority seeking to prohibit those transfers, stating a violation of his privacy rights under the EU Charter on Fundamental Rights. Schrems argued that the laws of the United States did not provide sufficient protection against access by public authorities. The complaint was rejected by the Irish supervisory authority, on the basis that the Commission had previously found that the United States ensures an adequate level of protection (known as the Safe Harbour Decision). On October 6, 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that the Safe Harbour Decision was invalid (‘the Schrems I judgment’). This decision was invalidated after it became apparent that the US prioritizes digital surveillance laws, whereas the EU prioritizes European fundamental rights which give citizens rights to privacy and data protection, as set out in the EU Charter of Fundamental Rights.
After this decision, Mr. Schrems once again claimed that the United States did not offer sufficient protections for EU personal data transferred to the US. He sought the suspension or prohibition of future transfers of his personal data from the EU to the United States. Currently, Facebook Ireland carries out the transfer of data to the United States pursuant to the standard data protection clauses previously approved by the Commission. The Irish supervisory authority brought proceedings before the High Court and ultimately the Court of Justice to determine the adequacy of both the Standard Contractual Clauses and the EU-US Privacy Shield.
The Court of Justice was tasked with answering: 1) whether the GDPR applies to transfers of personal data pursuant to the standard data protection clauses, 2) what level of protection is required by the GDPR in connection with such a transfer, and 3) what obligations are incumbent on supervisory authorities in those circumstances.
Ultimately the highest court invalidated the European Commission's adequacy decision for the Privacy Shield Framework, once again citing the clash between US surveillance laws and EU data protections. This was shocking to many US companies because over 5,000 companies in the United States rely on this framework to process and transfer EU data.
The court invalidated the decision for two main reasons. First, US surveillance programs are not limited and are not proportional to the requirements of EU law, especially the requirements of the EU Charter on Fundamental Rights. Second, the court held that EU data subjects do not have actionable judicial redress. In other words, the court determined that EU citizens lack an effective remedy if their data is accessed in the US.
As for the Standard Contractual Clauses, the court did not invalidate their use, but required companies and regulators to verify whether foreign laws concerning government access to transferred data meet the EU standards. If the country does not provide adequate protections, the companies must provide additional safeguards. The EU data protection authority now has the power to suspend transfers of data if they deem that equivalent protection cannot be ensured.
Questions and Implications for US Companies Doing Business in the EU
The question facing many US companies is whether they will have to increase their protections aside from the Standard Contractual Clauses already written in their data processing agreement. It is important to note that the Schrems decision primarily impacts bulk outsourcing of data processing from the EU to the US. This is especially concerning to US companies, given that the court held that the US Privacy Shield was invalid due to the lack of limitations under US surveillance laws. Moving forward, privacy professionals will need to consider if or how US surveillance programs impact their transfers of data from the EU. Privacy departments will also have to consider if transferred data should be encrypted and if there are any US surveillance laws that would make this unlawful in the United States. For example, many companies such as Facebook fall under US surveillance laws such as FISA 702. The court made it clear that US companies that fall under surveillance laws will have to stop processing EU data. Will these companies even be able to create data privacy programs that block US surveillance? Ultimately, will companies be forced to set up data centers in the EU?
Another question to tackle is how companies can provide EU citizens appropriate judicial remedies if their data is accessed, as this was one of the main concerns addressed by the EU court. Moving forward, US-based companies may not be able to depend solely on their compliance with Standard Contractual Clauses. The EU court’s decision reminds companies that the Standard Contractual Clauses are more than just standard clauses to sign and forget about; companies need mechanisms to comply with the clauses efficiently. It may be difficult for US companies to adequately create privacy programs that protect EU personal data, especially given the breadth of US surveillance laws. Privacy professionals must determine how their protections around the transfer of EU data can meet the standards set by the EU.
Further, companies that depend on the Privacy Shield will have to look for a different legal basis to enable the transfer of data under the GDPR. Companies may want to consider the use of Standard Contractual Clauses or binding corporate rules.
As the effects of this decision begin to unfold, it is important that US companies that process EU data enlist privacy attorneys and professionals that can assist them in navigating how the EU's decision could impact their businesses. Moreover, companies can probably expect a shift in the drafting of the Standard Contractual Clauses in the near future. Now more than ever it is important to create comprehensive data privacy frameworks that will ensure this decision does not create significant disruptions to US companies doing business in the EU.