As previously advised, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a lengthy and detailed opinion invalidating the EU-U.S. Privacy Shield. The decision required immediate changes in how “personal data” is transferred between the European Union (EU) and the United States.
EU – U.S. Personal Data Protection
The General Data Protection Regulation (GDPR) was adopted by the EU in 2016 and has applied since May 2018. It dramatically enhanced protections for EU personal data, including:
- Requiring that consent requests be presented in clear, plain language.
- The right to be told the details of how personal data is used and processed.
- The right to receive a copy of one’s personal data in a “commonly used and machine-readable format” – and to have it transmitted directly to another controller, even a competitor.
- The “right to be forgotten,” through erasure of the data or removal of search links.
- Notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
The GDPR restricts transfers of EU personal data outside the EU to countries that ensure a level of protection essentially equivalent to the EU’s, unless other safeguards apply. Until the Schrems I and Schrems II decisions, respectively, businesses could transfer EU personal data to the U.S. under government-negotiated data protection regimes: first the EU-U.S. Safe Harbor, and later the Privacy Shield.
EU Challenges to U.S. Privacy Protections
The Safe Harbor was first challenged and invalidated by the CJEU in 2015 in a case involving Facebook, commonly referred to as “Schrems I.” Max Schrems then brought a second action challenging the adequacy of the EU-U.S. Privacy Shield, which had been created to address the Safe Harbor’s shortcomings. The CJEU’s July 16 “Schrems II” opinion invalidated the Privacy Shield but left open the use of GDPR “standard contractual clauses.”
Schrems II generally follows Schrems I in finding that there are insufficient protections against U.S. intelligence and law enforcement agencies obtaining the personal data of EU data subjects. The most significant difference is the weight Schrems II places on privacy and data protection as fundamental rights of EU citizens under the EU Charter – tantamount to an individual liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that is now generating additional guidance from EU data protection authorities (DPAs) and enforcers, which further affects how businesses can transfer the personal data of EU data subjects going forward.
Various U.S. and EU officials initially announced that contractual GDPR privacy protection clauses – called “standard contractual clauses” – could still be used for transfers of personal data from the EU to the U.S. Unfortunately, EU DPAs and enforcement officials are now issuing guidance advising that changes to standard contractual clauses will be required to protect the fundamental privacy right delineated in Schrems II from the perceived threat posed by U.S. intelligence and law enforcement access.
Standard Contractual Clauses Guidance
Many U.S. businesses have relied on standard contractual clauses for transfers of personal data from the EU. While Schrems II did not expressly invalidate standard contractual clauses, it made clear that an exporter relying on them must assess, case by case, whether the law of the importing country allows the clauses to be honored in practice, and that EU supervisory authorities must suspend or prohibit transfers where it does not.
Immediately following Schrems II, the Data Protection Commission in Ireland and the Hamburg Commissioner for Data Protection and Freedom of Information in Germany issued statements questioning whether standard contractual clauses, as currently written, are adequate for transfers of EU personal data to the U.S.
On August 24 the DPA for the German state of Baden-Württemberg issued further guidance on the protections needed in standard contractual clauses for transfers of EU personal data to the U.S. Specifically, the Baden-Württemberg DPA recommended 1) encryption where “only the data exporter has the key and which cannot be broken by US intelligence services;” and 2) what the guidance calls anonymization – in GDPR terms, pseudonymization – such that the data can be linked back to the data subject only by the data exporter. The DPA also provided a compliance checklist of recommendations, which mirrors recommendations that Bradley has previously provided to minimize cybersecurity risks:
- Maintain a detailed schedule of data, data transfers and data locations – i.e., use of data maps.
- Communicate the impact and effects of Schrems II with all service providers – i.e., proactively communicate compliance and contractual requirements to service providers to assure regulatory compliance and delineate contractual responsibility.
- Research applicable local and federal laws in other jurisdictions – i.e., harmonize regulatory compliance and contractual responsibility where possible.
- Determine whether a non-EU country has been found inadequate by the EU – i.e., keep current on the ever-changing cyber and privacy requirements of applicable jurisdictions.
- Determine whether standard contractual clauses must be modified due to inadequate protections of a non-EU country – i.e., assure regulatory compliance and contractual responsibility with multi-jurisdictional requirements.
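The Baden-Württemberg recommendation that transferred data be linkable to the data subject only by the exporter is, in engineering terms, keyed pseudonymization: direct identifiers are replaced with tokens derived under a key the exporter keeps at home, and the re-identification table never leaves the EU. The following is an added example, not code from the article, from Bradley, or from any DPA guidance; the record layout, field names, sample records and the `PSEUDO_KEY` handling are all constructed assumptions. It also shows the check a practitioner wants: an unkeyed hash of an enumerable identifier such as an e-mail address is not pseudonymization, because anyone with a candidate list can reverse it, whereas the HMAC tokens resist the same attack without the exporter’s key. (The separate encryption of the remaining payload with an exporter-held key, e.g. AES-GCM, is not shown here.)

```python
"""Keyed pseudonymization of direct identifiers before an EU-to-U.S. transfer.

Added illustration only: not code from the article, from Bradley, or from any
DPA guidance. Field names, the identifier space and the sample records are
constructed. The exporter generates PSEUDO_KEY, keeps it, and never ships it
to the importer; the importer receives only tokens plus the non-identifying fields.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumption: generated and stored by the data exporter only (for example in an
# EU-hosted KMS or HSM); the importer never sees it.
PSEUDO_KEY = secrets.token_bytes(32)

# Fields that identify a data subject directly and must not cross the border in clear.
DIRECT_IDENTIFIERS = ("email", "customer_id")

# Constructed sample records; these people do not exist.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "customer_id": "C-1001", "plan": "pro", "country": "DE"},
    {"email": "jonas@example.eu", "customer_id": "C-1002", "plan": "free", "country": "BE"},
]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of an identifier: what NOT to use as a pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256 over the identifier).

    Same value + same key -> same token, so the importer can still join and
    deduplicate records; without the key nobody can go from token to value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_transfer(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[Tuple[str, str], str]]:
    """Return (records safe to export, re-identification table kept by the exporter)."""
    reident: Dict[Tuple[str, str], str] = {}
    exported = []
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonym(out[field], key)
                reident[(field, token)] = out[field]  # stays on the EU side
                out[field] = token
        exported.append(out)
    return exported, reident


def reidentify(record: dict, reident: Dict[Tuple[str, str], str]) -> dict:
    """Exporter-side reversal: map tokens back to the original identifiers."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = reident[(field, out[field])]
    return out


def leaks_identifier(exported: List[dict], originals: List[dict]) -> bool:
    """True if any original direct-identifier value appears anywhere in the export."""
    raw = {r[f] for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(v in raw for rec in exported for v in rec.values())


def guess_identifier(token: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack as an importer or any third party would run it.

    key=None models an unkeyed hash: a list of plausible identifiers suffices.
    With HMAC the attacker must also supply the right key, so a guessed key fails.
    """
    for cand in candidates:
        digest = unkeyed_hash(cand) if key is None else pseudonym(cand, key)
        if hmac.compare_digest(digest, token):
            return cand
    return None


if __name__ == "__main__":
    exported, table = prepare_transfer(SAMPLE_RECORDS, PSEUDO_KEY)
    print("exported:", exported)
    print("leaks identifier:", leaks_identifier(exported, SAMPLE_RECORDS))
    print("round trip ok:", reidentify(exported[0], table) == SAMPLE_RECORDS[0])
    known_emails = [r["email"] for r in SAMPLE_RECORDS]
    print("unkeyed hash reversed to:", guess_identifier(unkeyed_hash("anna@example.eu"), known_emails))
    print("keyed token reversed without key:", guess_identifier(exported[0]["email"], known_emails))
```

The design point is that determinism is kept (the importer can still match records across batches) while reversibility is confined to whoever holds `PSEUDO_KEY` and the table; rotating the key breaks linkability across rotations, which may or may not be desired.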
The Belgian DPA issued similar guidance on August 31, and other EU DPAs are likely to issue additional guidance in the coming months. We will continue to monitor for such announcements and provide updates accordingly.
In addition to the actions and guidance of EU regulators, there is already an effort to address the issue at the U.S. federal level. On September 3, the EU Justice Commissioner, speaking before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, advised that the EU is working with the U.S. to develop solutions for the required protections – though from a U.S. perspective no action is likely until after the U.S. election in November. In the meantime, businesses transferring EU personal data to the U.S. should take the following steps:
- Personal data transfers from the EU to the U.S. based solely on the EU-U.S. Privacy Shield must be suspended.
- Personal data transfers from Germany that are based on pre-existing standard contractual clauses should be suspended until the clauses can be revised to reflect the guidance of the Baden-Württemberg DPA.
- Continue to amend standard contractual clauses as required to comply with additional guidance from other EU DPAs.