On July 16, 2020, the Court of Justice of the European Union (“CJEU”) announced its decision in case C-311/18, better known as Schrems II. In December 2019, the Advocate General had issued a nonbinding opinion declaring the use of standard contractual clauses valid while alluding to potential inadequacies of the EU-U.S. Privacy Shield (“Privacy Shield”). That uncertainty has now been partially resolved: the Court upheld standard contractual clauses as a valid data transfer mechanism but struck down the Privacy Shield. This is the second time in five years that a “safe harbor” program between the EU and the U.S. has been found inadequate by the CJEU.
The Safe Harbor Program and Schrems I
The Privacy Shield’s predecessor, the Safe Harbor program, became the subject of controversy in 2014 after then-law student Maximillian Schrems brought an action arguing that the Safe Harbor did not actually provide “adequate” protection of personal data as required by the EU Data Protection Directive, especially in light of the unrestricted access to personal data by U.S. intelligence agencies. After the CJEU Advocate General issued an influential, nonbinding opinion on September 23, 2015, recommending that the Safe Harbor program be invalidated, the CJEU issued a judgment to the same effect on October 6, 2015. In 2018, when the Directive’s successor, the General Data Protection Regulation (“GDPR”), went into effect, Schrems set his sights on the Privacy Shield and standard contractual clauses with similar objections to their adequacy.
The GDPR and Schrems II
The GDPR regulates the processing of data within the European Economic Area (“EEA”), as well as transfers of personal data outside of the EEA. Under the GDPR, there are three scenarios in which an entity can legitimately transfer personal data to a receiver outside the EEA: (1) the receiver is located within an area covered by an adequacy decision; (2) appropriate safeguards have been established to protect individuals’ rights to their personal data; or (3) an exception, such as explicit consent, covers the transfer.
Adequacy decisions are made by the European Commission (“Commission”) and establish that a given country provides adequate data protection and privacy measures. These decisions are reviewed at least every four years. In 2016, the Commission issued a partial adequacy decision for the United States, finding that only personal data transfers covered by the Privacy Shield are adequately protected. To be covered by the Privacy Shield, private entities within the U.S. must self-certify with the United States Department of Commerce.
For transfers that do not fall within the scope of an existing adequacy decision, “appropriate safeguards” must be established. While the GDPR lists several kinds of appropriate safeguards, one of the most common is the standard contractual clause (“SCC”). SCCs are template clauses, preapproved by the Commission, that companies can incorporate into their contracts to ensure sufficient data protection and GDPR compliance.
In 2019, Schrems alleged that the SCCs Facebook relied on when transferring his personal data were not appropriate safeguards. Additionally, he requested that the Privacy Shield be invalidated. SCC supporters countered Schrems, arguing that SCCs and the Privacy Shield foster business growth and technological innovation through the predictability and reliability they provide.
The Advocate General of the CJEU issued a nonbinding opinion in Schrems II on December 19, 2019, stating that SCCs are an appropriate safeguard for personal data transfers. However, the Advocate General questioned whether certain personal data transfers under the Privacy Shield provided sufficient protection, suggesting that the sufficiency of the protection offered in any given transfer must be decided on a case-by-case basis.
Summary of the CJEU Opinion
The CJEU summarized its findings in a press release describing its examination of requirements under the GDPR regarding data transfer. Specifically, the GDPR requires appropriate safeguards, enforceable rights and effective legal remedies. These requirements, the Court noted, must be interpreted to require that data transferred outside of the EEA be afforded a level of protection “essentially equivalent” to that guaranteed within the EU by the GDPR. The level of protection afforded to transferred data must be evaluated in light of both the contractual clauses agreed to by the data exporter and the data recipient and, “as regards any access by the public authorities of that third country [such as the U.S.] to the data transferred, the relevant aspects of the legal system of that third country.”
In examining the validity of Decision 2010/87 (the “SCC Decision”), the Court determined that the mere fact that the standard data protection clauses do not bind the public authorities of the third country to which data is transferred is not enough to invalidate the decision or the use of SCCs. Notably, however, this validity depended, according to the Court, on whether the SCC Decision includes effective mechanisms ensuring compliance with the requirements of EU law and ensuring that data transfers are suspended or terminated in the event of a breach of the clauses. The SCC Decision (and thus the SCCs themselves) offers this protection and therefore remains valid following this decision.
The Court next examined the validity of Decision 2016/1250 (the “Privacy Shield Decision”). The Court reasoned first that the requirements of the GDPR must be read in light of the provisions of the Charter of Fundamental Rights guaranteeing respect for privacy and family life, protection of personal data, and the right to effective judicial protection. In examining protections offered within the U.S., the CJEU found that “the requirements of U.S. national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to [the U.S.].”
Surveillance programs within the United States, the Court continued, violate the principle of proportionality, insofar as the surveillance programs “are not limited to what is strictly necessary.” Protections within the U.S. are therefore not “essentially equivalent” to those offered within the EEA, according to the Court. The Court also found that the Ombudsperson mechanism referenced in the Privacy Shield Decision does not provide data subjects with a cause of action, and that the Ombudsperson was insufficiently independent and lacked the ability to adopt decisions binding upon U.S. intelligence services. As a result, the Court declared the Privacy Shield Decision and, thus, the Privacy Shield itself, invalid.
What This Means For You
The Privacy Shield now faces the same fate as the Safe Harbor program in 2015. As with the scramble that followed the Safe Harbor’s invalidation, we may see the U.S. and EU governments negotiate to repair the defects highlighted by the CJEU decision. (Interestingly, the CJEU’s decision did not mention the Judicial Redress Act in the context of providing an adequate cause of action for data subjects, or whether that act could provide a remedy sufficient to deliver guarantees “equivalent” to those required by EU law.) Until these defects are remedied, any company relying on the Privacy Shield to transfer data should shift to another lawful transfer mechanism: an appropriate safeguard such as SCCs or binding corporate rules, or, where one applies, a derogation such as the data subject’s explicit consent.
Even companies that rely on SCCs for exporting data out of the EEA would be prudent to monitor this space closely. Under the Court’s reasoning, the exporter and importer must themselves verify, before transferring, whether the law of the destination country allows the importer to honor the clauses, and must suspend the transfer where it does not. EU Commissioner for Justice Didier Reynders issued an announcement on the same day as the decision, noting the Commission’s plans to update the SCCs in light of their now-increased importance.