[co-author: Lara McMahon]
Pathways for U.S. companies to transfer personal data out of the European Union have been repeatedly blocked by EU authorities concerned by what they perceive as gaps in data protection under U.S. laws. Schrems I invalidated the pre-GDPR Safe Harbor program in 2015, and last summer, we saw the EU-U.S. Privacy Shield struck down by Schrems II. Last week, on May 14, 2021, Ireland’s High Court dealt another potential blow to EU-U.S. data transfers, this time by clearing the way for a Data Protection Commission inquiry into Facebook’s reliance on a transfer mechanism known as standard contractual clauses (“SCCs”).
In Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (“Schrems II”), the Court of Justice of the European Union (“CJEU”) took another swipe at EU-U.S. data transfers. As V&E previously discussed, in deciding Schrems II, the CJEU was tasked with examining two prior European Commission (“Commission”) decisions: Decision 2016/1250 (the “Privacy Shield Decision”) and Decision 2010/87 (the “SCC Decision”). The CJEU annulled the Privacy Shield Decision on the grounds that U.S. surveillance law (in particular Section 702 FISA and Executive Order 12333) is not limited to what is strictly necessary and proportionate, and does not give EU data subjects actionable rights before an independent body, making it incompatible with the GDPR and the EU Charter of Fundamental Rights. In doing so, the CJEU invalidated the EU-U.S. Privacy Shield as a legal mechanism for the transfer of personal data out of the European Union.
The CJEU’s invalidation of the EU-U.S. Privacy Shield cast some doubt on whether SCCs can remedy the inadequate protection afforded by U.S. law. Nevertheless, the CJEU confirmed that as a general rule, SCCs provide appropriate safeguards for international transfers of personal data. In so doing, however, the CJEU cautioned that the continued validity of SCCs turns on whether transferred data can be afforded a level of protection “essentially equivalent” to that guaranteed within the European Union. The onus is on both the data exporter and data importer to conduct a transfer impact assessment and, if necessary, to implement additional safeguards. If the “essentially equivalent” standard of protection cannot be guaranteed, then the parties must suspend the transfer.
In its statement issued in response to the CJEU’s decision, the Irish Data Protection Commission (“DPC”) emphasized the importance of the “essentially equivalent” standard. According to the DPC, while the CJEU “ruled that the SCCs transfer mechanism … is, in principle, valid” it also made clear that “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The DPC cautioned that this issue would require “further and careful examination.” Additionally, guidance issued by the European Data Protection Board (“EDPB”) in the wake of Schrems II reiterated the CJEU’s finding that “US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.”
On August 28, 2020, roughly six weeks after the CJEU’s decision in Schrems II was handed down, the Irish DPC issued a preliminary draft decision (the “order”) warning Facebook, which had adopted SCCs as its transfer tool of choice, that it may have to stop transferring the data of its EU users to the United States. The order suggests that SCCs “cannot in practice be used” by Facebook and other companies for EU-U.S. data transfers. According to the DPC, this is because U.S. law does not provide an “essentially equivalent” level of protection, SCCs cannot compensate for the inadequate level of protection, and Facebook does not appear to have implemented any supplemental measures which would compensate for the inadequate protection. As such, “a suspension of [Facebook’s] data transfers would likely be appropriate.”
Facebook sought judicial review of the order in the Irish High Court and was granted a stay during the pendency of those proceedings. On May 14, 2021, however, the High Court dismissed Facebook’s challenge, finding that Facebook is “not entitled to any of the reliefs claimed in the proceedings” because it “has not established any basis for impugning” the DPC’s order. Facebook now has twenty-one days to submit proof of its additional safeguards. If Facebook cannot show that it can ensure the level of protection required by the GDPR is respected in the United States, the DPC will likely suspend Facebook’s data transfers.
A final decision on the fate of SCCs is still a few months away. Even after Ireland’s DPC reaches a decision on the adequacy of Facebook’s additional data protection safeguards, that draft decision must be circulated to the other concerned national data protection authorities (“DPAs”) under the GDPR’s cooperation procedure. Any relevant and reasoned objection from a DPA will trigger dispute resolution before the EDPB, which must adopt a binding decision (by a two-thirds majority of its members or, failing that, a simple majority) before the DPC can finalize its own. This review process affords companies some much-needed time to assess their current transfer mechanisms and consider next steps. The individualized inquiry into Facebook’s specific data protection safeguards casts doubt on the likelihood of a per se prohibition on SCCs. However, the efficiency of adopting SCCs may be lost if your company must still prove up its entire data protection program to EU regulators.
Though options for EU-U.S. data transfers have been whittled down, there are still valid legal alternatives, with additional relief potentially on the horizon:
In Schrems II, the EU-U.S. Privacy Shield met the same fate as that of its predecessor, the Safe Harbor program. Undeterred by the failure of these last two “partial” adequacy decisions, the U.S. Department of Commerce and the European Commission are currently negotiating an “enhanced” Privacy Shield agreement to replace the version invalidated by the CJEU in Schrems II. Recognizing the disruption the Schrems II decision caused to EU-U.S. data flows, the European Union and United States are arguably more motivated now than ever before to implement a workable solution. Given the EU’s disdain for U.S. surveillance laws, though, this new iteration may, in the words of Max Schrems, eventually be subject to a “third beating” by the CJEU. In the background of the Privacy Shield negotiations, the landscape of U.S. data protection is changing rapidly, with new state-level legislation in California[1] and Virginia.[2] But state consumer privacy statutes do not constrain federal intelligence collection under Section 702 FISA or EO 12333, which is the CJEU’s actual objection. The key questions therefore seem to be whether new federal laws will address the EU’s surveillance concerns, and whether the protections will be consistent enough across all U.S. jurisdictions to enable a national-level agreement with the EU.
SCCs are not the only type of appropriate safeguards that companies can use to facilitate EU-U.S. data transfers. If data is being transferred within a group of undertakings, or between enterprises engaged in a joint economic activity, the transfer can be made pursuant to binding corporate rules (“BCRs”). To use BCRs, a company must adopt a set of internal rules, approved by the competent supervisory authority, that are legally binding upon every member of the group. While BCRs were not addressed directly in Schrems II, the EDPB’s guidance clarifies that the decision also applies to BCRs. Like SCCs, therefore, BCRs are effective only if the “essentially equivalent” standard can be met. Thus, the multi-year approval process for BCRs may not be worth undertaking if “additional safeguards” are required in any event.
Unlike BCRs, derogations were not impacted by the CJEU’s decision in Schrems II. Derogations can be used, for example, if the data subject has explicitly consented to the transfer after being informed of its risks, or if the transfer is necessary for the performance of a contract or to establish, exercise or defend a legal claim. While derogations have been viewed unfavorably in light of EDPB guidance that recommends limiting their use to “occasional” and “non-repetitive” transfers, recent statements by Dr. Thomas von Danwitz, the judge-rapporteur in both Schrems I and Schrems II, have sparked a renewed interest in their viability. In a speech given to the German Federal Ministry of the Interior on January 28, 2021, Dr. von Danwitz noted that derogations “have not been fully explored yet” and “are not so narrow that they restrict any kind of transfer, especially when we’re talking about transfers within one corporation or group of companies.” As such, companies may want to look closer at whether any of their EU-U.S. data transfers can be made pursuant to a derogation.
*Lara McMahon is a law clerk in our Washington DC office.
[1] See The California Consumer Privacy Act of 2018, as amended by The California Privacy Rights Act of 2020 (“CPRA,” Proposition 24), Cal. Civ. Code § 1798.100 et seq. (West). V&E’s coverage of the CPRA, including its impact on the CCPA, can be found here.
[2] The Virginia House of Delegates adopted the Virginia Consumer Data Protection Act (“VCDPA”), H.B. 2307, on January 29, 2021 and the Virginia Senate approved an identical companion bill, S.B. 1392, on February 5, 2021. Governor Northam signed the bill into law on March 2, 2021. V&E’s coverage of the VCDPA can be found here.