As previously advised, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a lengthy and detailed opinion invalidating the EU-U.S. Privacy Shield. The decision required immediate changes in the transfer of “personal data” between the European Union (EU) and the United States.
The General Data Protection Regulation (GDPR) was approved by the EU in 2016 and dramatically enhanced protections for EU personal data, including:
The GDPR limits transfers of personal data of EU citizens outside the EU to only those countries that have the same level of data protection as the EU. Until the Schrems I and II decisions, businesses could transfer EU personal data into the U.S. under government-defined data protection regimes called the EU-U.S. Safe Harbor, and later the Privacy Shield.
The U.S. Safe Harbor was initially challenged and invalidated by the CJEU in a case against Facebook, commonly referred to as “Schrems I.” Schrems brought a second action challenging the suitability of the EU-U.S. Privacy Shield, which was created to address the Safe Harbor issues. The CJEU’s July 16 “Schrems II” opinion invalidated the Privacy Shield but left open the use of GDPR “standard contractual clauses.”
Schrems II generally follows Schrems I in finding that there are insufficient protections against U.S. intelligence and/or law enforcement agencies obtaining personal data of EU citizens. The most significant difference is that Schrems II recognized privacy as a fundamental right of EU citizens – tantamount to an individual liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that is now generating additional guidance by EU data privacy agencies (DPAs) and enforcers, which further impacts how businesses can transfer personal data of EU data subjects going forward.
Various U.S. and EU officials initially made announcements that contractual GDPR privacy protection clauses – called “standard contractual clauses” – could still be used for the transfer of personal data between the EU and the U.S. Unfortunately, EU DPAs and EU enforcement officials are now issuing guidance advising that changes will be required in standard contractual clauses to protect the fundamental privacy right of EU citizens delineated in Schrems II from the perceived privacy threat from U.S. intelligence and law enforcement agencies.
Many U.S. businesses have utilized standard contractual clauses for the transfer of personal data from the EU. While the Schrems II opinion did not expressly invalidate the use of standard contractual clauses, it did establish that EU supervisory authorities are obliged to assess the compliance of such clauses within non-EU countries.
Immediately following Schrems II, the Data Protection Commission in Ireland and the Federal Commissioner for Data Protection in Hamburg, Germany, issued pronouncements questioning the adequacy of standard contractual clauses for transfers of existing EU personal data to the U.S.
On August 24 the DPA for Baden-Württemberg, Germany issued additional guidance on protections needed in standard contractual clauses for transfers of EU personal data to the U.S. More specifically, the German DPA recommended that standard contractual clauses for transfers from the EU to the U.S. include 1) the use of encryption where “only the data exporter has the key and which cannot be broken by US intelligence services;” and 2) anonymization of personal data that can only be correlated back to the data subject by the data exporter. The German DPA even provided a compliance checklist of recommendations, which mirrors recommendations that Bradley has previously provided to minimize cybersecurity risks:
The Belgian DPA issued similar guidance on August 31, and other EU DPAs are likely to issue additional guidance in the coming months. We will continue to monitor for such announcements and provide updates accordingly.
In addition to the actions and guidance from EU regulators, there is already an effort to address the issue from a U.S. federal regulatory perspective. On September 3, the EU Justice Commissioner, speaking on behalf of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, advised that the EU is working with the U.S. to develop solutions for required protections – though from a U.S. perspective no action is likely until after the U.S. election in November.