On July 16, 2020, the Court of Justice of the European Union (“CJEU”) turned the privacy world upside down by invalidating the EU-US Privacy Shield as a mechanism to legitimize cross-border data transfers. Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18. The decision affects thousands of companies relying on the Privacy Shield and, more broadly, those companies whose business depends on EU-US data flow.
European privacy and data protection laws require cross-border data transfers to be conducted under approved mechanisms to ensure that the personal data of EU persons (“EU data subjects”) are equally protected in third countries. Two popular mechanisms for such transfers are the Standard Contractual Clauses (“SCCs”) approved by the European Commission in 2010 and the EU-US Privacy Shield, which was bilaterally negotiated between the European Commission and the U.S. Department of Commerce. A published list of 5,391 companies, a significant number of them small or medium enterprises, rely on the EU-US Privacy Shield to legitimize their transfer of EU personal data to the United States.
Privacy advocate Maximillian Schrems filed a complaint with the Irish Data Protection Commission (IDPC) contending that Facebook Ireland Ltd. violated his privacy rights by transferring his personal information to Facebook Inc. in the United States using the 2010 controller-to-processor SCCs established by the European Commission. During the pendency of the case, the EU-US Privacy Shield was negotiated and adopted by the European Commission through an adequacy decision. The IDPC brought the case before the High Court of Ireland, which in turn referred it to the Court of Justice of the European Union seeking a preliminary ruling.
The Irish High Court referred eleven specific questions to the CJEU. The CJEU's principal holdings were as follows.
First, the CJEU held that EU law, and in particular the GDPR and the Charter of Fundamental Rights (“Charter”), applies to transfers of personal data from a commercial entity established in Europe to another commercial entity that is in a third country, even if the data may be accessed by the authorities of the third country for national security and public safety reasons. The fact that such authorities may have access to the data does not prevent the transfer per se.
The important question is whether the transfer can be supported by a mechanism with safeguards, rights, and remedies such that the EU data subjects are given a level of protection that is essentially equivalent to what is guaranteed to them under the GDPR. In assessing the level of protection, both the contractual requirements and the legal system of the importing third country, including any access to the data by public authorities, should be considered. Whether a mechanism, such as the SCCs, is valid depends on whether it includes effective controls to ensure compliance with the level of protection required under EU law, and whether transfers will be suspended or prohibited where compliance is impossible or where the controls in the contract are breached.
The CJEU found that the SCCs obligate the parties to verify that compliance is possible under the laws of the importing third country prior to the transfer. If compliance is not possible, the data importer must inform the data exporter of the inability to comply with the contractual clauses, whereupon the data exporter must suspend the transfer or terminate the contract with the importer.
In light of the “essentially equivalent” standard, the CJEU examined the Privacy Shield and concluded that it did not meet the requirements arising from the GDPR, read in light of the Charter’s guarantee of respect for private and family life, personal data protection, and the right to judicial protection. Specifically, the Privacy Shield provides that the requirements of US national security, public interest, and law enforcement have primacy to the detriment of EU data subjects’ fundamental right of privacy. The CJEU found access by US national security agencies was not limited to what is strictly necessary, and failed to grant EU data subjects actionable rights before courts against US authorities. Although the Privacy Shield provided a process for complaint and review under an Ombudsperson as a remedy, the CJEU did not find this to be an equivalent remedy to those required by EU law.
Addressing the responsibilities of the supervisory authorities of the EU member states, the CJEU confirmed that these agencies are required to suspend or prohibit a transfer if, in light of all the circumstances of that transfer, the SCCs are not or cannot be complied with in the importing third country and the protections guaranteed by EU law cannot be ensured by other means. However, where the European Commission has adopted an adequacy decision for the importing third country, a supervisory authority cannot set that decision aside on its own; if it considers the decision invalid, it must bring the matter before the national courts so that the question can be referred to the CJEU, which alone may declare an adequacy decision invalid.
What does this mean for companies?
Immediately, the 5,391 companies that relied on the Privacy Shield as a mechanism to legitimize their data transfers from the EU must identify another means to support their cross-border data transfers. While there are mechanisms other than the SCCs, such as binding corporate rules and the derogations provided under the GDPR, in practice most companies will turn to the SCCs due to the drawbacks of the other mechanisms: binding corporate rules are costly and time-consuming to put together, and require the approval of the competent data protection authority in the EU; and the derogations provided under the GDPR, such as explicit consent and the necessity to fulfill a contract, are not intended to support regular and ongoing transfers of data.
While the Court of Justice affirmed the validity of SCCs, the decision also made clear that parties who use SCCs as a mechanism for transfer must ensure that the subjects of the EU personal data being transferred receive essentially the equivalent protections they would receive in Europe. If such equivalence cannot be achieved, the SCCs cannot be used to legitimize the transfer. Therefore, companies can no longer take a “sign it and forget it” attitude towards the SCCs. If the requirements of the executed SCCs are not met, the data transfer is invalid and the companies risk exposure to significant fines under GDPR.
Data exporters must undertake a case-by-case assessment prior to any data transfer. With the cooperation of their importing partners, data exporters must understand the requirements under the SCCs and the specific circumstances of the particular data transfer to ensure that all contractual requirements can be met. They must add supplemental controls if the protections are found to be insufficient. This assessment must also take into account the data protection legal regime of the importing third country. The assessment and steps taken to comply with the SCC requirements should be well documented.
Many have questioned whether compliant transfers are possible in light of current US surveillance laws. While this remains an undecided issue, it is important to note that these laws, for example FISA Section 702, apply to particular industries such as electronic communications, including telecommunications carriers, providers of electronic communication services, remote computing services, and other communication service providers who have access to wire or electronic communications. 50 U.S.C. §1881 et seq. For companies that are not in those industries, or companies that do not regularly receive FISA requests for data, compliance with the SCCs is possible and reliance on them for cross-border data transfers is less likely to raise US surveillance issues.
Over the next weeks and months, the European Commission and the European Data Protection Board will be issuing new guidance on compliance, and will address any additional measures that should be included in the SCCs. These agencies and the U.S. Department of Commerce are also exploring a resolution so that the data flows that support the $7.1 trillion transatlantic economic relationship continue without significant interruption.