CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats
On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must be considered on a case-by-case basis in light of the circumstances of the particular transfer.
US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanisms such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).
EU companies transferring data to the US in the absence of a valid adequacy mechanism can face fines under the GDPR of up to €20 million or 4 percent of their annual worldwide turnover, whichever is higher. It remains to be seen whether EU Data Protection Authorities will grant a grace period to enable companies using Privacy Shield to put in place alternative arrangements (as occurred when the EU-US Safe Harbor program was invalidated).
Invalidation of Privacy Shield
The CJEU assessed the validity of the Privacy Shield adequacy decision in light of the requirements stemming from the GDPR and the European Charter of Fundamental Rights (“Charter”).
The Court decided that Privacy Shield does not constitute a valid data transfer mechanism on the basis that:
The European Commission Decision adopting Privacy Shield accepted the position that the requirements of US national security laws, public interest and law enforcement would take primacy over the protection of EU personal data, and that US surveillance programs would not be limited to what is strictly necessary in a democratic society;
There are no limitations under US law on the applicability of these programs to non-US persons, and such persons have no actionable rights against US authorities in respect of their data; and
The US Ombudsperson Mechanism referred to in the Decision does not provide EU data subjects with an effective right of redress.
The CJEU’s judgment comes almost five years after its invalidation of the EU-US Safe Harbor Program, Privacy Shield’s predecessor.
Conditional Blessing of the Standard Contractual Clauses
In contrast to its finding on Privacy Shield, the CJEU concluded that the European Commission’s Decision adopting the Clauses is valid because it establishes, in the Clauses themselves, conditions that are meant to ensure the protection of EU personal data from the surveillance practices of foreign governments that exceed what “is a necessary and proportionate measure in a democratic society.” This element of the Court’s judgment will come as a welcome relief to companies that rely on (or plan to switch to) the SCCs as their data transfer mechanism; however, the judgment signals a new emphasis on the specific obligations imposed by the Clauses on both the data exporter and importer to ensure that the data being transferred is processed in accordance with the fundamental rights guaranteed by the Charter. EU data exporters will need to assess whether the foreign recipient (including an affiliate or parent company, or a third party service provider) is able to comply with the SCCs in practice. If not, the data exporter may not enter into the SCCs or must suspend or terminate an existing agreement. Moreover, as the Court’s judgment points out, under the GDPR, national Data Protection Authorities in the EU have the power, and in fact are required, to suspend or terminate data transfers that, “in the light of all the circumstances of that transfer, [do not or cannot comply with] the standard data protection clauses” in a third country in cases “where the controller or a processor has not itself suspended or put an end to the transfer.”
The CJEU judgment makes clear that if the laws of a third country would meet an assessment for adequacy, there will effectively be a presumption that the SCCs as implemented are valid. With the invalidation of Privacy Shield, this presumption will no longer apply to EU-US transfers. As a result, the circumstances of each transfer will need to be evaluated on a case-by-case basis. A key consideration when assessing whether a given data transfer carried out pursuant to the SCCs is valid will be whether the personal data involved has been, or is likely to be, the subject of sweeping bulk data collection activities by US law enforcement or national security agencies under the US Foreign Intelligence Surveillance Act (“FISA”) or relevant Executive Orders or Presidential Directives.
Broader Implications of the CJEU’s Judgment
Although the issue before the CJEU was the transfer of data between the EU and the US, the implications of the Court’s judgment are far-reaching and could impact transfers between the EU and other “non-adequate” countries as well, including EU-China transfers and, post-Brexit, EU-UK transfers.
In response to the Court’s judgment, the European Commission has stated that it is preparing to review the existing adequacy decisions covering the following countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
In addition, the Commission is considering updates to the SCCs (which predate the GDPR) to reflect the GDPR, and will now also take the Court’s judgment into account as part of that assessment.
The European Data Protection Board (“EDPB”), consisting of all EU Member State Data Protection Authorities, has also announced that it will discuss the ramifications of the Schrems II decision at a plenary session on 17 July 2020. The EDPB will also play an important role in the review process for “modernizing” the SCCs and reviewing the existing adequacy findings of the Commission.
What Should Companies Do Now?
For Companies Using Privacy Shield
Assess the available alternatives under the GDPR, including SCCs, BCRs, bespoke data processing agreements approved by national Data Protection Authorities, specific derogations, etc. The range of options will depend on the types of data being transferred, the purposes of the transfer, whether technical measures are in place that make the data inaccessible in transit or at rest in the United States (hard encryption, tokenization, etc.), and various other factors. Although it is unclear whether there will be a grace period to allow time for the necessary transition, we would not expect national Data Protection Authorities to rush to take enforcement actions against companies using Privacy Shield for failure to immediately implement an alternative transfer mechanism.
For Companies that Rely On, or Plan to Shift to, SCCs
Take stock of the obligations imposed on data exporters and importers contained in the Clauses and consider whether the laws of the country where the data importer is located make it likely, under the particular circumstances of the data transfers in question, that the data importer will be unable to comply with its obligations. For data importers based in the United States, the immediate focus of concern is the extent to which the data importer is, or is likely to be, subject to FISA warrants or similar surveillance activities involving bulk data collection.
Keep in mind that the issues raised by the Court’s judgment will affect both internal data transfers within a corporate group and transfers between separate entities. As a result, many systems and processes may be affected, while others are unlikely to be.
It is also worth noting that transfers involving the use of subsea cables that are susceptible to national security intercepts enabling the bulk collection of data in transit may be at risk in light of the Court’s judgment. There are multiple references to the findings of the Irish High Court (which referred the matter to the CJEU) in regard to the obligations of communications providers to “allow the NSA to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a ‘selector’… [and thereby gain] access both to the metadata and to the content of the communications concerned.”
Evaluate Possible Avenues to Limit Transfers
Due to the uncertainties surrounding the use of the SCCs (and possibly BCRs) to legitimize transfers from the EU to countries that do not meet the “adequacy” criteria, it may be prudent to consider the costs and benefits of hosting and storing EU data locally where international transfers are not necessary. Alternatively, for data that does not need to be accessible to personnel or individuals based outside the EU (for example, if it is merely being stored in a non-EU location), technology solutions that are effective in blocking access to the personal data involved (e.g., strong encryption) may be sufficient to justify transfers that would otherwise fail to meet the new hurdles established by the CJEU’s judgment.
The judgment emphasizes that under the SCCs, the parties must assess on a case-by-case basis whether the SCCs are valid and, if they are not, stop or suspend the transfer in question and, further, that national Data Protection Authorities are required to enforce these requirements; however, it remains to be seen whether they will in fact do so in practice.
Prioritizing Next Steps
Regardless of what the future holds, the best immediate course of action is to re-examine your organization’s international data flows between the EU and the US as a matter of priority, to determine whether the applicable transfer mechanism is invalid (Privacy Shield) or potentially at risk (SCCs involving data categories that are, or are likely to be, subject to the bulk data collection practices of the US national security agencies). If so, companies will want to evaluate the feasibility of alternative transfer mechanisms, such as Binding Corporate Rules, and potentially evaluate any available technology solutions.
Because the Court’s decision is not limited to EU-US data transfers, this assessment should, as a second order of priority, be extended to review EU personal data transfers to countries whose governments are engaged in similar types of surveillance practices. Contingency planning regarding the position on EU-UK transfers after the end of this year should also be carried out in light of the reduced likelihood of an adequacy finding post-Brexit.