May 8, 2021

Volume XI, Number 128

Advertisement

May 07, 2021

Subscribe to Latest Legal News and Analysis

May 06, 2021

Subscribe to Latest Legal News and Analysis

CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.

Brief Background

The Schrems II case followed closely on the heels of the CJEU’s decision in Schrems I (October 2015), which invalidated the EU-US Safe Habor Framework. In Schrems I, a key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred. Schrems II then challenged the validity of SCCs for similar reasons advanced in Schrems I. The EU-US Privacy Shield was adopted in July 2016.

CJEU Decision

With regard to the SCCs, the CJEU judgment mainly followed the CJEU’s Advocate General’s non-binding opinion published on December 19, 2019. The CJEU stated that the SCCs provide sufficient protection for EU personal data, but emphasized the fact that EU organizations relying on them have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU noted that organizations may implement additional safeguards, over and above those contained in the SCCs – although it is unclear what those safeguards might include. The ruling also highlights the role that supervisory authorities should take in assessing and, where necessary, suspending and prohibiting transfers of personal data to an importing jurisdiction. Many anticipate that this decision will result in modifications to the standard contractual clauses, something that had been under discussion prior to the decision (as the SCCs predate GDPR).

While the CJEU AG’s view was that the CJEU is not required to rule on the validity of the EU-US Privacy Shield in the context of Schrems II, as it was not specifically requested to consider this question, the CJEU decided to examine and rule on the validity of the framework.  In finding the Privacy Shield invalid, the CJEU took the view that “the limitations on the protection of personal data arising from [U.S. domestic law] on the access and use by U.S. public authorities […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” The CJEU also found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before the courts against the US authorities.

Putting it Into Practice: Companies who engage in transfers of personal information from the EU to the US will want to look at the basis on which they engage in that transfer. For those US companies who are Privacy Shield participants, keep in mind that although the EU has “invalidated” the program from the EU perspective, the program is a US-run one and still exists. We thus anticipate direction coming soon from the Department of Commerce regarding how to address participation and reference current Shield participation.  In the meantime, changes in the basis for transfer will need to be made (such as standard contractual clauses). We also anticipate, however, modifications to the standard contractual clause regime, and will be watching those developments closely. Given the EU’s concern around disclosures to the US government, companies may also want to review this aspect of their policies, procedures and data protection agreements.

Advertisement
Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 198
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Partner

Craig Cardon serves as Co-chair of Sheppard Mullin’s Privacy & Data Security Group and as the International Liaison for the firm’s China offices. Craig is a partner in the Entertainment, Technology and Advertising and the Intellectual Property Groups in Sheppard Mullin's San Francisco and Century City offices.

Areas of Practice

Craig enjoys a broad advertising, privacy and ecommerce focused practice. He primarily represents brands, retailers, ad agencies, ad networks and other business involved in...

310-228-3749
Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group
Associate

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...

415.774.2999
Oliver Heinisch, Sheppard Mullin, Antitrust Regulation Lawyer, Fair International Competition Attorney,
Partner

Oliver Heinisch is a partner in the Antitrust and Competition Practice Group in the firm's London office.

Mr. Heinisch advises on all areas of EU, UK and German competition law with a focus on international cartel and abuse of dominance procedures including related antitrust litigation matters as well as merger control law. He has substantial expertise in advising on the interface between intellectual property and competition law mainly in the context of complaint cases, investigations of competition authorities and intellectual property...

32 (0) 2 290 7904
Advertisement
Advertisement