Compliance for EU-US Data Transfers After Schrems II CJEU Decision Strikes Down Privacy Shield
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) released its decision in the Schrems II case (Data Protection Commission v. Facebook Ireland, Schrems), upholding the European Commission’s Standard Contractual Clauses (the “SCCs”) for the transfer of personal data outside the European Union (EU) as valid, but striking down the Privacy Shield Framework in the process. The reasoning given for striking down the Privacy Shield Framework was that U.S. authorities’ access to EU personal data was not limited enough to provide protection equivalent to that available in the EU, and that EU individuals did not have actionable rights before a body offering guarantees equivalent to those required under EU law.
Negotiated in 2016 between the U.S. Department of Commerce, the European Commission and the Swiss Administration, the Privacy Shield gave companies a means of transferring personal data across the Atlantic while adhering to EU data protection law prior to the GDPR (General Data Protection Regulation). The Privacy Shield remained in use after May 2018, when the GDPR went into effect. Roughly 4,000 U.S. companies used the Privacy Shield as a means to transfer personal data between the U.S. and the EU. After the CJEU decision invalidating the Privacy Shield, those companies need to find another lawful basis for transferring data across the Atlantic.
Kenneth Dort, a partner with Faegre Drinker who has spent over 30 years at the intersection of law and technology and advises companies on data privacy and cybersecurity concerns, spoke with the National Law Review about the CJEU decision in Schrems II.
What are the main compliance concerns for companies affected by the CJEU decision invalidating the US-EU Privacy Shield? What, in your view, are the major consequences of this decision?
The main compliance concerns are two-fold. First, businesses relying on the Privacy Shield for data transfers from the EU to the U.S. now lack the protective devices mandated by the GDPR. Because the decision did not provide for any grace period, they must adopt replacement measures immediately. Second, for those businesses relying on EU Standard Contractual Clauses (SCCs), the decision called into question their viability in light of questions over their ability to protect EU personal data against national security inquiries by the U.S. federal government. Thus, the major consequence of the decision for businesses transferring data into jurisdictions lacking an adequacy determination (such as the U.S.) will be the need to implement recognized protocols that address the national security issues raised in the decision and which also satisfy EU data protection authorities.
It appears some of the CJEU’s reasoning goes back to Schrems I: some of the concern is that EU individuals do not have actionable rights before the courts against U.S. authorities, or that EU individual privacy rights are not adequately protected. Does this put pressure on U.S. authorities to provide greater privacy protections in the U.S.?
The Schrems II decision has its foundation in Schrems I – particularly as to the CJEU’s concerns about the ability of the Privacy Shield and SCCs to protect EU personal data held by U.S. businesses from investigations by the U.S. federal government that would otherwise be in violation of the GDPR. The problem in the U.S. is that U.S. businesses receiving national security letters or other such federal investigative actions are often precluded from contacting the investigation targets about the inquiry – which is contrary to the transparency principles of the GDPR. Thus, should a U.S. business attempt to address this concern by agreeing contractually to make such a notification, it could be putting itself at risk of violating U.S. national security law. Therefore, while the decision might conceptually put pressure on the U.S. federal government to modify U.S. law in this regard, so far no such action has materialized.
Along with the Privacy Shield being invalidated, the SCCs are now subject to a higher level of enforcement and require more contractual safeguards: what would those look like? Is there any guidance on what those safeguards need to be? How feasible is this avenue as a process for data transfers going forward?
As noted above, the additional safeguards raised in the CJEU’s decision may put U.S. businesses in a difficult position between their EU clients (the data transferors) and their legal obligations under U.S. national security law. First, companies should carefully determine whether they handle personal data at all – and if they do not, these issues disappear. However, if personal data is being transferred, a careful analysis should be performed to determine if the transfer is actually necessary, and if not, minimize the scope of the transfers. Finally, if personal data transfers are at issue, then affected U.S. businesses need to confer with their EU controllers to determine what measures can be taken to satisfy both the controllers and their specific data processing agreements (“DPAs”). Depending on the stridency of the DPA, some transfers to the U.S. may have to cease.
Article 40 of the GDPR encourages the implementation of Codes of Conduct for data: is this a possible way for U.S. companies to achieve compliance with the GDPR now that the Privacy Shield is invalidated?
While codes of conduct are possible avenues for U.S. businesses and their EU counterparts, they will still face the same compliance difficulties noted above. As a result, their effective ability to address the issues raised in Schrems II is questionable at this time.
Many thanks to Mr. Dort for his expertise on this developing topic. The National Law Review follows developments related to Schrems II, and other cybersecurity and privacy stories, on its Cybersecurity resource page.