European Court of Justice Declares the EU-U.S. Privacy Shield Invalid and Provides Additional Obligations on Companies Using Standard Contractual Clauses
On July 16, 2020, the Court of Justice of the European Union (CJEU) announced its judgment in the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States. However, it held that standard contractual clauses (SCCs) for the transfer of personal data from the EU to countries outside the EU remain valid but stated that companies relying on SCCs have several obligations to ensure compliance with EU data protection requirements.
The origins of the case trace back to a complaint lodged by Maximillian Schrems, an Austrian citizen, with the Irish Data Protection Commissioner. Schrems sought to prevent the transfer of personal data from the EU to the United States under the Safe Harbor Framework. After further legal action, on October 6, 2015, the CJEU decided in his favor and held that the European Commission decision finding that the Safe Harbor Framework provided adequate protections for personal data transferred from the EU to the United States was invalid.
The Privacy Shield replaced the Safe Harbor Framework and became operational in August 2016. Together with SCCs, it is a frequently used mechanism for employers to transfer personal data outside of the EU.
What happened in this case?
Despite progress in the functioning of the Privacy Shield program, as reported by the European Commission in its third annual review published on October 23, 2019, the CJEU has ruled that the Privacy Shield is not legally valid, for reasons similar to those behind its decision to declare the Safe Harbor Framework invalid. This is primarily due to concerns over the access that U.S. intelligence agencies have to EU data.
Some of the court’s key findings were that (i) U.S. national security, public interest, and law enforcement take precedence over, and therefore condone interference with, the fundamental rights of persons whose data is transferred to the United States, (ii) U.S. surveillance programs are not limited to what is strictly necessary, and (iii) there is insufficient judicial protection for individuals, in that the mechanisms available to them are not binding on U.S. intelligence agencies and are not equivalent to the standard that exists in the EU.
In better news for employers, and in line with the non-binding recommendation of the Advocate General of the CJEU, published on December 19, 2019, the CJEU confirmed that SCCs continue to be a valid tool for the transfer of data. However, it highlighted that the obligation remains on data controllers to assess the level of data protection afforded by the country to which the data is being transferred. Specifically, data controllers must take the following actions:
In collaboration with data processors and data subjects, where possible, data controllers must determine whether the data protection laws of the recipient country fail to provide adequate protection for data subjects and take measures to compensate for such failings that are in addition to the protections afforded by the SCCs. These measures include ensuring that data subjects have enforceable data subject rights and access to effective legal remedies.
Data controllers must suspend or end the transfer of data from the EU to the United States where the data controller or data processor cannot take such additional measures to guarantee adequate protections.
U.S. Reaction to the Ruling
Secretary of the U.S. Department of Commerce Wilbur L. Ross, Jr. issued a statement on the Schrems II ruling stating that, “the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield” but that the Department is “still studying the decision to fully understand its practical impacts.” Further, Secretary Ross stated:
The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.
Impact on Other International Data Transfers
Although the Schrems II decision only applies to the EU-U.S. Privacy Shield Program, it is expected that the Swiss data protection commissioner will soon discontinue the Swiss-U.S. Privacy Shield program, which is based on the EU-U.S. Privacy Shield program. Indeed, the Swiss commissioner discontinued the Swiss Safe Harbor Framework soon after the European Court of Justice invalidated the EU Safe Harbor Framework in 2015.
Further, several countries outside of the EU have either recognized the EU SCCs or adopted model contract clauses similar to the EU SCCs as legal mechanisms for transferring data to other countries. These countries may now require data controllers to conduct country-specific data protection law assessments and provide additional safeguards for any deficiencies as outlined in the Schrems II decision.
What does this mean for employers?
The immediate consequence of the decision is that companies that rely on the Privacy Shield can no longer do so on the presumption that it provides adequate protections. It also means that a transfer of personal data under the Privacy Shield may be subject to complaints by employees and customers, investigations by individual data protection authorities, and possible enforcement actions and penalties.
Given the U.S. government’s position, companies already certified under the Privacy Shield may want to carefully evaluate their position before discontinuing their participation in the program. While the court’s decision has immediate effect, it is anticipated that the EU will provide some sort of grace period, as it did when the Safe Harbor Framework was invalidated in 2015, to permit Privacy Shield-certified companies to convert to another legal transfer mechanism or to allow the United States and EU to negotiate a replacement for the Privacy Shield.
Companies that rely solely on the Privacy Shield may want to review other legal means to transfer personal data and may now need to put contractual clauses in place with entities in the EU, based on an assessment of the relevant countries’ data protection laws and the provision of additional safeguards. Although these steps are potentially more burdensome than current practices, they are achievable for most employers in relation to transfers within the corporate structure. These steps, however, will likely prove more difficult to achieve in relation to transfers of data from third-party entities. Other options include binding corporate rules that permit intracompany transfers or using the derogations provided by the General Data Protection Regulation (GDPR), including transferring information in connection with entering into or administering a contract, or obtaining consent from individuals. However, these options may be difficult and costly to achieve, and the EU supervisory authorities have indicated that employers cannot rely upon the consent of employees because the unequal bargaining power between employers and employees means that employees cannot provide voluntary consent.
Additionally, employers that rely on SCCs to transfer data from the EU may want to develop an assessment process to determine the adequacy of the data protection laws of the countries to which EU data is transferred and implement additional safeguards to remedy any deficiencies in the data protections afforded by the recipient countries.
It is hoped that further guidance from the European Commission or the U.S. Department of Commerce will soon be provided, and ultimately this decision may lead to a change in U.S. surveillance laws or the monitoring practices of U.S. intelligence agencies. However, that is perhaps unlikely to occur in the short term.
In the meantime, companies are required to continue to ensure that their privacy practices and procedures comply with the requirements of EU data protection laws when they implement alternate transfer methods.