European High Court Invalidates EU-U.S. Privacy Shield but Upholds Standard Contractual Clauses with Additional Safeguards
What Businesses Need to Know At-a-Glance
Privacy Shield is invalid because U.S. surveillance programs permit unrestricted processing of EU data subjects’ personal data and U.S. law provides little recourse for EU data subjects.
Standard Contractual Clauses are still valid, but exporting data controllers and supervisory authorities must determine if the law in the data importer’s country can provide adequate privacy protections, possibly with additional safeguards, and if not, must stop the transfer of data.
What Businesses Should Do Now
Organizations that previously relied on Privacy Shield should immediately switch to some other lawful method, including Binding Corporate Rules, one of the derogations, or the Standard Contractual Clauses.
Organizations that currently use or switch to Standard Contractual Clauses should be prepared for requests to accept contractual obligations that include additional safeguards.
Continue to review guidance from supervisory authorities and conduct regular audits for compliance with your data security obligations. The use of Standard Contractual Clauses for transfers to the U.S. and other countries may be at risk if data controllers or supervisory authorities determine that no measures can provide adequate safeguards to overcome government surveillance programs and the lack of effective redress mechanisms for EU data subjects.
Continue to protect, in compliance with the Privacy Shield, any data that was imported under it. Failure to do so may subject an organization to an investigation by the Federal Trade Commission or a state attorney general’s office for unfair or deceptive acts or practices.
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its anxiously-awaited judgment in the Schrems II case. The CJEU’s decision upheld the Standard Contractual Clauses (SCCs) but, somewhat surprisingly, invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield). Consequently, and effective immediately, the transfer of personal data from the European Economic Area (EEA) to the U.S. based on the Privacy Shield is no longer lawful under EU law. Businesses that have relied upon the Privacy Shield must immediately review their processes and adopt another method of transferring personal data from the EEA, including using SCCs with supplemental business clauses designed to provide additional safeguards to protect personal data.
The Schrems II decision marks the second time that the CJEU invalidated the data transfer mechanism developed between the U.S. and the EU.[1] About 5,000 companies had participated in the Privacy Shield to enable the transfer of personal data from the EEA to the U.S. The decision calls into question the ability of organizations to share personal data from the EEA with organizations located in the U.S., as well as other countries, based solely upon an adequacy decision from the European Commission regarding a voluntary contractual framework without the adoption of broader privacy laws that protect the rights and freedoms of data subjects in jurisdictions outside the EEA. The gathering and processing of such personal data by U.S. intelligence services for asserted national security, public interest, and other law enforcement purposes further complicates any transfer. The decision by the CJEU to invalidate the Privacy Shield came as a surprise in light of the report from the European Commission stemming from its annual review of the Privacy Shield in October 2019, which confirmed that the Privacy Shield provided an adequate level of protection. While the report identified additional steps for improvement, observers did not expect the Court would invalidate the Privacy Shield wholesale. Ultimately, the Schrems II decision may put pressure on non-EEA jurisdictions to adopt national privacy and security standards.
Max Schrems filed a complaint (Schrems II) with the Irish Data Protection Commissioner in October 2015, which alleged that Facebook, Inc.’s use of the SCCs to lawfully transfer data from the EEA to the U.S. failed to provide an adequate level of protection. The case was brought when Facebook turned to the SCCs to transfer the personal data to the U.S. on the heels of the CJEU’s decision in the first Schrems case (Schrems I) to invalidate the U.S.-EU Safe Harbor Framework.
The allegations in Schrems II were similar to those in Schrems I. In particular, Schrems claimed that the U.S.-EU Safe Harbor Framework failed to adequately protect the personal data of EU data subjects, alleging that the SCCs were invalid for transfers to the U.S. because they failed to provide an adequate level of protection. More specifically, Schrems claimed that U.S. privacy laws do not limit the U.S. government’s ability to access and process personal data from EU data subjects to only when such access and use is strictly necessary. He also claimed that the U.S.-EU Safe Harbor Framework failed to provide a remedy to EU data subjects whose privacy rights may have been violated due to their information being transferred to the U.S.
Following the filing of Schrems II, the Irish Data Protection Authority brought a case against Facebook in the Irish High Court. The Irish High Court referred 11 questions to the CJEU for a preliminary ruling, most of which addressed the validity of the SCCs as a transfer mechanism but also touched upon the validity of the Privacy Shield.
Preliminary Non-binding Opinion by Advocate General
In December 2019, the Advocate General (AG) of the CJEU issued a non-binding opinion in Schrems II in which the AG recommended that the CJEU uphold the validity of the SCCs. The AG indicated that the laws and practices of the country receiving personal data subject to the SCCs were not relevant to determining whether the SCCs themselves offered an adequate level of protection. The AG also suggested that the fact that the SCCs are not binding on government authorities in the recipient countries does not, by itself, mean that the SCCs fail to provide sufficient safeguards over the processing of personal data in those countries. Instead, the AG indicated that the SCCs provided adequate safeguards through the provisions requiring the suspension of data transfers if the data importer was unable to comply with the protections under the SCCs due to local laws and practices. The AG also noted that additional protection is provided in the EU’s General Data Protection Regulation (GDPR) because the supervisory authorities can temporarily or permanently suspend transfers to a receiving country. Moreover, the AG noted the need for a pragmatic approach to allow continued interaction with other parts of the world while still recognizing the EU’s fundamental privacy values.
The AG noted in the opinion that the validity of the Privacy Shield was not at issue in Schrems II. However, he nevertheless raised some concerns regarding the ongoing validity of the Privacy Shield. In particular, he raised concern that the Ombudsman, appointed as required under the Privacy Shield to address concerns over personal data processed by U.S. intelligence services, did not satisfy the requirement of judicial independence. He further noted that the Ombudsman did not provide an effective means for individuals, whose personal data may be accessed and used by U.S. intelligence services, to challenge the use of, correct, or otherwise request the deletion of such personal data.
Final Judgment by CJEU
Although the AG declined to provide any recommendation on the validity of the Privacy Shield since it was not directly at issue in the Schrems II proceedings, the CJEU decided to address its validity. The CJEU took issue with surveillance programs based on Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and U.S. Executive Order 12333, finding that these programs do not provide data subjects in the EU a level of protection essentially equivalent to those guaranteed in the Charter. The CJEU found that Section 702 and Executive Order 12333 failed to limit the use of personal data by U.S. intelligence services to the extent strictly necessary for the surveillance program or to provide an effective remedy to EU data subjects in ways that would be essentially equivalent to the limits under EU law. In striking down the Privacy Shield, the CJEU stated that “the limitations on the protection of personal data arising from the domestic law of the U.S. on the access and use by U.S. public authorities of such data transferred from the EU to the U.S., which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law.”
The CJEU did, however, uphold the use of the SCCs as a lawful method to transfer personal data outside of the EU while, at the same time, reminding EU-based organizations that they are required to take a proactive role in evaluating whether or not there is, in fact, an adequate level of protection provided in the country receiving the personal data prior to any transfer. The CJEU indicated that a personal data exporter might need to implement additional safeguards beyond those contained in the SCCs to ensure that personal data is provided with an adequate level of protection. However, the CJEU did not elaborate or provide any significant guidance on what additional safeguards may be necessary or what further measures may be required to ensure that an adequate level of protection has been provided to allow for the export of personal data from the EEA into the U.S.
Consistent with the AG’s non-binding opinion, the CJEU also indicated that the SCCs require personal data importers to inform personal data exporters in the event there is an inability to comply with the SCCs. Upon such notification, the data exporter must temporarily or permanently suspend the transfer of personal data and/or terminate the applicable agreement if there are no other safeguards that can be implemented to ensure an adequate level of protection for the personal data.
The CJEU also reminded supervisory authorities of their obligations to assess and possibly suspend or prohibit the transfer of personal data when a supervisory authority believes that the SCCs are not, or cannot be, complied with for exports to a particular country and there are no other means of protecting the personal data transferred. This suggests that different supervisory authorities may come to different conclusions regarding the adequacy or even availability of additional measures that may be necessary to permit the transfer of personal information from the EU to the U.S.
Note that this decision by the Court did not affect the Swiss-U.S. Privacy Shield. However, that does not mean that it is safe from invalidation. The Swiss Federal Data Protection and Information Commissioner has indicated that the decision is being examined at this time.
Impact on Businesses
While many U.S. companies that had sought compliance with the Privacy Shield had implemented SCCs as an alternative means for transfer, having been jilted by the invalidation of the U.S.-EU Safe Harbor Framework, many other companies did not. What this means for now is that, for some companies, it is substantially business as usual. However, many companies will need to evaluate other lawful means to continue transferring personal data to the U.S.
This ruling has impacted businesses of all sizes. However, small to medium-sized companies are being particularly hard hit by this, as some may not have sought out or been able to obtain multiple means of lawfully transferring personal data to the U.S. Those companies that went all-in on the Privacy Shield are now left to quickly implement a new lawful means of transfer. As we saw with the invalidation of the U.S.-EU Safe Harbor Framework, this ruling has the ability to wreak havoc on business throughout the world and could disrupt the multi-billion-dollar trans-Atlantic digital economy. The timing of this decision comes when many businesses are already struggling with the effects of COVID-19.
Organizations previously relying on the Privacy Shield to transfer personal data outside of the EU should immediately switch to one of the other lawful methods for such transfers. These include relying on existing Binding Corporate Rules (BCRs), if any, or one of the derogations enumerated in the GDPR such as when the transfer is necessary to perform under a contract. However, the quickest option for organizations that may not be able to rely upon these methods could be to immediately execute applicable SCCs containing supplemental “business issues” clauses that incorporate additional safeguards to ensure an adequate level of protection. While the CJEU did not elaborate on what additional safeguards may be considered adequate, they are likely to require a data importer to submit to, and the data exporter to conduct, an audit to confirm the data importer’s compliance with privacy obligations (including those in the SCCs) at least annually. Additional safeguards may also include requirements for the data importer to notify the data exporter, to the extent possible, when it receives a court order to provide personal data to the U.S. government, allowing the data exporter to object to or minimize the scope of such a court order to protect the rights of the applicable data subjects.
While the CJEU has confirmed the validity of the SCCs for data transfers to non-EU countries, it will now be critical for companies to evaluate the ruling and its implications. Relying upon the SCCs should not be viewed as a simple solution for replacing the Privacy Shield. As a result of this ruling, all eyes are now on the SCCs. Companies will be under increased scrutiny to ensure they have properly executed the SCCs and comply with them.
Since Data Protection Authorities (DPAs) from each EU Member State are “required to suspend or prohibit a transfer of personal data to a third country where . . . the standard data protection clauses . . . cannot be complied with . . . and that the protection of the data transferred . . . cannot be ensured by other means”, the validity of the SCCs, on a Member State by Member State basis, could be in jeopardy. The Court upheld the validity of the SCCs because each Member State’s DPA has the independent ability to reach its own determination as to the appropriateness and effectiveness of the SCCs for data transfers under its own laws. However, if the Court invalidated the Privacy Shield due to the U.S.’ perceived inability to comply with such laws, it would not take a stretch of the imagination for some DPAs to reach a similar conclusion, thereby invalidating the SCCs and suspending or prohibiting the transfer of data to the U.S. If this happens, there is the possibility that Europe could start to resemble the U.S. with a patchwork or sectoral approach to data protection, leading to forum shopping for data protection obligations.
Even though the Privacy Shield was invalidated, any data importer that relied upon the Privacy Shield as part of such importation remains liable to comply with its obligations thereunder as per the terms of the Privacy Shield and any supplementary promises made. Any failure to comply, or any misrepresentation of one’s compliance, may subject a company to an investigation by the Federal Trade Commission or a state attorney general’s office for unfair or deceptive acts or practices.
Finally, if appropriate, companies may consider establishing an EEA-based data center option that is sectioned off from U.S. access. Companies, especially those that are an “electronic communication service provider” or otherwise subject to U.S. surveillance laws, are likely to be initial targets of enforcement and investigation by the European authorities.
Effective immediately, the transfer of personal data from the EEA to the U.S. based on the Privacy Shield is no longer lawful under EU law. Businesses should immediately switch to another method of transferring personal data from the EEA, including using SCCs with supplemental business clauses designed to provide additional safeguards to protect personal data. However, the scope of acceptable additional safeguards, and how such safeguards may vary between the various supervisory authorities, remains unclear. At a minimum, data importers that process personal data in the U.S. should immediately implement annual audits and an ability to object to or otherwise limit the disclosure of personal data to U.S. government officials requested as part of surveillance programs. Data exporters should also include an affirmative obligation for data importers into the U.S. to provide notice in the event that either compliance with the SCCs cannot be guaranteed or the data importer cannot provide an adequate level of protection for personal data, together with a right for the data exporter to immediately terminate the contract with no further expenses, costs, or liabilities. Organizations should also continue to look for any further guidance from applicable supervisory authorities, including any guidance that prohibits the transfer of personal data to the U.S. based on a finding that no additional safeguards are available to protect the personal data adequately.
[1] The first came in October 2015, when the Court invalidated the U.S.-EU Safe Harbor Framework. At the time, more than 7,000 companies had relied on the U.S.-EU Safe Harbor Framework to lawfully transfer personal data from the EEA to the U.S.