In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court, the Court of Justice of the European Union (“CJEU”), ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available to US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCCs”) (a form of international data transfer agreement made available for use by the European Commission).
Under the EU’s and the UK’s main data privacy law – the General Data Protection Regulation (“GDPR”) – organizations cannot transfer personal data from the EU and UK to countries (including the US, China and India) that have not yet been deemed by the EU to provide adequate protection for personal data, unless one of the legal transfer mechanisms approved under the GDPR applies to the transfer. While the Privacy Shield program and SCCs are not the only approved legal transfer mechanisms under the GDPR, they are perhaps the most widely used and, as a result, a key facilitator of international trade and cross-border data flows (particularly on either side of the Atlantic). Yet in Schrems II – which is effective immediately – the CJEU invalidated the Privacy Shield program (used by over 5000 organizations) as a mechanism enabling transfers of personal data to the US.
According to the CJEU, the alleged lack of effective judicial or other independent redress for EU residents regarding the data collection and surveillance activities of US national agencies materially diminishes the privacy protections afforded to individuals whose personal data had been transferred to the US by organizations certified under the Privacy Shield program. In turn, the CJEU concluded that the privacy protections afforded to individuals under the Privacy Shield program were not “essentially equivalent” to the privacy rights afforded to such individuals under EU law. As a result, the CJEU invalidated the Privacy Shield program. Accordingly, organizations that were relying on their Privacy Shield certification (including for data transfers to affiliates, customers and vendors) will need to promptly identify and implement an appropriate alternative legal transfer mechanism (for example, SCCs, Binding Corporate Rules, or perhaps even reliance on informed consent from the relevant data subjects or other exemptions under the GDPR, such as for performance of a contract). The European Commission and the US government have already announced their intention to develop a successor program to Privacy Shield that addresses the CJEU’s findings in Schrems II.
In contrast, the CJEU in Schrems II upheld the validity of SCCs as a legal mechanism to transfer personal data. This is very welcome news: relative to the Privacy Shield program, SCCs are even more widely used by international business organizations. However, the CJEU appears to consider that organizations that implement SCCs to enable personal data transfers may not, in every circumstance (particularly for data transfers to the US), afford individuals privacy protections that are “essentially equivalent” to those afforded under EU law. As a result, based on Schrems II, organizations may potentially – subject to additional guidance from regulators in the EU and the UK – need to evaluate and implement supplementary measures that provide privacy protections in addition to those provided under the SCCs used by that organization. In fact, the European Commission is proposing to release for use by organizations updated versions of the SCCs (the current versions pre-date the GDPR) so as to reflect the CJEU’s views in Schrems II and GDPR requirements. It remains to be seen how long this will take and whether these updated SCCs will, in and of themselves, provide the supplementary privacy protections alluded to in Schrems II.
If an EU or UK data privacy regulator determines that an organization is not providing the requisite level of data protection (whether or not SCCs are used) for data transfers outside the EU/UK, it may undertake enforcement action, including requiring the organization to suspend such data transfers. As a result, many organizations will need to proactively assess (through both a factual analysis of their personal data flows and an analysis of the applicable legal transfer mechanisms) whether the legal transfer mechanism they use is sufficiently protective under the GDPR and in light of the CJEU’s decision in Schrems II.
Note also that even companies that are not themselves members of the Privacy Shield need to consider whether their service providers, vendors or counterparties are relying on the Privacy Shield in a manner that could affect the company itself.
While the EU has not provided any official grace period for the transition from Privacy Shield to new data transfer mechanisms, we expect EU enforcement authorities to be reasonable in light of the CJEU’s obviously disruptive change in the law. The CJEU decision itself did not incorporate any accommodation or recognition of reliance interests, but the Court did note that no “legal vacuum” would arise because companies could simply adopt other data transfer options.
Both the U.S. Department of Commerce and the EU Commission have committed to work cooperatively to address the consequences of the Schrems II decision and to ensure that data flows between the EU and U.S. may continue. The Commerce Department also stated that companies that have certified their membership in the Privacy Shield arrangement must continue to comply with its requirements even though they have been invalidated on the EU side. That means the Federal Trade Commission can continue to enforce against “Privacy Shield Companies” that do not live up to their commitments. However, European national Data Protection Authorities may take different views. It is reported that the Berlin Data Protection Authority, in a statement issued on 17 July 2020, commented that, following the judgment, data should not be transferred to the US until that legal framework is reformed and that, where a state in a third country has access to data that goes beyond what is permitted under EU law, SCCs cannot justify the data transfer to that third country.
Pending any announcements or guidance from the EU Commission, companies that currently rely on SCCs should assess whether the types of personal data they process may be subject to government surveillance, review their reliance on SCCs, and consider adding new safeguards and obligations to “compensate” for the fact that – in the CJEU’s opinion – the U.S. does not provide EU residents whose data is transferred to the U.S. with protection from national security surveillance equivalent to that mandated under EU law. Such safeguards could include, for example, developing internal procedures for handling requests for disclosure of data to third parties, including governments. Part of that assessment should also consider the risk of possible forms of class litigation in the EU, whereby individuals could seek compensation for violation of EU data protection rights. This could be important because all EU-approved SCCs contain provisions permitting individuals whose data are transferred under SCCs to sue for breach of contract as third-party beneficiaries where the terms of the SCCs are breached. To date, the risk of such litigation has been largely hypothetical, but that could change based on the CJEU’s ruling and the increasing support in Europe for class, or “collective,” litigation.