European Court Invalidates Privacy Shield; Upholds Model Clauses (For Now)
Privacy & Cybersecurity Update
Date: July 17, 2020
On July 16, the Court of Justice of the European Union (CJEU) issued its much-anticipated decision in the Schrems II litigation involving cross-border data transfers, invalidating the EU-U.S. Privacy Shield Framework, while upholding, with reservations, the use of standard contractual clauses (SCCs). Both mechanisms are widely used as the legal basis to transfer personal data from Europe to the United States. An organization that previously relied upon Privacy Shield should immediately assess alternative mechanisms to assist in its cross-border data transfer programs. For many organizations, employing SCCs will be the most effective and efficient option, but the decision opens even those to future challenges.
Background: EU and International Data Transfers
Under the EU General Data Protection Regulation (GDPR), when personal data is transferred outside the European Economic Area (EEA), special “safeguards” are required to ensure that the data retains certain privacy and security protections during and after the transfer. These restrictions apply to all international transfers, regardless of the size of the transfer or how often it occurs. In turn, the GDPR offers several mechanisms organizations may employ to transfer personal data to third countries located outside the EEA, including “binding corporate rules” (BCRs), which are legally binding data protection policies adhered to by multinational companies, and “adequacy decisions,” wherein the European Commission decides that the country to which the data is transferred provides adequate privacy protections. The EU has not determined, and likely never will, that U.S. law and policy provide sufficient protection for purposes of rendering an adequacy decision.
The data transfer mechanisms at issue in the Schrems II case were Privacy Shield and SCCs. Privacy Shield became available on August 1, 2016, having been adopted after the CJEU struck down its predecessor, the Safe Harbor Framework. SCCs, long used to facilitate international data transfers, were previously determined to provide sufficient safeguards for doing so. To date, the Commission has issued two sets of SCCs for transfers from data “controllers” in the EU to controllers outside the EEA, and one set of contractual clauses for transfers from controllers in the EEA to “processors” established outside it. SCCs impose contractual obligations on both the party exporting the personal data from the EEA and the party importing it. SCCs also grant rights to the individuals whose personal data is transferred, which they can directly enforce against the data importer and the exporter.
The Schrems II Decision
The Schrems II case (Data Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems) arrived before the CJEU when Schrems, an Austrian citizen and resident, filed a complaint with the Data Commissioner of Ireland against Facebook Ireland, Ltd. for failing to properly safeguard his personal data when it transferred its users’ data to Facebook, Inc. in the United States. In particular, Schrems argued that Facebook, Inc. could not rely upon EU-approved data transfer mechanisms to appropriately safeguard his personal data transferred to the United States in light of domestic laws and regulations that purportedly provided federal law enforcement and intelligence officials with the right to broadly and intrusively access such data.
In addressing Privacy Shield, the CJEU found that U.S. law gives “primacy” to national security and law enforcement and in that context condones interference with fundamental data privacy principles. It also found that U.S. law enforcement and intelligence programs that allow government access to personal data do not grant data subjects judicial recourse against the U.S. authorities that are substantially equivalent to those required by EU law. Based on these and similar factors, the CJEU struck down Privacy Shield as a lawful mechanism to transfer personal data to the United States.
On the other hand, the CJEU upheld the continued use of SCCs, finding that they impose obligations on data exporters and importers to verify, prior to any international transfer, whether the level of protection required by EU law is respected in the third country where the importer is located. It further noted that this verification requires the data importer to formally notify the exporter of any inability to comply with the SCCs, which would in turn require the exporter to suspend the transfer or terminate the transaction altogether. The CJEU also emphasized that EU data protection authorities are required to suspend or prohibit specific transfers of personal data to a third country when they determine that the importer does not or cannot comply with the SCCs. In other words, although the CJEU validated SCCs generally, it reminded EU member state authorities of their powerful roles and responsibilities in this context.
What Should Businesses Do Now?
According to a 2019 survey, approximately 88% of companies that transferred personal data outside the EU relied on SCCs, while 60% of those surveyed relied upon the (now invalid) Privacy Shield. An organization that relied upon Privacy Shield should immediately assess alternative mechanisms to assist in its cross-border data transfer programs, including the adoption of BCRs or SCCs. BCRs are designed to allow multinational companies to transfer personal data from the EEA to their non-EEA affiliates in accordance with their internal data protection policies and procedures that are approved by relevant EU authorities. However, the BCR approval process can be cumbersome and requires coordination and approval from the European Data Protection Board and potentially multiple supervisory authorities across the different EU member states in which an organization operates.
In contrast, SCCs generally do not require approval from supervisory authorities and organizations can adopt them like they would any other contract. In fact, it is common for organizations to adopt “intra-group agreements” just as they adopt other policies. An intra-group agreement often incorporates the data protection terms and conditions set forth in the SCC so they become binding on all applicable members of the business. However, an intra-group agreement, like any other data protection policy, should be narrowly tailored to the organization’s data processing activities and the relationship between its subsidiaries, affiliates and groups at issue (e.g., controller-to-controller or controller-to-processor relationship).
While the Schrems II decision’s long-term effects are not yet clear, businesses that regularly transfer information from the EU to the United States should review the mechanisms they now use and adjust their practices to take advantage of the (admittedly reduced) options left by the CJEU.
For more information, please contact:
Steven G. Stransky
Thomas F. Zych
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.