1. Is the EU-U.S. Privacy Shield framework dead?
Yes, the Privacy Shield framework has been invalidated. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework based on its finding that the framework does not sufficiently protect EU personal data from U.S. national security and surveillance laws that allow access and use of personal data by U.S. public authorities. The Court held that U.S. surveillance law does not include the safeguards required to meet EU data protection principles concerning proportionality (e.g., collection is not limited to what is necessary, no limitations with respect to non-U.S. persons). Also, the CJEU found that European data subjects do not have a meaningful remedy before a body that offers guarantees substantially equivalent to those under EU law. In particular, the CJEU reasoned that the Privacy Shield’s Ombudsperson is not sufficiently independent and is unable to adopt decisions that bind U.S. intelligence services.
The Department of Commerce, which administers the Privacy Shield framework in the U.S., issued a press release that indicates it is still evaluating the decision’s effect on international data transfers. The press release stated that the Department “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
That said, pursuant to the CJEU’s decision, organizations can no longer rely on the Privacy Shield framework to cover transfers of EU personal data to the United States. Current participants in the Privacy Shield will need to assess potential replacement data transfer mechanisms, bearing in mind that EU personal data previously transferred to the U.S. under the Privacy Shield framework must be returned or remain subject to safeguards implemented in accordance with the Privacy Shield Principles. An entity that chooses to withdraw from the framework must still continue to apply the Privacy Shield Principles to any EU personal data received while it participated in the Privacy Shield.
Even organizations that are not themselves certified to the Privacy Shield framework should review their contracts with vendors and service providers to determine whether any EU-U.S. transfers of personal data conducted on their behalf rely on the Privacy Shield, since those transfers now need a replacement mechanism as well.
2. Are the European Commission’s Standard Contractual Clauses still valid?
Yes, the CJEU upheld the validity of Standard Contractual Clauses (SCCs) – but with caveats. As a general proposition, the Court upheld the SCCs as a valid transfer mechanism. But it also noted that the European Commission’s decision establishing the SCCs has always required individual importers and exporters to verify, prior to transfer, whether the country to which EU personal data is being transferred offers a level of data protection that is essentially equivalent to that of the EU. This assessment of the third country’s data protection laws and the data importer’s ability to comply with the SCCs is an ongoing requirement, not a one-time check at signing. If at any point a data importer cannot comply with the SCCs, the exporter must suspend transfers, and the personal data already transferred must be returned or destroyed. Since the Court invalidated the Privacy Shield due to concerns regarding U.S. government access to EU personal data, the same reasoning may create obstacles for parties seeking to verify that an importer in the U.S. can ensure adequate data protection under the SCCs.
The Court further held that EU Member State data protection authorities are required to suspend or prohibit personal data transfers where the SCCs cannot be complied with in the recipient country and the data exporter has not already ended the personal data transfers.
3. What other options are there for transferring personal data from the EU to the U.S.?
Binding Corporate Rules (BCRs) may be established to allow for transfers among corporate entities with operations in jurisdictions not considered “adequate” by the European Commission. Although historically BCRs were employed mainly by large multinational organizations with complex data flows and the resources necessary to undertake the BCR implementation process, the popularity of BCRs has grown in recent years as uncertainty surrounded the status of existing data transfer mechanisms. An organization’s BCRs must be approved by the relevant supervisory authority, a process that may take a significant amount of time and involve multiple rounds of revisions. The supervisory authority then communicates its draft decision to the European Data Protection Board (EDPB), which issues an opinion on the BCRs. When finalized, the supervisory authority will approve the BCRs. It is possible BCRs covering data transfers to the U.S. may face heightened scrutiny given the CJEU’s position that data exporters and data protection authorities must consider the law of the country to which EU personal data is to be transferred.
Article 49 of the GDPR allows for certain types of data transfers pursuant to specified derogations. Personal data transfers subject to these derogations are permitted in the absence of an adequacy decision or a separate data transfer mechanism such as SCCs or BCRs. For example, personal data may be exported if the data subject provides explicit consent to the transfer after being informed of its risks. Occasional transfers required for the performance of a contract with an EU data subject also may be possible without a separate data transfer mechanism, as may transfers necessary for the establishment, exercise or defense of a legal claim. Note, however, that all of these derogations have limitations and must meet specific parameters; they are intended for occasional transfers, not as a general substitute for a transfer mechanism.
Although we have seen little evidence of their use to date, the EU General Data Protection Regulation (GDPR) also contemplates the development of codes of conduct and certification mechanisms to provide appropriate safeguards for cross-border data transfers. Perhaps the Schrems II decision will spur movement in that space.
4. Does this decision change how organizations should assess U.S. discovery or law enforcement requests affecting EU personal data?
Maybe. Discovery is an integral part of the U.S. legal system, and recent U.S. court decisions have demonstrated that U.S. courts will not defer to European data protection law when considering objections to the production of EU personal data. Similarly, organizations subject to U.S. law may face civil and criminal penalties for failing to comply with data requests from law enforcement authorities, and nothing in the Schrems II decision addresses how organizations should navigate instances where U.S. legal obligations may be at odds with EU data protection requirements.
To the extent this was not already a priority, organizations subject to both U.S. law and the GDPR should ensure that they have a strategy in place for responding to requests that may implicate the disclosure of EU personal data. In particular, organizations must have a thorough understanding of their data flows and where personal data is located to respond effectively. Institutional risk tolerance also may come into play, as requests of this nature are likely to make it challenging to comply fully with both U.S. and EU law. Organizations should establish a framework for evaluating the relevant legal, business and reputational considerations associated with their options.
5. How did we end up here?
For the past 25 years, EU data protection law – first the Data Protection Directive and then the GDPR – has allowed the free transfer of EU personal data only to a limited number of non-EU countries whose data protection laws the European Commission has deemed to provide an “adequate” level of protection. This means the vast majority of such transfers (including transfers to the United States) must be covered by a legal data transfer mechanism such as European Commission-approved SCCs or, until today, the EU-U.S. Privacy Shield Framework.
In 2013, Max Schrems filed a complaint with the Irish Data Protection Commission (DPC) regarding data transfer practices under the Data Protection Directive. In his complaint, Schrems asked the DPC to prohibit personal data transfers to the U.S., claiming that U.S. laws and practices did not adequately protect personal data from the surveillance activities of its public authorities. The DPC rejected the complaint, so Schrems then appealed in an action before the Irish High Court. The High Court referred questions concerning the application of EU law to the CJEU. One question concerned the validity of the EU-U.S. Safe Harbor Framework, which the European Commission had previously determined to provide an adequate level of data protection. As we reported in October 2015, the CJEU invalidated the European Commission’s EU-U.S. Safe Harbor adequacy decision, holding that adequacy requires the other country’s law to “ensure protection essentially equivalent” to that guaranteed by EU law. At that point, the High Court annulled the original DPC decision and referred the Schrems matter back to the DPC.
The DPC began an investigation and asked that Schrems amend his complaint to take into account the invalidation of the Safe Harbor. Schrems’s amended complaint, following similar reasoning as his original complaint, alleged that the use of SCCs, adopted by the European Commission for international data transfers, could not be a valid data transfer mechanism. Schrems pointed out that, even when personal data is protected by SCCs, once transferred to the U.S., the U.S. public authorities can require organizations to turn over personal data in the context of government surveillance and other government activities. This government surveillance, he alleged, infringes on the rights guaranteed by Articles 7 (respect for private and family life), 8 (protection of personal data) and 47 (right to effective remedy and fair trial) of the Charter of Fundamental Rights of the European Union. Schrems asked the DPC to suspend the transfers of personal data to the U.S. The DPC analyzed these new claims and drafted a decision finding U.S. law incompatible with the Charter of Fundamental Rights provisions and concluding that the SCCs do not have adequate safeguards to mitigate that risk.
Taking into account “the significant issues arising in terms of citizens’ data privacy rights” and the “very significant commercial implications arising from the value of data exchanges to EU-US trading relations,” the DPC commenced legal proceedings in the Irish High Court seeking an opinion on the validity of the European Commission’s SCCs and, if necessary, a referral to the CJEU to determine the issue. The High Court took evidence from the U.S. government and others before ultimately referring questions to the CJEU in May 2018 for a decision on the application of EU law. The High Court laid out its concerns, which were similar to those of the DPC; namely, that U.S. law did not provide adequate remedies for EU data subjects whose personal data was transferred, and that the SCCs, as well as the Privacy Shield, did not provide adequate safeguards to protect EU personal data.
Following a hearing in July 2019, CJEU Advocate General (AG) Henrik Saugmandsgaard Øe issued his Opinion in the matter in December 2019, analyzing the relevant law under both the Directive and the GDPR, which took effect during the pendency of Schrems’s complaint. Saugmandsgaard Øe struck a middle-ground approach, balancing the fundamental privacy values of the EU with the need to allow interaction with the rest of the world. The AG’s Opinion explicitly advocated not invalidating the European Commission-adopted SCCs and not addressing the Privacy Shield questions. Instead, the AG’s approach shifted obligations to data controllers, to conduct adequate due diligence before using a data transfer mechanism, and to data protection authorities (DPAs), to suspend transfers that fail to safeguard EU personal data. The AG encouraged the CJEU to focus solely on the issue of whether the DPC can “adopt corrective measures in a specific case,” which he noted was all that was required to allow the referring court to settle the dispute. An AG’s Opinion is never binding on the CJEU, but it frequently is persuasive. The decision in Schrems II demonstrates that the CJEU did not find Saugmandsgaard Øe’s Opinion entirely persuasive.
On July 16, 2020, the CJEU issued its judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), which challenged the adequacy of both the European Commission’s SCCs and the Privacy Shield framework. The CJEU upheld the European Commission’s SCCs. But the CJEU’s decision firmly places the burden on personal data importers and exporters using SCCs to analyze the adequacy of a third country’s laws and to suspend transfers to third countries that cannot adequately safeguard European personal data. Additionally, European data protection authorities are explicitly tasked with suspending inadequate transfers. The CJEU then invalidated the Privacy Shield, focusing on the essential conflicts between U.S. laws and the fundamental rights guaranteed to EU data subjects.
Ann O’Brien, partner in BakerHostetler’s Washington, DC office and formerly the Acting Director of Criminal Enforcement, U.S. Department of Justice, Antitrust Division:
The Schrems II decision has been a long time coming, and it has great implications for commercial transfers of data from the EU to the U.S. How Schrems II will impact U.S. national security programs and U.S. domestic law enforcement data collection will certainly continue to play out. Attorneys at the U.S. Department of Justice’s National Security Division and Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division are probably very busy trying to provide guidance to prosecutors and law enforcement officers, while companies are trying to figure out how, if at all, Schrems II impacts how they respond to law enforcement data requests.
Jeewon K. Serrato, partner in BakerHostetler’s San Francisco office and former member of the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Council:
We have been advising companies to use a “belt and suspenders” approach for EU-U.S. data transfers, including a combination of one or more of the available methods: the Privacy Shield, Standard Contractual Clauses and Binding Corporate Rules. Since the Schrems II decision appears to call into question all data transfers made to the U.S., regardless of whether “appropriate safeguards” were put in place, as long as U.S. public authorities have access to the data, the practical impact, without further political action, is that companies face legal risk for any future transfers of EU resident data to the U.S. Based on this decision, we expect there will be renewed focus and attention on how personal data moves from one country to another for storage and processing purposes and what, if any, strategies companies have to respond to law enforcement and intelligence agency requests for data. Laws like the GDPR and California Consumer Privacy Act allow consumers to ask companies where data is collected from, to whom data is shared and for what purpose data is used. We will see how this decision by the EU Court of Justice reverberates across the globe, as EU and non-EU regulators react, including potential legislative action in the U.S. to finally pass a U.S. federal privacy law.