EU High Court Invalidates EU-U.S. Privacy Shield
The Court of Justice of the European Union (CJEU) issued a long-awaited judgment yesterday (July 16, 2020) in Data Protection Commissioner v. Schrems[1], finding the EU-U.S. Privacy Shield inadequate as a mechanism for lawfully transferring the personal data of EU residents from the EU to the United States for commercial purposes.
This decision is effective immediately and will have a significant impact on U.S. companies that relied on the Privacy Shield as a mechanism for cross-border data transfers. Such companies will have to adopt another lawful transfer mechanism, such as standard contractual clauses (SCCs), which remain valid but may face additional scrutiny and be subject to challenge.
Background
The EU General Data Protection Regulation (GDPR) prohibits transfers of personal data from the EU to an outside jurisdiction unless one of the following applies:
- The European Commission has determined that the importing jurisdiction provides an "adequate" level of data protection; or
- The entity exporting or importing the personal data has otherwise committed to providing appropriate safeguards to protect the data, as specified in the GDPR.
The European Commission found the United States "adequate" in 2016 but only with respect to the Privacy Shield. In other words, companies that adopted, implemented, and adhered to the Privacy Shield data protection framework could freely transfer personal data from the EU to the United States. Because the European Commission has not recognized the overall U.S. data privacy legal framework as "adequate," however, companies that did not adhere to the Privacy Shield had to transfer personal data under another mechanism – such as through SCCs or binding corporate rules (for intracompany transfers only).
Privacy Shield Found Inadequate
Yesterday's CJEU decision[2] invalidated the European Commission's 2016 decision finding the Privacy Shield "adequate" to protect EU residents' personal data transferred from the EU to the United States. Specifically, the CJEU held that the Privacy Shield failed to provide an "adequate" legal framework because U.S. law gives U.S. intelligence agencies broad authority to access the personal data of EU residents, without limiting that access to what is strictly necessary, and thus fails to satisfy the principle of proportionality.
It also found that EU residents are not able to seek judicial redress under U.S. law for interference with their fundamental rights, as required by the right to an effective remedy guaranteed under Article 47 of the Charter of Fundamental Rights. The CJEU disagreed with the European Commission's finding that the Privacy Shield Ombudsperson, an official appointed by the U.S. Secretary of State and charged with receiving queries from EU residents regarding U.S. intelligence authorities' access to personal data, was a sufficient substitute for judicial redress.
The CJEU noted that EU residents are not able to bring legal action in the United States "before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data." Further, the CJEU found that the European Commission did not indicate in its 2016 decision that the ombudsperson was sufficiently independent from the executive branch or had "the power to adopt decisions that are binding on those intelligence services."
Standard Contractual Clauses Remain Valid, but Must Be Enforced
Although SCCs also operate against the backdrop of U.S. laws allowing intelligence authorities access to personal data, the CJEU upheld the use of SCCs as a valid data transfer mechanism in its review of the European Commission's 2010 decision adopting the SCCs for data processors. The CJEU cautioned, however, that entering into SCCs is not a rote exercise, emphasizing that controllers and processors who transfer personal data, as well as supervisory authorities that oversee such transfers, will be responsible for suspending transfers of personal data when the SCCs fail to provide adequate protection.
The CJEU explained that because SCCs cannot bind U.S. authorities, who are not a party to the contract between the controller (or processor) and the entity receiving the data, controllers or processors who are transferring personal data must evaluate the laws of the jurisdiction to which the personal data will be transferred and determine whether those laws are sufficient to adequately protect the data. If not, the controller or processor must supplement the SCCs with additional safeguards. And if the controller or processor cannot take additional measures that achieve adequate protection, then they must suspend or end the transfer of personal data.
The CJEU specifically noted that this scenario could arise where "the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data."
In a statement about the CJEU's ruling, European Commission Vice President Vera Jourová announced that the Commission intends to work with data protection authorities to modernize the SCCs, which have not been updated since 2004 (for controller-controller SCCs) or 2010 (for controller-processor SCCs).
Takeaways
Companies involved in transfers of personal data from the EU to the United States must take certain near- and long-term actions.
- Organizations that were relying on the Privacy Shield must take immediate steps to remove references to compliance with the Privacy Shield from their privacy notices and discontinue receiving personal data from the EU until they are able to implement an acceptable substitute mechanism. Failure to do so could result in an enforcement action by the FTC (for misrepresenting Privacy Shield participation) or by an EU data protection authority (for unlawful transfers).
- Most organizations likely will opt for the SCCs in place of the Privacy Shield, but they should review their data flows to determine which mechanism is best suited to their operational needs. For instance, large multinational corporations that need to transfer personal data within the organization may wish to adopt binding corporate rules.
- Because the CJEU tasked EU data protection authorities and controllers with evaluating the adequacy of the recipient jurisdiction's legal regime, organizations should expect and must be prepared to react quickly to regulators' statements and controllers' concerns. In the short term, it is possible that privacy regulators will take different positions regarding whether organizations may continue to use SCCs.
- Organizations also should be prepared to update their data processing agreements after the European Commission modernizes the SCCs.
Footnotes
[1] Data Protection Commissioner v. Schrems, CJEU, C-311/18, 16 July 2020.
[2] Although this client alert does not provide the full procedural history of this dispute, the following background may be useful: The CJEU decision stems from a complaint that Facebook user Maximillian Schrems, an Austrian citizen, initially filed with the Irish data protection authority in 2013, alleging that Facebook's transfers of his personal data to Facebook's servers in the U.S. under the U.S.-EU Safe Harbor (the program that was then in place to enable cross-border data transfers) were unlawful because the Safe Harbor program did not sufficiently protect personal data from access by U.S. intelligence services. The CJEU agreed and invalidated the Safe Harbor program in 2015 ("Schrems I"). Schrems then reformulated his challenge, alleging that the transfers of his personal data to the U.S. via standard contractual clauses were unlawful because they, too, failed to protect EU residents' personal data from U.S. intelligence authorities ("Schrems II"). In the meantime, the Department of Commerce and the European Commission developed and adopted the Privacy Shield to address concerns raised in Schrems I by, for instance, establishing an ombudsperson who would receive requests from individuals seeking information about access to personal data by U.S. intelligence authorities. The CJEU in Schrems II found it necessary to evaluate the European Commission's 2016 decision finding the Privacy Shield adequate, stating that the Privacy Shield decision, and its findings regarding the U.S. legal system, was relevant to the court's evaluation of SCCs.