The summer of 2020 is proving to be a busy time for privacy legislation and an exciting time for privacy enthusiasts. On the heels of the official California Consumer Privacy Act (CCPA) enforcement date on July 1st and the second anniversary of the European Union's General Data Protection Regulation (GDPR), the Court of Justice of the European Union (the Court) has just ruled the EU-US Privacy Shield Framework (Privacy Shield) invalid in the Schrems II case. The Court held that Privacy Shield fails in its essential purpose of protecting and upholding the privacy and data protection rules required by the GDPR.
This latest development is likely to have material consequences on the many businesses that share and transfer data of European Union (EU) residents to businesses in the United States. In the same case, the Court ruled that the Standard Contractual Clauses (SCCs) are a valid means for cross-border data transfers, for now.
Cross-Border Data Transfers
Pursuant to Chapter V of the GDPR, personal data may be transferred to a country outside of the EU on the basis of a European Commission finding that the country ensures an adequate level of protection, or otherwise only where appropriate safeguards (such as the SCCs) or a narrow derogation apply. The U.S. has never received a general adequacy finding. Therefore, U.S. and EU regulators have negotiated programs to ensure that such data transfers could continue in compliance with EU law.
Privacy Shield, the second such program, requires U.S. companies that want to receive EU personal data under it to self-certify to the Privacy Shield Principles with the U.S. Department of Commerce and register with the program. While Privacy Shield is not the only cross-border data transfer mechanism, it is one of the more advantageous.
The Schrems II case derives its name from an earlier proceeding (Schrems I) that Max Schrems, a privacy advocate in Europe, initiated in 2013 with a complaint against Facebook Ireland. In that prior action, Schrems claimed that the then-existing U.S.-EU Safe Harbor Framework (Safe Harbor) did not provide sufficient protection for the transfer of EU citizens' personal data from Facebook in Ireland to Facebook in the United States.
As a result of Schrems I, Privacy Shield's predecessor, Safe Harbor, was invalidated on the premise that the United States did not offer stringent enough data privacy protections. Schrems then brought a second claim, based on an allegation that the SCCs (also relied upon for transfers of data by Facebook) were also a deficient data protection mechanism.
The Court's Decision
One of the most anticipated decisions in the history of EU privacy law has been rendered: Privacy Shield is henceforth invalid. The Court found that Privacy Shield does not ensure a level of protection essentially equivalent to that guaranteed under EU privacy and data protection law, particularly because U.S. surveillance programs are not limited to what is strictly necessary and proportionate, and because the Ombudsperson mechanism does not give EU data subjects an effective remedy before an independent and impartial body.
However, the SCCs have been upheld, with a caveat: their use must be assessed on a case-by-case basis. Companies in the EU wishing to rely upon the SCCs will be expected to consider the privacy and data security laws, standards and practices in the jurisdiction to which the data is transferred, including government access to the data. If those laws, standards and/or practices do not provide essentially equivalent protection, supplementary measures will be required, and where none can close the gap the transfer must be suspended.
EU regulators are expected to be looking at use of the SCCs more closely, particularly in the event of a data subject complaint.
As when Safe Harbor was struck down in 2015, and perhaps even before the dust has settled on Schrems II, we should expect the U.S. and EU to attempt to negotiate yet another personal data transfer mechanism. Without such a mechanism, and given the uncertainty around use of the SCCs, the ability of businesses to transfer personal data between the EU and the U.S. may be materially limited.
Reaching agreement in this regard has proven to be a difficult task, given that the EU tends toward a citizen-driven, rights-based privacy scheme, while the U.S. trend has been more market-driven, with the exception of new state protections that are now coming into play, such as the CCPA.
Although additional scrutiny and review may be required, for now, we should expect an increase in the reliance upon the SCCs in order to allow businesses to continue operating across jurisdictional boundaries.
Prior to this ruling, the Federal Trade Commission (FTC) had brought a number of enforcement actions against companies in connection with Privacy Shield, specifically alleging that those companies had falsely represented that they were registered with, or compliant with, the program. It remains to be seen how the FTC will respond to this development. Especially since the U.S. will need to reach agreement with the EU on a new data transfer mechanism, we should expect continued vigilance by the FTC as a show of good faith and commitment to uphold a high level of protection for EU citizens.
Let's hope the next data transfer treaty between the EU and the U.S. sticks.
Originally published by Davis & Gilbert, July 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.