One week after the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Schrems II),1 which invalidated the EU-US Privacy Shield Framework (Decision (EU) 2016/1250) (Privacy Shield), the European Data Protection Board (EDPB) issued guidance explaining the judgment (the Decision) in the form of a set of Frequently Asked Questions (FAQs).2 Those FAQs underscore not only the widespread significance of the Decision but also the fact that it creates hurdles for companies relying on the other existing mechanisms for transferring personal data from the European Union (EU) to the United States in compliance with the EU General Data Protection Regulation (GDPR).
Thousands of US companies have certified under the Privacy Shield and depend on it as the legal basis for receiving personal data from the EU in accordance with the requirements of the GDPR.3 All of those companies must now find an alternative mechanism for receiving personal data from EU-based organizations, and the data controllers transferring personal data to them must ensure that a lawful and adequate transfer mechanism is in place for those transfers. Given the CJEU's statements in Schrems II, as highlighted and interpreted by the EDPB in its new FAQs, about the risks of relying on either of the currently accepted alternatives and about the safeguards that must be guaranteed before data are transferred, there is serious cause for concern about EU-US commerce that depends on trans-Atlantic flows of personal data. Indeed, the day after the CJEU issued its Decision, US Secretary of State Michael Pompeo issued a statement saying that the decision presents serious "consequences and implications for more than 5,300 European and US companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions."4 Secretary Pompeo stressed that "[u]ninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic." He pledged that the "United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States."
Negotiations on a new, acceptable mechanism may never begin or could take years. Companies involved in EU-US transfers of personal data need to know now whether and how they can lawfully continue those transfers. The CJEU Decision, and the EDPB FAQs interpreting it, suggest that companies should tread with caution and remain vigilant about circumstances in the United States that could be deemed to threaten the privacy and security of personal data, irrespective of any private-party commitments to protect that data.
Background on the Privacy Shield and Other Data Transfer Mechanisms
Under the GDPR and its predecessor, the EU Data Protection Directive,5 an entity within the EU may not transfer personal data (as defined in the GDPR) to a country outside the EU unless the European Commission (EC) has found that country to provide "adequate protection" for personal data, or another transfer mechanism recognized by the Regulation applies. Although the EC has found a number of countries to provide adequate protection, on the strength of strict data privacy and security laws that they enact and enforce, the United States is not one of them. A solution was therefore negotiated between the EU and the US government. It first took the form of the EU-US "Safe Harbor," a mechanism similar to the Privacy Shield; after the CJEU invalidated the Safe Harbor in 2015 on the ground that it failed to protect the personal data of persons in the EU from intrusive US government surveillance,6 it was replaced by the Privacy Shield.
In light of the invalidation of the Safe Harbor, the US Department of Commerce and the EC designed the Privacy Shield to include more detailed explanations of US law and commitments by US authorities intended to ensure greater protection of the personal data of EU data subjects. Otherwise, the Privacy Shield functioned much like the prior Safe Harbor: it provided a legal basis for transfers of personal data from the EU to companies in the United States that, through a binding certification submitted to the US Department of Commerce, committed to protect the data in accordance with the Privacy Shield Principles.7 These commitments were legally binding and enforceable under US law (by the Federal Trade Commission (FTC) and the Department of Transportation), and participating entities were required to recertify annually.8 The US government, through the Department of Justice and the Office of the Director of National Intelligence, committed that access for law enforcement and national security purposes would be limited and subject to safeguards and oversight mechanisms.9 An ombudsperson mechanism was also implemented to follow up on complaints and inquiries from EU data subjects relating to national security access.
As an alternative (or in addition) to the Privacy Shield, EU entities seeking to transfer personal data to countries that, like the United States, have not been deemed "adequate" by the EC have relied on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). SCCs are contractual provisions that the EC determined, in three decisions issued between 2001 and 2010,10 to be a valid mechanism through which a data controller in the EU could bind a data controller or a data processor in a "non-adequate" country to protect the privacy and security of specified personal data, and thereby transfer that data to the recipient in compliance with EU privacy law. Companies may rely on the SCCs without prior approval or review by a competent data protection authority in an EU Member State, as long as the clauses themselves are not modified. BCRs, which apply only to intra-group transfers of personal data, involve similar contractual commitments.11 Obtaining approval for BCRs, however, is neither swift nor inexpensive: a company must submit its proposed BCRs for approval to the lead supervisory data protection authority of the EU Member State of its EU-based entity, which deliberates and then communicates a draft decision to the EDPB; the EDPB in turn deliberates and issues an opinion, after which the lead authority adopts its final approval. Both because of this involved process and because they are limited to intra-group transfers, BCRs have not been an attractive choice for the vast majority of transfers of personal data from the EU to the United States.
The Decision in Schrems II
In Schrems II, the CJEU determined that the Privacy Shield was fundamentally flawed because it prioritizes US national security, public interest, and law enforcement over the privacy rights of data subjects. First, the CJEU found that the use of personal data by US surveillance programs is not limited to what is strictly necessary and proportionate, as EU law requires. Second, the Court held that the Privacy Shield does not provide data subjects with a right to effective legal remedies in the United States, because US intelligence law lacks individualized protections such as "actionable rights" of challenge before US courts that are "essentially equivalent" to the privacy rights guaranteed in the EU, and because the ombudsperson established under the Privacy Shield lacked both independence and the power to adopt decisions binding on the US intelligence services. Third, according to the CJEU, the authorities of the EU Member States have insufficient powers and means to take effective action on data subjects' complaints about allegedly unlawful processing in the United States.
Schrems II also involved a challenge to the SCCs. Through a detailed analysis, the CJEU confirmed the validity of the SCCs while highlighting their vulnerabilities. Recognizing that SCCs are contractual guarantees and thus not binding on government authorities, the CJEU found them valid specifically because the EC decision approving them requires companies to monitor continually their ability to comply with the contractual terms and to report any apparent obstacles to compliance to the competent supervisory data protection authorities in the EU Member States (SAs). As the CJEU noted, the EC decision obliges the exporting party to the SCCs to ensure "appropriate safeguards" guaranteeing adequate protection for the personal data being exported, especially as regards public authority access to the data. If the data importer becomes subject to an obligation to disclose the data to local intelligence or other public authorities in the importing jurisdiction in any way inconsistent with the GDPR or other EU law, the SCCs require the importer to notify the data exporter that the SCC obligations cannot be fulfilled.12 Upon receipt of such a notice, the data exporter must either (i) suspend its data transfers under the SCCs (which might require terminating the contract underlying the SCCs),13 or (ii) provide a copy of the importer's notice to the SA, which may use its powers to investigate or to suspend the data transfers.14
EDPB FAQs Attempt to Clarify
One week after the CJEU's ruling in Schrems II, the EDPB attempted to answer some of the questions the Decision raised.15 Noting that the CJEU's judgment invalidated the Privacy Shield with immediate effect, the EDPB emphasized the urgency for companies that had been relying on the Privacy Shield to find other means of legitimizing their transfers of personal data to "inadequate" countries such as the United States.16
Extrapolating from the CJEU's discussion of how the legitimacy of SCCs is to be evaluated, the EDPB FAQs clarify that companies must assess the protection afforded to data transferred to the United States or other "inadequate" jurisdictions in reliance on either SCCs or BCRs. According to the EDPB, the same assessment applies to BCRs providing for data transfers to the United States because "U.S. law would also have primacy over this tool."17 In either case (SCCs or BCRs), the required assessment must take into consideration the "circumstances of the transfers, and supplementary measures . . . put in place[,]" to make sure that the importing jurisdiction's "inadequate" law "does not impinge on the adequate level of protection" the SCCs or BCRs guarantee. If the assessment indicates that appropriate safeguards would not be ensured, the intended exporter must notify its SA. Although the EDPB FAQs do not state that a similar notification is required when the assessment finds adequate safeguards, the FAQs underscore that "the SAs will . . . have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries."
What Comes Next?
The Schrems II Decision leaves the many companies that rely solely on the Privacy Shield in legal limbo. At last count, 5,385 companies had certified compliance with the Privacy Shield. The FTC has made clear that it still "expect[s] companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework."18
The Decision and the EDPB FAQs underscore that relying instead on SCCs or BCRs carries significant risk. As noted, data exporters must now make a case-by-case assessment of their contractual obligations and, if necessary, adopt supplementary measures to ensure compliance with EU law. Neither the Decision nor the EDPB FAQs provide much guidance on which "supplementary measures" would reliably serve this purpose. The EDPB FAQs do state, however, that "[t]he EDPB is currently analyzing the Court's judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical and organizational . . . ."
Apart from the additional assurances and measures that can be taken to continue relying on SCCs and BCRs, in very specific and limited circumstances some transfers may continue under the conditions set out in Article 49 of the GDPR, for example when the data subject consents, occasionally when the transfer is necessary for the performance of a contract between the data subject and the controller, or when the transfer is necessary for the establishment, exercise or defense of legal claims. As the EDPB states in its related guidance,19 the derogations in Article 49 should be used only in the absence of other transfer mechanisms (e.g., SCCs or BCRs). They are therefore narrow exceptions reserved for specific situations. Because data subjects can withdraw their consent at any time, and because most of the other Article 49 derogations can be relied on only for occasional or non-repetitive transfers, companies engaged in regular, repeated and large-scale transfers of personal data to the United States will likely need to rely on SCCs or BCRs.
Practical Next Steps
As the legal community continues to interpret the implications of Schrems II, companies engaged in the cross-border transfer of personal data from the EU must remain nimble and account for some level of risk. Currently, however, companies should consider the following:
First, companies certified under the Privacy Shield should continue to comply with its requirements. Although Schrems II invalidates the Privacy Shield as a transfer mechanism under the GDPR, it does not release certified companies from the commitments they made in their certifications, which the FTC continues to enforce. The FTC may still pursue enforcement actions against companies that fail to honor those commitments.
Second, companies should evaluate the relationships under which they transferred information pursuant to the Privacy Shield and determine whether they can now rely on SCCs or BCRs instead. In the most intractable cases, where neither works, this may mean engaging alternative processors or co-controllers that do not require a cross-border transfer (i.e., that are located within the EEA) or that are located in a country deemed adequate.
Third, a more hands-on approach is now required when adopting SCCs or BCRs. To adjust to increased regulatory oversight, exporters of personal data from the EU should develop internal procedures to suspend cross-border transfers swiftly if they determine that a data importer does not provide adequate protection for personal data. In turn, US companies wishing to rely on SCCs should evaluate how they can give data exporters assurances of their SCC and data protection compliance, whether through the adoption of technical and organizational measures or otherwise.
Above all, continued monitoring of how the various EU and US authorities and agencies react to the decision is required. Although another iteration of the Privacy Shield that would assuage the CJEU's concerns seems unlikely in the current US political climate, the upheaval accompanying Schrems II may spur bipartisan solutions. This, and other developments likely to occur in the near future, will require flexibility and creative planning.
2 European Data Protection Board, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (adopted on 23 July 2020) (FAQs).
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
6 Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (Schrems I).
9 https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q0W; https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1F; https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1A
12 Schrems II Decision, ¶ 139.
Originally published 30 July, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.