Highlights
- The EU’s Court of Justice has invalidated the Privacy Shield data sharing system between the EU and U.S.
- The court cited overreaching surveillance by U.S. public authorities
- Standard Contractual Clauses for the transfer of personal data remain valid; however, they remain the subject of ongoing litigation that could result in their invalidation
On July 16, the European Court of Justice issued its decision in the closely watched Schrems II case, surprisingly invalidating the EU-U.S. Privacy Shield Framework that has served as a primary mechanism for businesses’ transfer of personal data between the European Union and the United States.
The court has left the Standard Contractual Clauses (SCC) in place as a transfer mechanism, for now, but an Irish court proceeding against Facebook places the clauses at the same risk as Privacy Shield. Businesses and privacy professionals that have relied on the Privacy Shield to provide for the legal transfer of EU personal data must now act quickly to develop a new transfer strategy and ensure data flows remain compliant under the law.
Since July 2016, the Privacy Shield has provided companies on both sides of the Atlantic with a mechanism to comply with European data protection requirements under the General Data Protection Regulation (GDPR) when transferring personal data from the European Economic Area to the United States. Enacted after the Schrems I case invalidated the U.S.-EU Safe Harbor on October 6, 2015, the Privacy Shield had also become an important avenue for companies to avoid the laborious process of trying to ensure each data transfer separately complied with governing laws.
U.S. organizations have been able to self-certify to the U.S. Department of Commerce under the Privacy Shield by publicly committing to comply with the framework’s requirements. As of July 2020, 5,378 companies were listed as having self-certified their voluntary compliance with the Privacy Shield. Each of these businesses must now immediately identify a new legal means to transfer this data.
Court’s Decision and Standard Clauses
The court’s decision is based upon its finding that European data subjects were being afforded a lower level of protection in the U.S. than in the EU, and that the Privacy Shield protections were not sufficient to guarantee EU data subjects’ personal data under the GDPR. An increase in U.S. digital surveillance over the years and lack of U.S. data protections as compared to the EU has raised questions as to whether European individuals’ privacy rights can be adequately protected when their personal data is transferred to the U.S.
The Court has upheld, for now, the continued use of SCCs for the transfer of data from member nations to third-party nations, but admonished that any such transfers must “ensure compliance with the level of protection required by EU law,” a responsibility that rests on the data exporter and the recipient prior to commencing such a transfer. The SCCs are sets of contractual terms and conditions between the sender and recipient of personal data, which are supported by the European Commission and intended to comply with GDPR’s requirements.
The court further clarified that supervisory authorities are required to, and therefore have the ability to, suspend or prohibit a transfer of personal data to a third country where they take the view that the standard data protection clauses are not, or cannot be, complied with or ensured by other means.
The court’s emphasis on this power presents ongoing compliance challenges for companies considering data transfers. This is especially true in light of the previously issued opinion by the Irish court that referred this case to the European Court of Justice, wherein the court suggested “the provisions of law in the [United States] may be the basis for suspending or prohibiting data transfers pursuant to an SCC. . . .”
What To Do Now
Now that the case has been referred back to the same Irish data protection authority and the referring Irish court by the European Court of Justice, careful monitoring for further developments regarding the future validity of data transfers pursuant to SCCs, and preparation in the event such transfers are invalidated, will be paramount.
In the wake of this important decision, there are several steps companies should consider taking to help ensure their future transfers of protected personal data are legally compliant:
- Work expeditiously to identify alternate means for data transfers between the EU and the U.S.
- Identify existing EU-U.S. data flows to determine whether Standard Contractual Clauses are an appropriate alternate legal transfer mechanism for EU personal data subject to GDPR
- Undertake a careful examination of any existing Standard Contractual Clauses-based transfers to ensure compliance with the GDPR
- Analyze alternative means of transferring data where possible, such as utilizing European data hubs
- Monitor additional developments regarding the validity of Standard Contractual Clauses to ensure legally compliant data transfers