Yesterday, the Court of Justice of the EU (“CJEU”) issued a judgment with two important outcomes: (1) invalidation of the U.S.-EU Privacy Shield as a basis for transfers of personal data from the EU to the U.S.; and (2) upholding standard contractual clauses as a mechanism for transfers (but with some important caveats, discussed below).
Below, we summarize the impact of this decision on companies in the U.S. and provide recommended next steps.
1. What just happened? What is the background and context?
For background, the EU General Data Protection Regulation restricts transfers of personal data from the EU to countries outside the EU (referred to as “third countries”). The GDPR allows international transfers only if the European Commission has determined in an “adequacy decision” that a third country provides adequate safeguards to protect the privacy rights of data subjects in the EU or if the transferring parties have implemented approved safeguards (e.g., standard contractual clauses, binding corporate rules) to otherwise protect the transferred personal data. The U.S. is not deemed “adequate” by the European Commission, except – until yesterday – for companies that participated in the Privacy Shield.
The Privacy Shield is a framework developed by the U.S. Department of Commerce and the European Commission to enable data transfers under EU law. Before yesterday’s decision, companies participating in the Privacy Shield could transfer personal data under the European Commission’s Decision 2016/125 – the Commission’s adequacy decision that upheld the Privacy Shield as providing adequate protection for transfers under the GDPR.
Yesterday, the CJEU issued a long-awaited judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, widely referred to as Schrems II. The judgment invalidated Decision 2016/125. From a practical standpoint, this means that Privacy Shield participation no longer enables transfers from the EU to the U.S. Companies that continue to transfer personal data will need to establish other safeguards, including standard contractual clauses.
In the same judgment, the CJEU upheld standard contractual clauses as a method for transfer. However, the CJEU’s judgment is not a complete victory for U.S. companies that rely on standard contractual clauses. The judgment requires a data exporter (or, if necessary, a supervisory authority) to suspend transfers to the U.S. under standard contractual clauses if such clauses are not, or cannot be, complied with in the U.S. (or another third country). The CJEU invalidated the Privacy Shield based on its opinion that U.S. privacy and surveillance laws do not adequately safeguard the rights of EU data subjects. Those same issues will also apply to data transferred under standard contractual clauses, so some commentators are speculating that data flows from the EU to the U.S. will need to be halted.
2. Does this mean we can’t transfer or receive data from the EU?
No. It means that you cannot transfer personal data from the EU to the U.S. under the Privacy Shield. For now, companies may still transfer personal data under standard contractual clauses or another mechanism approved by the EU (e.g., binding corporate rules; ad hoc transfer clauses approved by a supervisory authority). We will continue to monitor developments, including any actions by supervisory authorities to suspend transfers under standard contractual clauses.
3. What about the U.S.-Swiss Privacy Shield?
Switzerland is not a member of the EU and is not directly affected by the CJEU’s decision. However, this decision may impact the U.S.-Switzerland framework in some manner. For example, when the CJEU invalidated the U.S.-EU Safe Harbor in 2016, the U.S. and Switzerland also renegotiated the U.S.-Swiss Safe Harbor and replaced it with the Privacy Shield framework.
4. When does this become effective?
The decision has immediate effect. From a practical perspective, we anticipate that EU supervisory authorities will issue a statement on enforcement. When the CJEU invalidated the U.S.-EU Safe Harbor framework, a grace period was provided for companies to transition to an alternative.
5. What do we need to do now?
We recommend the following immediate steps for companies that are Privacy Shield participants:
- Continue complying with Privacy Shield, as long as your organization is an “active” participant. The U.S. Department of Commerce indicated that it will continue to administer the Privacy Shield, and it will continue to be enforceable against participants. If your organization is an active member of the Privacy Shield, it must continue to comply with the Privacy Shield principles. However, unless the U.S. and EU are able to work out a fast solution to save the Privacy Shield, we recommend that you consider withdrawing as a participant or declining to renew. As always, upon leaving the Privacy Shield, we strongly advise you to remove any references to the Privacy Shield from your organization’s privacy policy or website. Organizations are often subject to FTC enforcement actions for misrepresenting their Privacy Shield status, and that will continue.
- Take inventory of existing transfers and determine whether those transfers are made under the Privacy Shield or through another mechanism. It is common for transferring parties to enter into standard contractual clauses, even where one or both parties are Privacy Shield participants. If that is the case, transfers may continue under those existing standard contractual clauses.
- Implement standard contractual clauses or other safeguards for transfers. There are alternatives to Privacy Shield, but despite the possibility that supervisory authorities may take further action against standard contractual clauses (either generally or on a case-by-case basis), in most cases standard contractual clauses will likely be the best alternative. The standard contractual clauses are boilerplate contractual provisions that many multinational companies are familiar with, and they do not require any additional, prior approval from supervisory authorities in the EU.
- If safeguards are not feasible, consider whether derogations apply. The GDPR provides certain derogations to its restriction on transfers, including consent, but we strongly recommend that you use derogations only as a last resort, where it is not possible to use standard contractual clauses or another safeguard.
6. Where can I read more about this?
- The CJEU issued a press release on its decision, available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf. The CJEU’s full judgment is available at: http://curia.europa.eu/juris/document/document_print.jsf?docid=228677&text=&dir=&doclang=EN&part=1&occ=first&mode=lst&pageIndex=0&cid=9710274.
- The U.S. Secretary of Commerce Wilbur Ross issued a statement, available at: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and