Privacy Shield Invalidated 2020: What You Need to Know & Can SCCs Bring Respite?
July 17, 2020
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU remain valid, while emphasizing the need for case-by-case scrutiny of the level of protection in the destination country. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework, finding that it falls short of the requirements of Article 45(2)(a) of the GDPR.
| Date | Event |
|---|---|
| June 2013 | Snowden disclosures regarding the PRISM program |
| June 2013 | Schrems complaint to the Irish DPC regarding Safe Harbor in view of the Snowden disclosures |
| June 2014 | Irish High Court refers the Schrems case to the CJEU |
| October 2015 | CJEU invalidates Safe Harbor |
| October–December 2015 | Schrems complaint to the Irish DPC regarding the EU Standard Contractual Clauses (SCCs) |
| July 2016 | Adoption of the EU-US Privacy Shield |
| October 2017 | Irish High Court refers the Schrems complaint to the CJEU |
| May 2018 | Entry into force of the GDPR |
| July 2019 | Schrems II hearing in the CJEU |
| December 2019 | CJEU AG Opinion in Schrems II |
| 16 July 2020 | CJEU judgment in Schrems II |
As the timeline shows, Schrems II has been years in the making and is a fascinating case. As a result of the judgment, US companies doing business in Europe or handling data from European clients will either have to put another transfer mechanism in place, typically the Commission's Standard Contractual Clauses (SCCs) concluded between the EU data exporter and the US data importer, or stop porting data from European operations into the US.
The ruling has an impact on
(a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and
(b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.
Supervisory Authorities' Reaction
Following the ECJ Schrems II decision, some supervisory authorities have expressed their view on the way forward, in particular with respect to the continued use of the Standard Contractual Clauses (SCC). Below we have summarized the key messages and findings:
If the invalidity of the Privacy Shield is primarily due to the escalating intelligence activities in the USA, the same must also apply to the Standard Contractual Clauses. Contractual agreements between data exporter and importer are equally unsuitable for protecting data subjects from state access.
However, they also see that
in addition to Binding Corporate Rules and individual agreements, it is above all the SCC that can be used as a basis for transfers to third countries. At the same time, however, uncertainty has increased this time: The ECJ is passing the ball to the European supervisory authorities.
Johannes Caspar, Commissioner for Data Protection and Freedom of Information of the Hamburg DPA, states:
After today’s ECJ decision, the ball is once again in the court of the supervisory authorities, who will now be faced with the decision to critically question the overall data transfer via standard contractual clauses.
At the same time, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, associates today’s ruling of the European Court of Justice (ECJ) on international data transfer with a strengthening of the rights of those affected:
The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Special protective measures must now be taken for data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which the ECJ has declared ineffective. We will, of course, be giving intensive advice on the changeover.
A very proactive approach was taken by the Rhineland-Palatinate DPA, which published an FAQ document just a few hours after the ECJ decision. Regarding what data exporters now have to do in relation to the SCC, it concludes:
Data controllers must check the laws applicable to the data importer in the third country to which they intend to transfer the data and, if applicable, to its other contractual partners in this business relationship and whether these laws affect the guarantees provided by the standard contractual clauses. If necessary, the specific data flows must be analyzed to determine which laws of the third country are applicable in each case. These obligations apply to data transfers to all third countries, not only to the USA.
The Validity of the SCC Decision Is Recognized
Since the Court upheld the validity of the 2010 SCC Decision, data flows from the EU to the rest of the world based on SCCs can continue uninterrupted. However, even companies that rely on SCCs for exporting data out of the EEA would be prudent to monitor this space closely. The EU Commissioner for Justice, Didier Reynders, issued an early announcement on the same day as the decision, noting the Commission's plans to update the SCCs in light of their now-increased importance.
Invalidation of the Privacy Shield Without a Transition Period
Since the Court also assessed the Privacy Shield and found it invalid, all data flows relying on this framework became unlawful with immediate effect; the judgment provides no transition period.
The Privacy Shield now faces the same unfortunate fate as the Safe Harbor program in 2015. Similar to the scramble that occurred after the invalidation of Safe Harbor, we may see the U.S. and EU governments meet to repair the defects highlighted by the CJEU decision. But until these defects are remedied, any company relying on the Privacy Shield to transfer data should shift to the mechanisms that have been explicitly recognized as appropriate safeguards under Art. 46, namely SCCs and Binding Corporate Rules (BCRs), or, for occasional transfers, to the Art. 49 derogations such as the data subject's explicit consent.
As the authorities acknowledge that the SCCs still work as a basis, we expect that the authorities will allow organizations a grace period to bring themselves into compliance in relation to transfers following the judgment. A 6-month grace period was allowed after the fall of Safe Harbor in 2015. Given the broader impact, it would be reasonable to repeat this now and potentially to extend the period.
Next Steps for Organizations
Businesses should prepare for the post-Privacy Shield era now and get binding corporate rules (BCR) or standard contractual clauses (SCC) in place for their own transfers.
- While SCCs remain valid, organizations that currently rely on them will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
- Organizations that currently rely on the EU – U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Organizations may be able to rely on derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), and SCCs or Binding Corporate Rules should also be considered as alternative mechanisms.
In short, companies that are subject to the GDPR should consider
(i) their data flows to the U.S.,
(ii) the respective legal mechanism for such transfers to the U.S., and
(iii) if the EU-U.S. Privacy Shield is the current transfer mechanism, put in place a legitimate transfer mechanism for such activities.
What Convert Will Do
- Watch out for guidance from supervisory authorities, the European Data Protection Board, and the European Commission.
- Assess what data is being transferred outside the EU and on what basis. Look out for:
- Data transfers to organizations which participate in the Privacy Shield,
- Data transfers which rely on Standard Contractual Clauses – note any data transfers to US importers relying on SCCs in particular,
- Data transfers which rely on Binding Corporate Rules and which involve data transfers to the US. The CJEU doesn’t mention BCRs, but they are a form of “appropriate safeguard” pursuant to Art. 46, so the general comments about the need to assess the law of the importing country could also be applicable here.
- Develop an approach for due diligence when data transfers take place – either within the organization or with suppliers. This should check:
- To which country the personal data is transferred,
- Whether public authorities in that country could be entitled to access the data,
- On what basis this is authorized.
- Is it set out in the law?
- Does the law limit the ability to access the data?
- Is it no more than is necessary and proportionate, in a democratic society, to safeguard national security, defense, public security or the prevention and detection of criminal offenses and execution of criminal penalties?
- Does the law provide effective judicial remedies for data subjects?
- Is the data encrypted or tokenized in transit and at rest, and who holds the keys? Transport encryption alone does not prevent access by a public authority that can compel the importer, so the assessment should cover whether the importer can decrypt or re-identify the data.