European Court of Justice Invalidates Privacy Shield but Holds Standard Data Protection Clauses to Be Valid (maybe!)
The Court of Justice of the European Union (ECJ) recently declared that the EU-U.S. Privacy Shield, used by thousands of businesses to transfer personal data between the EU and U.S., was invalid. [Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, (“Schrems II”)]. This decision will have a wide-ranging impact on businesses that handle data protected by the EU’s General Data Protection Regulation (GDPR). At the same time, the ECJ held that businesses can still transfer personal data to countries outside the EU if they execute the EU’s approved standard data protection clauses (“Standard Contractual Clauses” or “SCCs”), provided there are effective mechanisms to ensure compliance with the level of protection required by EU law, and if the transfer of personal data is prohibited in the event of the breach of such clauses. This alert breaks down the key aspects of the court’s decision and offers recommendations for how businesses should respond.
Background to the Schrems II Decision
The case is related to an earlier complaint filed by Maximillian Schrems with the Irish Data Protection Commission (Irish DPC) in 2013 arguing that Facebook was unable to ensure an “adequate level of protection” required under EU law because of U.S. government surveillance of EU citizen information that was transferred to the United States (“Schrems I”). The Safe Harbor Framework (recognized under EU law as Decision 2000/520) that existed at the time allowed for data transfers from the EU to companies located in the United States despite the United States not meeting the EU’s personal data protection requirements. In Schrems I, the ECJ held that personal data transfers outside of the EU required an “essentially equivalent” level of protection to the data as was offered in the EU, and overturned the Safe Harbor Framework concluding that it did not ensure that level of protection. The ECJ found that the Safe Harbor Framework had no real control mechanism beyond self-monitoring, lacked periodic recertification, and did not demonstrate how the self-certification process could factually ensure proper protection. The ECJ’s strongest criticism came against the exception within the Framework that relaxed privacy standards for “national security, public interest, or law enforcement requirements.”
In response to Schrems I, the European Commission announced a new EU-U.S. “Privacy Shield” on July 12, 2016, to address the shortcomings highlighted by the ECJ. The Privacy Shield increased oversight, required organizations to undergo periodic reviews and renewals, mandated disclosure, and provided legal remedies to EU citizens who allege a company has engaged in improper disclosures of data. The Privacy Shield also led to the creation of an “Ombudsman” which provided an avenue to address complaints by EU data subjects against U.S. authorities regarding the authorities’ access to personal data. When a company certified compliance with the Privacy Shield, it was capable of receiving personal data transfers from the EU. As of July 2020, there were over 5,300 Privacy Shield participants. Those participants, in turn, provided data processing services to thousands of other companies, which means that countless companies were relying on the Privacy Shield as a lawful means of transferring personal data from the EU to the U.S.
Many companies, including Facebook, also used the SCCs as another way for a U.S. company to receive data transfers from the EU. First adopted by the European Commission in 2010, the SCCs permit the transfer of personal data to processors established in third countries if they adhere to a number of provisions that ensure the protection of personal data. The SCCs are required to be adopted and signed by both parties prior to the transfer of data, and should not be substantively modified in any way.
The Schrems II Decision
Also following the Schrems I decision, the Irish DPC requested that Schrems reformulate his complaint. In response, Schrems challenged Facebook’s use of the SCCs, asserting that the SCCs cannot offer adequate protection when a third-country data importer is subject to invasive surveillance laws that fail to provide adequate data protection. Schrems also raised concerns about the EU-U.S. Privacy Shield framework. On July 9, 2019, the ECJ held a hearing on Schrems’s second complaint. On July 16, 2020, the ECJ issued its much-anticipated ruling in Schrems II and invalidated the Privacy Shield.
In making its determination, the ECJ considered five questions: 1) whether the GDPR applies to transfers of personal data from the EU to countries outside the EU pursuant to the SCCs; 2) what level of protection is required by the GDPR in connection with such a transfer; 3) what obligations are incumbent on supervisory authorities (i.e., government regulators) in those circumstances; 4) whether the SCCs withstand scrutiny and can be used to lawfully transfer personal data; and 5) whether the EU-U.S. Privacy Shield could be used to lawfully transfer personal data.
First, the ECJ determined that EU law and the GDPR apply to personal data transfers from the EU to countries outside the EU. It held that the level of protection required for the transferred data is equivalent to that guaranteed within the EU by the GDPR, even when the data is used for the purposes of public security.
Second, the ECJ held the SCCs to be valid, but it also went on to impose new responsibilities on the government regulators in each EU member nation, as well as on the data exporter and the data recipient. The court recognized that due to the contractual nature of the SCCs, they do not bind the authorities of the third country to which data may be transferred. Thus, the court held that these clauses are valid only if there are effective mechanisms to ensure compliance, and if transfers could be suspended or prohibited in the event of a breach of the SCCs. The court also imposed an obligation on a data exporter and the data recipient to verify, prior to any transfer, whether the level of protection for data under EU law is respected in the country to which data will be transferred. Finally, the ECJ required the data recipient to inform the data exporter of any inability to comply with the SCCs. In such instances, the data exporter is obligated to suspend the data transfer and/or terminate the contract.
Finally, the court invalidated the Privacy Shield based on its perception that U.S. national security and law enforcement requirements interfere with the fundamental rights of EU citizens. The ECJ held that the limitations on the protection of personal data in the U.S. do not satisfy EU law, which limits such surveillance to what is strictly necessary. The court found that certain surveillance programs in the U.S. are not adequately limited to protect fundamental rights, there are no guarantees for potentially targeted non-U.S. persons, and there are no actionable rights for such persons before the courts against the U.S. authorities. It further found that the “Ombudsperson” mechanism in the Privacy Shield does not provide data subjects with any causes of action. Specifically, under the Privacy Shield, non-U.S. persons are unable to ensure the independence of the Ombudsperson, nor can the Ombudsperson adopt decisions that bind the U.S. intelligence services.
Key Takeaways From the Schrems II Decision
Following this decision, every data exporter and data recipient that relied on the Privacy Shield will need to find a new, approved method for lawfully transferring personal data from the EU to a third country. In the majority of cases, this will require executing SCCs between the data exporter and recipient. But in such cases, each data exporter and recipient is required to undertake a case-by-case analysis to confirm that the high level of protection required by the GDPR will be met. And because each EU member state has its own regulator (or more than one regulatory entity), there is a risk of varied standards amongst the member states.
Additional obligations also exist for the data exporter and recipient, as they are required to continually monitor the transfer and use of data, and make necessary corrections on a case-by-case basis. Considering the penalties to which organizations are exposed for GDPR violations, this decision creates a heavy obligation that will require organizations involved in data transfers to pay significantly more attention to privacy compliance. Where the data transferred is likely to be subject to U.S. government surveillance, the use of encryption offers a potential means to ensure compliance with the SCCs. Another strategy could be to add provisions to the SCCs that require the data recipient to notify the exporter if it receives a request for access to the data from the U.S. government. The case-by-case analysis could also be dependent on the type of data being transferred. For example, if the data recipient has not received any prior requests for similar data from the U.S. government under FISA, the level of continual monitoring of the transferred data could be reduced.
We note that case-by-case determinations could be avoided if organizations can ensure protection of the transferred data by other means. Under the GDPR, this could be accomplished in three ways. First, if the country of the data recipient has been deemed “adequate” by the European Commission when it comes to protecting personal data, no SCCs are required. At the moment, however, the United States has not been deemed “adequate.” Second, the data recipient can attempt to provide other “appropriate safeguards” to protect the transferred data, such as by adopting binding corporate rules. Finally, companies can attempt to rely on derogations in specific situations, i.e., that the data transfer meets one of the other conditions for legal transfers, such as that the transfer is necessary for the performance of a contract between the data subject and the controller. In light of the ECJ’s decision regarding the SCCs, however, the use of binding corporate rules and derogations may also now carry with them a continuing monitoring requirement.
In response to Schrems II, the U.S. Department of Commerce clarified that the decision does not relieve participating organizations of their Privacy Shield obligations. Further, Schrems II does not impact the Swiss-U.S. Privacy Shield, which is an entirely different framework. Though the ECJ’s Schrems II decision does not provide a grace period for alternate compliance, regulators in each EU member state may grant such grace periods.
While the impact of this decision will continue to play out over the coming months and years, one thing is certain: the requirement for a case-by-case analysis for data transfers puts a greater burden on organizations engaging in data transfers when it comes to privacy law compliance.