July 29, 2020
Data transfers between the European Union and the United States that rely on Privacy Shield have been invalidated, and transfers between the European Union and the United States based on the Standard Contractual Clauses have been called into question, in a recent decision issued by the Court of Justice of the European Union. Businesses should strongly consider quickly adjusting their operations to address this new uncertainty.
The European Union’s comprehensive data protection regime, the General Data Protection Regulation (GDPR), prohibits the transfer of an individual’s personal information from the European Union to a country outside the European Union absent assurances that such country’s laws safeguard the privacy of that individual in a manner comparable to European Union data protection and privacy law.
Since its 2016 debut, nearly all personal data transfers from the European Union to the United States relied on the EU-U.S. Privacy Shield Framework (“Privacy Shield”) and/or a set of European Commission approved contractual clauses (the “Standard Contractual Clauses”). Until the decision of the Court of Justice of the European Union (CJEU) in Data Protection Commission v. Facebook Ireland, Schrems (“Schrems II”), Privacy Shield and the Standard Contractual Clauses provided the necessary assurance that the laws of the United States afforded adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals on a comparable basis with European Union law. However, on July 16, 2020, the CJEU determined:
- The European Commission’s 2016 decision adopting Privacy Shield, in which it found that the law of the United States provided an adequate level of protection for personal data so as to permit companies that self-certified under Privacy Shield to transfer personal data from the European Union to the United States, is invalid. In reaching its decision, the CJEU found that United States law failed to provide an adequate level of protection of personal data as compared to European Union law. Namely, the CJEU noted that: (1) United States public intelligence and law enforcement authorities have nearly unfettered access to and use of personal data, including data transferred from the European Union to the United States, (2) individuals whose personal information was swept up by United States intelligence or law enforcement activities lacked a meaningful method of redress for such incursions, and (3) the European Commission failed to appropriately consider the above in reaching its 2016 decision in “disregard [of] the requirements of . . . [European Union data protection and privacy law].”
- The Standard Contractual Clauses remain valid, as the data protection clauses contained therein provide “adequate” safeguards for the protection of personal data; therefore, parties contemplating the transfer of personal data from the European Union to a country outside of the European Union may rely on the Standard Contractual Clauses as a basis for such transfer if the transferring party (in coordination with the receiving party) “satisf[ies] themselves that the legislation of the third country of destination enables the recipient to comply with the standard data protection clauses in the [Standard Contractual Clauses], before transferring personal data to that third country.” This exercise requires “a case-by-case” analysis, and if either the transferring party or the receiving party determines that the destination country’s law fails to adequately mirror European Union law, then the parties to the transfer must agree to and implement “additional safeguards” so as to properly effectuate the data protection principles contained in the Standard Contractual Clauses.
Privacy Shield is no longer a permissible basis to support personal data transfers from the European Union to the United States and any transfers made in reliance on the same are illegal.
Even though the CJEU affirmed the validity and use of the Standard Contractual Clauses for data transfers, it did so with the express caveat that such clauses must actually be capable of safeguarding personal data consistently with European Union law. Since the Standard Contractual Clauses are a contractual instrument between private parties, they can only bind the respective parties to the agreement. In other words, a sovereign power (such as the United States) is not and cannot be bound by the parties’ agreement. Given that the CJEU determined that United States law inadequately safeguards personal data, the data protection obligations in the Standard Contractual Clauses are, absent further assurances between the parties to the data transfer, ineffective as to transfers to the United States, thus “call[ing] into question” any data transfers relying on the unqualified Standard Contractual Clauses. Indeed, the Irish Data Protection Commissioner, responding to the Schrems II decision, stated “the [Standard Contractual Clauses’] transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the [Standard Contractual Clauses’] transfer mechanism to transfers of personal data to the United States is now questionable.”
Fortunately, the European Commission is in the process of reviewing and modernizing the Standard Contractual Clauses (a process that was put on hold until Schrems II was resolved), and we expect that updated clauses will be forthcoming given the impact Schrems II will have on the already fragile $7.1 trillion transatlantic economic relationship between the European Union and the United States. However, until the European Commission updates the Standard Contractual Clauses, any transfer of personal information from the European Union to the United States relying on them carries risk.
Companies must find other “appropriate safeguards” to support data transfers from the European Union to the United States. The CJEU noted that Article 49 of the GDPR may serve to mitigate any “legal vacuum” created by its invalidation of Privacy Shield and its finding that United States law inadequately protects the privacy interests of individuals under European Union law; however, the “derogations” contained in Article 49 are of limited utility. Rather, companies are better served by considering technical or operational adjustments that support continued use of the Standard Contractual Clauses. For example, companies can implement more robust encryption of personal data (which mitigates government access only where the decryption keys themselves are not accessible from the destination country) or focus on data localization principles (i.e., processing personal data in the European Union). If transfer out of the European Union is necessary, you may want to explore transfer and processing of personal data to locations other than the United States (e.g., Canada), but be mindful that any onward transfer to another country would require consideration of and accounting for the laws and practices of that country (including the extent to which its public authorities will have access to the personal data) prior to any onward transfer.
For now, you should maintain your self-certification under Privacy Shield. It is too soon to tell whether Privacy Shield will (or can) serve as a lawful means of personal data transfers from the United Kingdom to the United States once the transition period expires at the end of this year as currently intended, and Schrems II has no bearing on the Swiss-U.S. Privacy Shield Framework, so your Swiss data transfers under Privacy Shield are still valid. Indeed, as the U.S. Department of Commerce remarked, “[the Schrems II] decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.” Therefore, if your company has held itself out as Privacy Shield compliant, do not abandon measures taken to meet Privacy Shield compliance.
Businesses are in a holding pattern as we await guidance from European data protection authorities, and we will continue to provide you with up-to-date information on this topic.
For further information and to obtain advice and strategic input on your data privacy and security compliance, in addition to the listed author, feel free to contact any of our Data Privacy & Security attorneys, including Bunny Smith and Seth Polansky.
Foundry General Counsel is closely monitoring and analyzing the global legal, economic, policy, and industry impacts of the Schrems II decision. For our latest insights, please periodically visit here.
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon as to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of Foundry General Counsel or its clients.