On Thursday, July 16, the European Union Court of Justice (CJEU) delivered a bombshell ruling invalidating the EU-U.S. Privacy Shield, which had been a widely used mechanism for U.S. companies to transfer and store EU personal data in the United States. The result of the case, known as Schrems II (C-311/18), is that U.S. companies may no longer rely on the Privacy Shield as a basis for transferring personal data from the EU to the United States.
Under the General Data Protection Regulation (GDPR) and other EU laws, data transfers to countries outside the EU may only occur if the third country ensures an adequate level of data protection, or if the data exporter provides appropriate safeguards for the data transfers. Prior to the Schrems II decision, the EU-U.S. Privacy Shield was used regularly by U.S. companies to transfer and store EU personal data in the United States.
Lack of Data Protection
The Schrems II case challenged the EU-U.S. Privacy Shield, arguing it did not provide the requisite protection of EU personal data because U.S. law did not adequately protect personal data, particularly due to U.S. government surveillance activities by the NSA and FISA courts. The CJEU considers the U.S. government’s access to personal data disproportionate to its stated goals and criticizes the lack of redress data subjects have to challenge the U.S. government’s access to their data.
More than 5,300 companies use the Privacy Shield to facilitate cross-continental data transfers, but they must now reevaluate their legal basis for transferring EU personal data.
SCCs OK to Use, For Now
Importantly, the Schrems II decision validated the use of standard contractual clauses (SCCs), another commonly used mechanism for transatlantic data transfers. According to Schrems II, companies may continue to utilize SCCs as the basis for EU-U.S. data transfers so long as the SCCs ensure the EU data is afforded the same level of protection it receives under EU law.
Companies relying on SCCs, however, must effectively implement the terms of the SCCs and assess whether U.S. law allows the company to truly comply with the SCCs’ terms. If the company cannot ensure transfers are made in accordance with the SCCs’ terms, it must suspend the transfers and seek alternative bases for transferring EU data to the United States.
While this is an important aspect of the Schrems II decision, and use of SCCs continues to be valid if implemented properly, it raises the question: how many companies are going to determine that they cannot ensure that their EU data is adequately protected in the United States? That may effectively invalidate the use of SCCs in the future.
BCRs and Derogations Still Viable Options
The Schrems II decision did not discuss binding corporate rules (BCRs) and derogations allowed under GDPR Article 49. These presumably remain viable options for transatlantic data transfers. GDPR Article 49 allows for the transfer of personal data in a variety of circumstances even in the absence of an adequacy decision or binding corporate rules. These scenarios include when the company has obtained explicit informed consent from the data subject, and when the transfers are necessary for the data controller to perform a contract on behalf of the data subject.
What Happens Next?
In a response statement by the U.S. Secretary of Commerce, Wilbur Ross expressed disappointment at the ruling but stated the department would continue to administer the Privacy Shield program. “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts,” Ross stated.
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”
Large technology companies have sought to reassure customers that data transfers would remain unaffected. For example, Microsoft’s Corporate Vice President for Global Privacy and Regulatory Affairs wrote in a blog post, “For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our commercial customers are already protected under SCCs.”
The practical implications of the Schrems II decision will be borne out over the next weeks, months and even years. At a minimum, the decision should prompt companies engaging in U.S.-EU data transfers to evaluate their legal basis for doing so in this new post-Schrems II era of data protection.
Adams and Reese’s Privacy, Cybersecurity and Data Management team will continue to monitor developments in this arena.