The European Union Court of Justice (CJEU) invalidated on July 16, 2020, the EU-US “Privacy Shield,” the formal framework the European Union and the United States negotiated in 2016 for handling cross-border transfers of personal data from the EU to the U.S. Rumors of the Privacy Shield’s demise, which had been predicted for years, were finally borne out when the CJEU held in Data Protection Commissioner v Facebook Ireland (Schrems II) that the Privacy Shield program failed to provide adequate judicial redress to European data subjects in the face of the overly broad nature of U.S. government surveillance programs. The court concluded that the absence of such safeguards, which are guaranteed under the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union (Charter), required it to invalidate the adequacy decision made by the European Commission, which had allowed free-flowing data transfers between the EU and U.S. signatories to the Privacy Shield Program pursuant to GDPR Article 45(2).
While companies may still use the approved standard contractual clauses (“SCCs”) to handle cross-border transfers of personal data, the CJEU ruling and subsequent guidance from the European Data Protection Board have unsettled SCC transfer practices. Companies may very well have to take “additional measures” to safeguard EU data subjects’ personal data for transfers to the U.S. or other third countries whose data privacy laws do not provide protections equivalent to those available in the EU.
Privacy Shield Did Not Adequately Safeguard Data Subject Rights
The EU-U.S. Privacy Shield Program was conceived as a next-generation solution to cross-border personal data transfers across the Atlantic. It was put into place to succeed the prior U.S./EU Safe Harbor Framework after that framework was invalidated by the CJEU in an earlier decision involving the same litigant, known colloquially as Schrems I. However, many privacy advocates argued that the Privacy Shield failed to address the problem that doomed the prior iteration of this framework, Safe Harbor: mass surveillance without adequate legal redress for EU data subjects.
Essentially following on those criticisms, in Schrems II the CJEU found that the Privacy Shield Program failed to provide an effective mechanism to ensure compliance with the level of data protection afforded to data subjects under EU law. Specifically, under the EU-U.S. Privacy Shield Program, the U.S. agreed to appoint an independent ombudsperson. That designee was supposed to have the authority to facilitate requests related to the processing by U.S. national security services of personal data transmitted from the EU to the U.S. The ombudsperson mechanism was expressly intended to broadly cover cross-border transmissions made under Privacy Shield, SCCs, binding corporate rules, and current or future derogations (exceptions to the GDPR) which were subject to national security review in the U.S. However, as the CJEU observed in Paragraphs 196 and 197 of its Judgment:
. . . although recital 120 of the Privacy Shield Decision refers to a commitment from the US Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely. Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter. (emphasis added)
CJEU Unsettles Personal Data Transfer Practices under SCCs
In contrast to its determination invalidating the EU-U.S. Privacy Shield Program, the CJEU held that EU data exporters and data importers around the world, including the U.S., may continue to use SCCs to accomplish cross-border transfers of EU subjects’ personal data. However, the CJEU clarified that any such transfers should be “suspended or prohibited” by EU data exporters or a supervisory data protection authority (DPA) if it is determined that the obligations agreed to by the data importers under the SCCs “are not or cannot be complied with.”
Handling Cross-Border Data Transfers to the U.S. Going Forward
With the Privacy Shield now defunct and SCC transfers under scrutiny, enterprises that engage in cross-border transfers of personal data from the EU must ask themselves what steps can be taken to comply with their newly clarified obligations under the GDPR and the Charter. Fortunately, the CJEU and the European Data Protection Board (EDPB) acknowledge the validity of using SCCs for the transfer of personal data from the EU to third countries that lack an adequacy decision. In an announcement following the CJEU ruling, the EDPB explained:
While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.
If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
While the world waits for guidance from the EDPB on the additional measures to be taken, companies must still be responsive to inquiries from any of the DPAs. In the immediate aftermath of the CJEU judgment, a few DPAs have already indicated a rather dim view of the entire SCC process. For example, the DPAs in Hamburg and Berlin, Germany, questioned the notion that personal data transfers could now be made to the U.S. at all.
Similarly, the Irish Data Protection Commission, which has lead supervisory authority over the use of SCCs by Facebook and scores of other large US companies, promptly called into question the ongoing viability of any cross-border transfers of personal data to the U.S. using the current SCCs, writing:
while . . . the Court . . . has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. (emphasis added)
It is important to note that the divergent views of DPAs across Europe will need to be reconciled, with any final determination to be made by the EDPB under GDPR Article 65. In the meantime, companies should still consider working closely and cooperatively with their respective lead DPA on cross-border data transfers to the U.S. and other jurisdictions lacking an Article 45 adequacy determination. Taking a practical approach may yield more positive results than adopting a laissez-faire or confrontational stance on the issues.
Over the long term, companies should stay abreast of any bilateral developments between the U.S. and the EU on a new cross-border transfer framework to replace the Privacy Shield. Many political leaders from the EU and U.S. recognize the importance of having a predictable and reliable data transfer framework in place to support business and legal transactions associated with globalization. However, the question remains as to how that can be achieved recognizing the fundamentally divergent societal views on data protection and individual privacy.