
Top European Court Invalidates Privacy Shield, Unsettles Personal Data Transfer Practices under the Standard Contractual Clauses

The Court of Justice of the European Union (CJEU) invalidated on July 16, 2020, the EU-U.S. “Privacy Shield,” the formal framework the European Union and the United States negotiated in 2016 for handling cross-border transfers of personal data from the EU to the U.S. Rumors of the Privacy Shield’s demise, which had been predicted for years, were finally borne out when the CJEU held in Data Protection Commissioner v Facebook Ireland (Schrems II) that the Privacy Shield program failed to provide adequate judicial redress to European data subjects in the face of the overly broad nature of U.S. government surveillance programs. The court concluded that the absence of such safeguards, which are guaranteed under the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union (Charter), required it to invalidate the adequacy decision made by the European Commission under GDPR Article 45(2) that allowed free-flowing data transfers between the EU and U.S. signatories to the Privacy Shield Program.

While companies may still use the approved standard contractual clauses (“SCCs”) to handle cross-border transfers of personal data, the CJEU ruling and subsequent guidance from the European Data Protection Board have unsettled SCC transfer practices. Companies may very well have to take “additional measures” to safeguard EU data subjects’ personal data for transfers to the U.S. or other third countries whose data privacy laws do not provide protections equivalent to those available in the EU.

Privacy Shield Did Not Adequately Safeguard Data Subject Rights

The EU-U.S. Privacy Shield Program was conceived as a next-generation solution to cross-border personal data transfers across the Atlantic. It was put into place to succeed the prior U.S./EU Safe Harbor Framework after that framework was invalidated by the CJEU in an earlier decision involving the same litigant, known colloquially as Schrems I. However, many privacy advocates argued the Privacy Shield failed to address the problem that doomed the prior iteration of this framework, Safe Harbor: mass surveillance without adequate legal redress for EU data subjects.

Essentially following on those criticisms, in Schrems II the CJEU found that the Privacy Shield Program failed to provide an effective mechanism to ensure compliance with the level of data protection afforded to data subjects under EU law. Specifically, under the EU-U.S. Privacy Shield Program, the U.S. agreed to appoint an independent ombudsperson. That designee was supposed to have the authority to facilitate requests related to the processing by U.S. national security services of personal data transmitted from the EU to the U.S. The ombudsperson mechanism was expressly intended to broadly cover cross-border transmissions made under Privacy Shield, SCCs, binding corporate rules, and current or future derogations (exceptions to the GDPR) which were subject to national security review in the U.S. However, as the CJEU observed in Paragraphs 196 and 197 of its Judgment:

. . . although recital 120 of the Privacy Shield Decision refers to a commitment from the US Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely. Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter. (emphasis added)

CJEU Unsettles Personal Data Transfer Practices under SCCs

In contrast to its determination invalidating the EU-U.S. Privacy Shield Program, the CJEU held that EU data exporters and data importers around the world, including the U.S., may continue to use SCCs to accomplish cross-border transfers of EU subjects’ personal data. However, the CJEU clarified that any such transfers should be “suspended or prohibited” by EU data exporters or a supervisory data protection authority (DPA) if it is determined that the obligations agreed to by the data importers under the SCCs “are not or cannot be complied with.”

Handling Cross-Border Data Transfers to the U.S. Going Forward

With the Privacy Shield now defunct and SCC transfers under scrutiny, enterprises that engage in cross-border transfers of personal data from the EU must ask themselves what steps can be taken to comply with their newly clarified obligations under the GDPR and the Charter. Fortunately, the CJEU and the European Data Protection Board (EDPB) acknowledge the validity of using the SCCs for the transfer of personal data from the EU to third countries that lack an adequacy decision. In an announcement following the CJEU ruling, the EDPB explained:

While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.

If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

While the world waits for guidance from the EDPB on the additional measures to be taken, companies must still be responsive to inquiries from any of the DPAs. In the immediate aftermath of the CJEU judgment, a few DPAs have already indicated a rather dim view of the entire SCC process. For example, the DPAs in Hamburg and Berlin, Germany, questioned the notion that personal data transfers could now be made to the U.S. at all.

Similarly, the Irish Data Protection Commission, which is the lead supervisory authority over the use of SCCs by Facebook and scores of other large U.S. companies, promptly called into question the ongoing viability of any cross-border transfers of personal data to the U.S. using the current SCCs, writing:

while . . . the Court . . . has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. (emphasis added)

It is important to note that divergent views of DPAs across Europe will need to be reconciled, with any final determination to be made by the EDPB under GDPR Article 65. In the meantime, companies should still consider working closely and cooperatively with their respective lead DPA on cross-border data transfers to the U.S. and other jurisdictions lacking an Article 45 adequacy determination. Taking a practical approach may yield more positive results than adopting a laissez-faire or confrontational stance on these issues.

Over the long term, companies should stay abreast of any bilateral developments between the U.S. and the EU on a new cross-border transfer framework to replace the Privacy Shield. Many political leaders from the EU and the U.S. recognize the importance of having a predictable and reliable data transfer framework in place to support the business and legal transactions associated with globalization. However, the question remains how that can be achieved given the fundamentally divergent societal views on data protection and individual privacy.

Eric P. Mandel

Eric is an attorney, legal technologist, and privacy professional who has spent the past 13 years focused on solving complex problems at the intersection of law and technology. He has served in senior leadership roles in several U.S.-based trade associations, including The Sedona Conference, the EDRM Institute, the Legal Technology Professionals Institute, and the Association of Certified E-Discovery Specialists, and is a frequent speaker on a broad range of topics relating to electronic discovery, information governance, data regulatory compliance, and data privacy and data protection. Additionally, Eric has worked on numerous leading publications, including The Sedona Principles, Third Edition.

Jonathan Swerdloff

Jonathan Swerdloff is a Consultant at Driven, Inc. Prior to joining Driven, Jonathan was a litigation associate at Hughes, Hubbard & Reed LLP, accumulating more than 10 years’ experience in eDiscovery that included managing large discovery projects, analysis of enterprise systems, and investigations into nontraditional data sources. Through his experience as a litigator and programmer, Jonathan focused primarily on creative problem solving with regard to all data types. He analyzed and produced complex enterprise systems and developed internal workflows for large litigations. He deployed Information Governance strategies, has extensive experience with structured data collection, analysis, and production, and has served as an expert witness. His experience also includes developing cost-saving legal processes, managing legal budgets, and supervising legal personnel. Jonathan is admitted to the bars of New York and Connecticut. He holds a J.D. from the Cardozo School of Law and an MPS from NYU’s Tisch School of the Arts Interactive Telecommunications Program, where he studied rapid prototyping and software development. Jonathan is also an adjunct professor at the Parsons School of Design, teaching a Masters-level course in regulatory and ethics contexts for product designers. Jonathan previously served as the Director of Legal Strategy at the Corporate Knowledge Strategies Forum.

Philip Favro

Philip Favro acts as a trusted advisor to organizations and law firms on issues surrounding discovery and information governance. Phil provides guidance on data preservation practices, litigation holds, data collection strategies, and ESI search methodologies. In addition, he offers direction to organizations on records retention policies and the need to manage dynamic sources of information found on smartphones, cloud applications, and social networks. Phil is available to serve as a special master on issues related to electronic discovery. Phil is a nationally recognized thought leader and legal scholar on issues relating to the discovery process. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference where he leads drafting teams and serves as the Steering Committee project manager. Prior to joining Driven, Phil practiced law in Northern California where he advised a variety of clients regarding business disputes and complex discovery issues. He also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.