The Bottom Line
- Now that the European Union has invalidated the EU-US Privacy Shield Framework, companies will need to re-examine the methods they use to transfer personal data of EU data subjects from the EU to the U.S. The Standard Contractual Clauses, which survived the court’s ruling for now, will become a more popular option, at least until U.S. and EU regulators negotiate an alternative to Privacy Shield.
The summer of 2020 is proving to be a busy time for privacy legislation and an exciting time for privacy enthusiasts. On the heels of the official California Consumer Privacy Act (CCPA) enforcement date on July 1st and the second anniversary of the European Union’s General Data Protection Regulation (GDPR), as a result of the Schrems II case, the EU-US Privacy Shield Framework (Privacy Shield) has just been ruled invalid by the Court of Justice of the European Union (the Court). The Court’s ruling stated that Privacy Shield fails in its essential purpose of protecting and upholding privacy and data protection rules as required by the GDPR.
This latest development is likely to have material consequences on the many businesses that share and transfer data of European Union (EU) residents to businesses in the United States. In the same case, the Court ruled that the Standard Contractual Clauses (SCCs) are a valid means for cross-border data transfers, for now.
Cross-Border Data Transfers
Pursuant to Chapter 5 of the GDPR, transfers of personal data to a country outside of the EU can only occur where that country ensures an adequate level of protection for the personal data. The U.S. has been deemed inadequate under this standard. Therefore, U.S. and EU regulators have negotiated programs to ensure that such data transfers could continue in compliance with the GDPR.
Privacy Shield, the second such program, requires U.S. companies that want to be deemed adequate to self-certify to the Privacy Shield Principles and register with the program. While Privacy Shield is not the only cross-border data transfer mechanism, it is one of the more advantageous.
The Schrems II case derives its name from a lawsuit (Schrems I) that Max Schrems, a privacy advocate in Europe, brought against Facebook in 2013. In that prior action, Schrems claimed that the then-existing U.S.-EU Safe Harbor Framework (Safe Harbor) did not provide sufficient protection for the transfer of EU citizens’ personal data from Facebook in Ireland to Facebook in the United States.
As a result of Schrems I, Privacy Shield’s predecessor, Safe Harbor, was invalidated on the premise that the United States did not offer stringent enough data privacy protections. Schrems then brought a second claim, based on an allegation that the SCCs (also relied upon for transfers of data by Facebook) were also a deficient data protection mechanism.
The Court’s Decision
One of the most anticipated decisions in the history of EU privacy law has been rendered: The Privacy Shield is henceforth invalid. The Court indicated that the Privacy Shield simply does not sufficiently, as a minimum threshold, align with equivalent protections under EU privacy and data security law, particularly with respect to protections from U.S. surveillance activities, which the Court viewed as not sufficiently limited.
However, the SCCs have been upheld, with a caveat — their use should be assessed on a case-by-case basis. Companies in the EU wishing to rely upon the SCCs will also be expected to consider the privacy and data security laws, standards and practices in the jurisdiction where the data is to be transferred. If those laws, standards and/or practices are not sufficient, additional controls may be required. The SCCs should not just be signed and shoved into a drawer without further analysis.
EU regulators are expected to be looking at use of the SCCs more closely, particularly in the event of a data subject complaint.
Similarly to when the Safe Harbor was done away with in 2015, perhaps even before the dust has settled on Schrems II, we should expect the U.S. and EU to again attempt to negotiate yet another new personal data transfer mechanism. Without such a data transfer mechanism, coupled with the uncertainty around use of the SCCs, the ability of businesses to transfer personal data between the EU and the U.S. may be materially limited.
Reaching agreement in this regard has proven to be a difficult task given that the EU tends to revolve around a more citizen-driven privacy scheme, and in the U.S., the trend has been more market-driven, with the exception of new state protections that are now coming into play, such as the CCPA.
Although additional scrutiny and review may be required, for now, we should expect an increase in the reliance upon the SCCs in order to allow businesses to continue operating across jurisdictional boundaries.
Prior to this ruling, the Federal Trade Commission (FTC) had issued a number of enforcement actions against companies in connection with Privacy Shield, specifically that such companies had falsely stated that they were registered with the Privacy Shield program. It remains to be seen how the FTC will respond to this recent development. Especially since the U.S. will need to reach agreement with the EU on a new data transfer mechanism, we should expect continued vigilance by the FTC as a show of good faith and commitment to uphold a high level of protection for EU citizens.
A statement was quickly issued by U.S. Secretary of Commerce Wilbur Ross, whose agency manages the Privacy Shield program. Secretary Ross said “[w]hile the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts…[w]e have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies — but to businesses of all sizes in every sector.” Further, and perhaps surprisingly, the Department of Commerce stated that despite the decision they will continue to administer the Privacy Shield program, including processing new and renewing certifications, and that this decision “does not relieve participating organizations of their Privacy Shield obligations.”
Let’s hope the next data transfer treaty between the EU and the U.S. sticks.