It feels fitting that the summer of 2020 would bring us Schrems II. This surprising Court of Justice of the European Union (CJEU) decision wreaked havoc in late July by invalidating the EU - U.S. Privacy Shield and calling into question other mechanisms for transferring the personal data of EU citizens into the United States (and beyond) under the GDPR. Let’s take a deeper dive into that decision and what it means for companies that need to transfer EU citizens’ data into the U.S.
Schrems II is the second decision by the CJEU that is based on privacy complaints made against Facebook by Austrian privacy activist Max Schrems. Both cases stem from privacy concerns related to the U.S. National Security Agency (NSA)’s ability to access the personal data of EU citizens, famously disclosed by Edward Snowden in 2013.
In the first Schrems decision in 2015, the CJEU invalidated the U.S. - EU Safe Harbor Framework (the predecessor to the EU - U.S. Privacy Shield) as a means to transfer personal data from the EU into the U.S., finding that the protections afforded by the Safe Harbor framework did not meet fundamental privacy rights guaranteed within the EU to EU citizens.
In the aftermath of the first Schrems decision, the U.S. Department of Commerce and the EU Commission collaborated to implement the EU-U.S. Privacy Shield as a replacement to the Safe Harbor Framework, again allowing for a broader transfer mechanism of personal data into the U.S. compared to the alternatives (namely, “standard contractual clauses” (SCCs) and “binding corporate rules” (BCRs) – more on those below). Since its implementation in 2016, over 5,000 organizations have met the requirements administered by the International Trade Administration to join the Privacy Shield. Meeting those requirements can mean a large investment for organizations in overhauling their data privacy practices.
That brings us to Schrems II, wherein Schrems brought a second complaint against Facebook, this time challenging the validity of SCCs as a mechanism to transfer personal data into the U.S. In Schrems II, he argued that the same privacy concerns related to the NSA’s ability to access EU citizens’ personal data under the Safe Harbor framework also applied to personal data transferred via an SCC. It should be noted here that around the same time, European privacy advocates also filed a challenge to the new EU-U.S. Privacy Shield with the European Court.
Schrems II CJEU Decision
In the Schrems II ruling in July, the CJEU ultimately decided to address both the EU-U.S. Privacy Shield and SCC issues.
The Court upheld the validity of SCCs as a means to transfer personal data from the EU into the U.S. However, rather than carte blanche approval, the Court laid out obligations for both parties of an SCC and data protection supervisory authorities within the EU. Those obligations include:
- Entities that are transferring personal data of EU citizens into the U.S. must verify “on a case by case basis” that the protections afforded by the SCC can be met and that there is an “adequate level of protection” in the U.S. to protect the personal data of EU citizens.
- Entities that are receiving personal data of EU citizens in the U.S. have an obligation to notify the data exporter if they are unable to comply with the SCC for any reason.
- Data protection supervisory authorities within the EU have a mandatory obligation to evaluate not only the terms of the SCCs themselves, but also whether the data protections afforded by the U.S. legal system can meet those terms. If the SCC is found to be insufficient, the supervisory authority has an obligation to stop the transfer.
This decision puts SCCs (and thereby BCRs) on shaky ground throughout the entire world, because the threshold set by the Court applies to any third country, not just the U.S. (see Questions 2 and 6 of the FAQ issued by the European Data Protection Board for more information on these points).
However, the real kicker of Schrems II for U.S.-based companies with an international presence is that the CJEU completely invalidated the EU-U.S. Privacy Shield. The Court found that the U.S. does not provide sufficient protection of EU citizens’ personal data because of the access the U.S. government has to EU citizens’ personal data and because EU citizens have no means of redress against U.S. authorities should their privacy rights be violated.
What Does Shrems II Mean for Companies that Need to Transfer Personal Data from the EU into the U.S.
- Companies that were relying on the Privacy Shield to transfer EU data into the U.S. should:
- Work to put individual SCCs or BCRs in place to achieve these transfers. There is no grace period during which a company can keep transferring data using the Privacy Shield mechanism, according to the European Data Protection Board (see Question 3 for more information).
- Continue to comply with all current Privacy Shield obligations. While the CJEU decision invalidates the Privacy Shield, it does not relieve current participant organizations of their obligations.
- Watch for further guidance from both the European Data Protection Board and the U.S. Department of Commerce (DOC). DOC and the European Commissioner for Justice issued a joint press release in early August, stating that they have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy shield framework that would meet the requirements laid out by the CJEU.
- Companies that rely on SCCs or BCRs as a means to transfer personal data should:
- Conduct a risk assessment to determine whether those agreements and the recipient of the data in the U.S. can provide an adequate level of data protection, according to the European Data Protection Board (see Questions 5 and 6 for more information).
- Watch for further guidance from data protection authorities in relevant countries related to SCCs and BCRs in the wake of Schrems II.
The transfer of personal data between countries is vital to the lifeblood of many companies, large and small. While Schrems II has thrown a wrench into the legality of those transfers… all is not lost. Stay tuned for updates from U.S. and EU authorities that may help ease the burden of this unexpected decision by the CJEU.
Resources for More Information
- CJUE Schrems II full decision: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=16606736
- CJEU press release on its Schrems II decision: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
- EU – U.S. Privacy Shield Program Schrems II FAQs: https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update
- European Data Protection Board Schrems II FAQs: https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/frequently-asked-questions-judgment-court-justice-european-union_en
- S. Secretary of Commerce Wilbur Ross Statement on Schrems II ruling and the importance of EU-U.S. data flows: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
- Joint press statement from the U.S. Secretary of Commerce and the European Commissioner regarding initiated discussions for a new privacy shield: https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european
- UK’s Information Commissioner’s Office updated statement on the Schrems II decision: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/