Yesterday, the Court of Justice of the European Union (“CJEU” or “Court”) reached a landmark decision in the Schrems II case (case C-311/18) (the “Schrems II Decision”) invalidating the EU-U.S. Privacy Shield framework. The following are our top takeaways from the CJEU’s decision:
Invalidation of the Privacy Shield in its entirety, effective immediately. The CJEU took the position that U.S. national security powers and programs allow for interference with the fundamental privacy rights of EU citizens whose personal data are transferred to the U.S. Specifically, U.S. law does not limit U.S. authorities’ access to and use of personal data in a manner that satisfies requirements that are “essentially equivalent” to requirements for protection of personal data under EU law. Certain U.S. surveillance programs, such as PRISM and UPSTREAM, do not provide for any limitations on the power conferred to implement such programs, or for any guarantees for potentially targeted non-U.S. individuals. Additionally, the CJEU determined that U.S. law fails to provide adequate remedies for EU individuals who believe their privacy rights have been violated because EU individuals are not granted actionable rights against U.S. authorities. Based on these determinations, the Court ruled the Privacy Shield framework invalid, effective immediately.
Validity of Standard Contractual Clauses generally affirmed, but may not be appropriate for many transfers, and additional safeguards may be required. The CJEU reaffirmed the validity of Standard Contractual Clauses (“SCCs”) as an acceptable data transfer mechanism, but asserted that organizations located in and outside of the EU that transfer EU personal data cross-border in reliance on SCCs must verify, on a case-by-case basis, whether the law in the recipient country ensures protection for such personal data that is adequate in relation to EU law. If the recipient country’s law does not provide adequate protection, then the companies involved in the transfer must either implement and provide additional safeguards, or suspend or end the transfer of personal data. In analyzing the adequacy of U.S. law in protecting EU personal data, it is important to be aware of the Court’s expressed concerns with Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), which permits the surveillance of non-U.S. persons located outside of the U.S. to obtain foreign intelligence information. The CJEU noted that, “[i]n those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” As Max Schrems has asserted, this decision likely means that SCCs cannot be used by U.S. organizations subject to U.S. surveillance laws (e.g., electronic communication service providers), because such organizations would be obligated to provide U.S. authorities with access to personal data, and thus any additional safeguards put in place alongside SCCs still would not protect EU personal data from being reviewed by U.S. federal agencies.
By extension, organizations using U.S.-based electronic communication service providers (such as Google, Facebook, and Microsoft) subject to Section 702 to transfer or store EU personal data likely can no longer rely on SCCs to transfer data to or through such providers.
The Irish Data Protection Commission went one step further, stating that the Court “ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg (Germany) Commissioner for Data Protection and Freedom of Information reached a similar conclusion: “If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect those affected from state access.”
Other data transfer mechanisms were not invalidated, but may still be in jeopardy due to U.S. national security laws. The CJEU’s decision did not invalidate other data transfer mechanisms, such as Binding Corporate Rules (“BCRs”) or derogations under Article 49 of the GDPR. However, like data transfers to the U.S. under the SCCs, data transfers to the U.S. relying on other mechanisms appear to be in jeopardy in light of the Court’s expressed concerns about U.S. national security laws, which can reasonably be inferred to also apply to other data transfer mechanisms when the U.S. recipient is subject to U.S. surveillance laws and is obligated to provide U.S. authorities with access to and use of personal data.
National Data Protection Authorities (“DPAs”) have the duty to prevent data transfers under SCCs that do not comply with EU law. The CJEU stated that DPAs are required to suspend or prohibit transfers of personal data relying on SCCs if such DPAs determine that, in light of all the circumstances of a given transfer (which would include consideration of country-specific surveillance practices), the SCCs are not or cannot be complied with in connection with that transfer, and the level of protection of the data transferred that is required by EU data protection law cannot be ensured by other means.
Decision’s applicability not limited to the U.S. Though the decision is focused on the U.S., it has broad applicability to EU personal data transfers to other countries, particularly to other countries in which there is significant national surveillance of personal data.
Recommended Next Steps
Organizations involved in transfers of personal data out of the EU, whether sending or receiving such data, should consider taking the following steps in light of the Schrems II Decision:
Consider reasonableness of discontinuing transfers of EU data to the U.S. EU organizations should consider whether it is a viable option to cease transferring EU personal data to the U.S.
Analyze adequacy of data transfer mechanisms currently in place. Organizations should identify the data transfer mechanism in place for each data transfer or set of data transfers from the EU, and determine the adequacy of the transfer mechanism used in each case in light of the CJEU’s decision. For each data transfer, organizations should consider: (1) the type(s) of personal data being transferred; (2) the country to which the personal data is being transferred; (3) whether and under what circumstances such country’s national security laws would permit governmental authorities to access the personal data; (4) whether the country’s laws provide effective judicial remedies for EU data subjects; (5) what safeguards have been put in place to protect the confidentiality of the personal data in transit and in storage (e.g., encryption, including who holds the decryption keys); and (6) whether the data transfer mechanism that is in place is appropriate in light of EU law and guidance.
If currently relying on the Privacy Shield framework:
- Determine and implement alternative transfer mechanism. Because the Privacy Shield has been invalidated, organizations currently relying on the Privacy Shield for transfers of data from the EU must analyze the appropriateness of different data transfer mechanisms, such as SCCs, BCRs, or derogations under GDPR Article 49. This determination must be made on a case-by-case basis, and must involve an analysis of the specific facts of each data transfer or set of data transfers. Once this determination is made, organizations should seek to promptly implement the chosen mechanism or mechanisms.
- Withdraw from Privacy Shield Framework. Although the CJEU’s decision invalidates the Privacy Shield as a data transfer mechanism, it does not affect the U.S. Department of Commerce’s continued administration of the Privacy Shield program. As U.S. Secretary of Commerce Wilbur Ross stated following the CJEU’s ruling, “[t]oday’s decision does not relieve participating organizations of their Privacy Shield obligations.” It also does not affect the FTC’s enforcement of Privacy Shield commitments under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. U.S. organizations should consider taking the necessary steps to withdraw from the Privacy Shield framework and their related Privacy Shield commitments in order to remove the FTC’s jurisdiction over the organization with respect to enforcement of those commitments.
If currently relying on SCCs:
- Analyze data transfers on a case-by-case basis to determine the appropriateness of relying on SCCs and the necessity of applying additional safeguards. Organizations should analyze each data transfer or set of data transfers currently made under SCCs. For each, they should consider whether the EU personal data being transferred is likely to be of interest to U.S. surveillance authorities (e.g., whether the organization or the service providers that process EU personal data on its behalf are potentially subject to FISA Section 702 requests, and whether the personal data being collected and processed by the organization and/or its service providers is likely to be of interest to U.S. surveillance authorities), and whether they can otherwise comply with the obligations set forth in the SCCs. As appropriate, organizations should implement additional safeguards in furtherance of providing transferred personal data with the same level of protection as afforded under EU law. The CJEU’s decision did not describe any specific safeguards that may be taken, but this is likely a topic on which DPAs will provide guidance in the future.
- Monitor compliance moving forward. Organizations should monitor their own compliance with commitments made in the SCCs moving forward. If organizations subject to SCC commitments receive requests from U.S. authorities for EU personal data, they should assess the scope of the request, analyze the appropriateness of the asserted powers of the requesting U.S. authority, and, as appropriate, object to such requests. To the extent that access to any EU personal data is provided to U.S. authorities, organizations should analyze additional, necessary actions in light of their EU data protection obligations.
- Monitor Schrems case developments. Organizations should monitor future developments in the Schrems case, which is being sent back to the Irish High Court.
If currently relying on other data transfer mechanisms, such as BCRs or derogations under Article 49 of the GDPR:
- Analyze data transfers on a case-by-case basis to determine necessity of applying additional safeguards. Similar to SCCs, organizations that rely on other data transfer mechanisms should analyze each data transfer or set of data transfers currently made under the data transfer mechanism, and consider whether the data being transferred may be of interest to U.S. authorities, and whether the U.S. organization (or any of its processors that are transferring or storing EU personal data) is subject to U.S. surveillance laws. As appropriate, additional safeguards should be considered and implemented.
- Consider appropriateness of use of derogations. Article 49 of the GDPR allows, in the absence of an adequacy decision or of appropriate safeguards pursuant to Article 46 (such as BCRs or SCCs), a transfer or a set of transfers of personal data to a third country or an international organization to take place only under certain conditions, such as when the data subject provides their explicit consent to the transfer or the transfer is necessary for the performance of a contract. However, organizations should be aware of DPA guidance, such as the European Data Protection Board’s Guidelines 2/2018 on derogations of Article 49, that highlight that derogations are not generally intended to be used for regular, ongoing transfers of personal data.
Document Decisions and Rationale. Organizations should document the decisions they make regarding data transfer mechanisms to be utilized, including recording any additional safeguards to be put in place, and the rationale for determinations concerning the sufficiency of the chosen transfer mechanism and whether and what additional safeguards are merited.
Monitor developments in the EU, Switzerland, and the UK. Organizations should keep a close eye on EU developments, including DPA commentary and enforcement actions involving data transfer mechanisms. Organizations transferring personal data from Switzerland should monitor developments with the Swiss-U.S. Privacy Shield framework in response to the CJEU’s decision. The Swiss data protection authority has advised that it is examining the opinion and will “comment on it in due course.” Similarly, organizations transferring personal data from the UK should monitor UK developments to see whether data transfers to the UK will be permitted post-Brexit under any framework similar to the Privacy Shield. The UK Information Commissioner’s Office (“ICO”) has stated that it is reviewing the Schrems II Decision and is asking organizations already using the Privacy Shield to continue to do so until new guidance becomes available, but that organizations should not start using the Privacy Shield if they are not already doing so.
If you have any questions concerning this important legal development, please reach out to us.
Eleazar Rundus, a third-year law student at the University of Kansas School of Law, contributed to this post. Mr. Rundus is a law clerk with Fey LLC.