In the wake of the Court of Justice of the European Union’s (CJEU or Court) Schrems II decision invalidating the Privacy Shield but upholding Standard Contractual Clauses (SCCs), many EU Data Protection Authorities (DPAs) have provided initial thoughts and reactions to the decision and indications that guidance from such DPAs will be forthcoming. Below, we have summarized the reactions and initial guidance provided by key DPAs to date:
European Commission
Shortly following the ruling, the European Commission Vice President provided opening remarks emphasizing the Commission’s intent to “continue to work to ensure the continuity of safe data flows.” The remarks further detail that the Commission has already been working intensively to ensure a broad toolbox is available and fit to protect EU personal data, including by the modernization of the SCCs. The Commission is working to swiftly finalize the modernized SCCs in consultation with the EDPB and DPAs, and to ensure the updated SCCs are “fully in line with” the CJEU’s decision.
European Data Protection Board
Initial Statement. The day after the CJEU’s ruling, the European Data Protection Board (EDPB) issued a statement calling the ruling “one of great importance.” The statement notes that the EDPB intends to continue playing a constructive part in securing the transatlantic transfer of personal data and “to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.” The statement also discusses the continued validity of the SCCs, provided that an assessment occurs to determine whether the third countries to which data is transferred offer adequate protection of such data. The assessment is primarily the responsibility of the data exporter and the data importer, and requires the exporter (with the importer’s assistance, if necessary) to consider (1) the content of the SCCs; (2) the specific circumstances of the transfer; and (3) the legal regime applicable in the importer’s country. If the assessment reveals that the importer’s country does not provide adequate protection, the exporter may consider putting measures in place in addition to those included in the SCCs. Finally, the EDPB asserts that it is looking further into what such additional measures could consist of and will also provide further clarification for stakeholders and guidance on the use of instruments for personal data transfers to third countries.
Schrems II Guidance. About a week after the CJEU’s decision was released, the EDPB published guidance in the form of Frequently Asked Questions. Please see our Key Takeaways from EDPB Schrems II Guidance post for a summary of the EDPB’s guidance.
European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) issued a statement the day after the CJEU’s decision, welcoming the Court’s ruling and stating that European supervisory authorities will advise the Commission on any future adequacy decisions in line with the ruling. The EDPS emphasizes that the protection of personal data is not just a “European” fundamental right, but a fundamental right widely recognized around the globe. Against this background, the EDPS states that it trusts that the U.S. will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the EU’s requirements for adequate safeguards. The EDPS also states that, as the supervisory authority of the EU institutions, bodies, offices, and agencies, it is carefully analyzing the consequences of the ruling on the SCCs entered into by EU institutions, bodies, offices, and agencies.
Ireland’s Data Protection Commission
Ireland’s Data Protection Commission (DPC), the DPA that brought the Schrems II proceedings, published a press release “strongly welcom[ing]” the CJEU’s judgment, and emphasizing that the Court’s decision firmly endorsed the DPC’s concerns that EU citizens do not enjoy the level of protection required by EU law when their data is transferred to the U.S. The DPC also states that the Court ruled that the SCCs transfer mechanism used to transfer personal data to countries worldwide “is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The DPC concludes that this issue will require further and careful examination, in particular because assessments will need to be made on a case-by-case basis.
United Kingdom’s Information Commissioner’s Office
In its initial press release following the CJEU’s decision, the United Kingdom’s Information Commissioner’s Office (ICO) stated that the ICO is considering the judgment and its impact on international data transfers, and that the ICO will be working with the UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.
On July 27, the ICO issued an updated statement on the judgment, in which the ICO emphasized that the CJEU’s decision “confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield.” The ICO states that work is underway by the European Commission and the EDPB to provide more comprehensive guidance on extra measures that entities may need to take, and advises that, in the meantime, entities should analyze all international transfers they make and react promptly as guidance and advice for such transfers becomes available. In light of the Court’s judgment that supervisory authorities have an important role to play in the oversight of international data transfers, the ICO is “taking the time to consider carefully what this means in practice” and will “continue to apply a risk-based and proportionate approach in accordance with [its] Regulatory Action Policy.”
Germany’s Data Protection Authorities
Multiple German DPAs have provided statements regarding the CJEU’s ruling:
- Federal Commissioner for Data Protection and Freedom of Information
Following the CJEU’s decision, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) released a statement emphasizing that the decision makes it clear that international data traffic is still possible, so long as the fundamental rights of European citizens are respected. The BfDI also states that it will provide advice regarding the transition away from use of the Privacy Shield and special safeguards that should be in place for data transfers to the U.S. The BfDI also addresses the decision’s impact on DPAs, noting that the CJEU confirmed and “strengthened” the role of DPAs by requiring DPAs to confirm that the requirements set forth by the CJEU’s decision are met for data transfers, and prohibit the transfer if requirements are not met.
- German Conference of Data Protection Authorities
The Conference recently released guidance optimistically stating that data transfers to the U.S. and other third countries would remain possible under SCCs or binding corporate rules following an adequacy assessment. If an adequacy assessment revealed that the protections provided were inadequate, the Conference recommended implementing additional measures. The Conference also stated that any additional measures employed must be regularly reviewed for their actual effectiveness.
- Hamburg Commissioner for Data Protection and Freedom of Information
The Hamburg DPA released a statement following the CJEU’s decision, praising the ruling on the grounds that the Privacy Shield was instituted and approved without any real change in the U.S. practice of mass surveillance without cause and without any substantial strengthening of data subject rights. However, the DPA expresses skepticism about the Court’s decision to uphold the validity of SCCs as an appropriate data transfer instrument. Under the DPA’s reasoning, if the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the U.S., the same must also apply to the SCCs, because contractual agreements between a data exporter and a data importer are equally unsuitable to protect those affected from governmental access.
The DPA also commented on the decision’s impact on EU DPAs, noting that DPAs will now be faced with the task of critically questioning overall data transmission to third countries using SCCs. The DPA concluded its statement by asserting that data transmission to countries without an adequate level of data protection will no longer be permitted, and that DPAs are challenged to develop and implement a common strategy.
- Rhineland-Palatinate Data Protection Authority
On the day of the CJEU’s ruling, the Rhineland-Palatinate DPA released a statement emphasizing that protection of EU citizens’ fundamental rights does not end at the EU border, and that protection of such rights requires an examination of whether and how U.S. security authorities have access to data. The DPA states that the CJEU made it clear that companies cannot free themselves from their audit obligations by using the SCCs. Companies cannot avoid carefully analyzing the national laws of the third country to which they want to transmit data when assessing whether their transfers of personal data to such third countries are legally permissible. If the data recipients in the third country are subject to legal rules of their home country that violate EU data protection law, then the data recipients may not be able to comply with the contractual provisions of the SCCs. Because of the importance of appropriate data transfers for many companies, the DPA expects a rush of questions from those responsible and from data subjects, and requests understanding if the processing of some questions takes some time.
Liechtenstein Data Protection Authority
The Liechtenstein DPA’s statement on the CJEU’s decision says that, at least until a new agreement with the U.S. on data transmission can be concluded by the EU Commission, those responsible must rely on other data transfer instruments such as the SCCs rather than on Privacy Shield certification. Like other DPAs, the Liechtenstein DPA will analyze the Court’s decision and its consequences for data transfers to third countries, and will publish further instructions in the near future.
Norwegian Data Inspectorate
In its recently published guidance on the CJEU’s ruling, the Norwegian Data Inspectorate (NDI) advises that, when a data exporter assesses whether a third country to which personal data is transferred offers adequate protection of such data, taking into account the circumstances of the transfer, it is particularly important to examine (1) whether there are circumstances that mean the level of protection the chosen transfer mechanism is intended to ensure will not be realized in practice; (2) whether there are surveillance laws or other laws that give authorities in the third country disproportionately broad access to the data; and (3) whether the data subject’s rights can be safeguarded in practice. It is also important to investigate whether the data importer, the data importer’s infrastructure, or any subcontractors are subject to laws, rules, or systems that conflict with the data importer’s obligations under the transfer mechanism or that otherwise lower the level of protection.
If the assessment reveals that the level of protection will be inadequate, additional measures, which may consist of legal, technical, or organizational measures, must be implemented to compensate for the deficiency. The NDI acknowledges that there is currently great uncertainty about what kind of additional measures may be sufficient if the third country has laws that take precedence over the obligations under the transfer mechanism or otherwise lower the level of protection afforded to transferred data. Notably, the NDI states that this means it is presently challenging to transfer personal data to such third countries, and in practice it will probably not be possible for most people to do so.
As specifically applicable to transfers to the U.S., the NDI states that, even if an approved transfer mechanism is used, the surveillance laws cited by the Court (FISA Section 702 and Executive Order 12333) will mean that the level of protection in the transfer of personal data is not the same as in the EU. If the data importer, the data importer’s infrastructure, or any subcontractors are subject to these or similar laws, additional measures must be implemented if the transfer is to continue. As stated by the NDI, this can be very challenging or impossible to achieve in practice, in which case the transfer of personal data to the U.S. cannot take place.
Slovenian Information Commissioner
In recently published guidance, the Slovenian Information Commissioner (SIC) said that those exporting personal data are responsible for assessing the lawfulness of exporting and further processing the data, and for ensuring the data is adequately protected. The SIC noted that the Court’s chief concern was broad U.S. surveillance laws and inadequate protection of EU data subjects’ rights. The SIC asserted that SCCs and binding corporate rules ensure a higher level of protection for the data.
Guidance from Other DPAs
Other noteworthy commentary from DPAs includes the following:
- Switzerland’s Federal Data Protection and Information Commissioner. Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) issued a statement shortly after the judgment stating that the FDPIC has taken note of the CJEU’s ruling. The FDPIC noted that, while the ruling is not directly applicable to Switzerland, the FDPIC will examine the judgment in detail and comment on it “in due course.”
- France’s Commission Nationale de l’Informatique & des Libertés. Following the CJEU’s decision, France’s Commission Nationale de l’Informatique & des Libertés (CNIL) published a press release stating that the CNIL is currently conducting a “precise analysis of the judgment,” together with its European counterparts assembled within the EDPB. The goal of the joint work is to draw conclusions as soon as possible on the consequences of the ruling for data transfers from the EU to the U.S.
- Spain’s Agency for Data Protection. A couple of weeks after Schrems II, Spain’s Agency for Data Protection (ADP) issued a statement noting its participation in the recent EDPB statement discussed above.
U.S. International Trade Administration
The Privacy Shield Program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, recently updated its Privacy Shield Overview page to address the CJEU’s judgment. The updated overview page acknowledges that the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements for trans-Atlantic data transfers, but warns that the “decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.” Additionally, the ITA asserts that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List.
Organizations transferring EU personal data to the U.S. should bear in mind that DPAs are treating the invalidation of the Privacy Shield as effective immediately and are recommending a prompt transition to a new transfer mechanism. Some DPAs recommend transitioning to or continuing to use SCCs. However, the Court and some DPAs have advised that, to the extent transferring parties rely on SCCs, they must carefully assess each transfer of EU personal data for the practical effectiveness of the SCCs in the legal context of the recipient country. And some DPAs have expressed doubt about whether the SCCs are appropriate for EU-U.S. personal data transfers at all, given that the CJEU’s rationale for invalidating the Privacy Shield focuses on U.S. surveillance activities that apply regardless of the transfer mechanism used.
Additionally, organizations should be aware that the legality of personal data transfers from the EU to the U.S., and to other countries with expansive national security programs and practices, under the various legal transfer mechanisms will continue to be a moving target. In the interim, organizations involved in transfers of personal data out of the EU should consider taking the steps outlined in our prior blog post, which include retaining EU personal data only in the EU, where possible; analyzing, on a case-by-case basis, and documenting the most appropriate transfer mechanism for specific EU personal data transfers; analyzing the necessity of additional safeguards and implementing such safeguards where appropriate; withdrawing from the Privacy Shield, if applicable; and continuing to monitor further developments in the Schrems II case, guidance issued by DPAs, and any modernized SCCs published by the European Commission.
The appropriateness of the SCCs with respect to Facebook’s transfers of data in Schrems II is now back in the hands of the Irish High Court. The activist behind Schrems II, Max Schrems, has indicated that he intends to resist any attempt by Facebook to assert that a different legal mechanism permits its transfers of EU personal data to the U.S. Schrems further asserts that he intends to seek a swift outcome to this case, which began over seven years ago and has resulted in not only the invalidation of the Privacy Shield, but also the Privacy Shield’s predecessor, the U.S.-EU Safe Harbor framework.
For a deeper analysis of the court’s reasoning in the case see our previous blog post, which includes next steps for organizations. Fey, LLC will continue to monitor developments in the wake of the Schrems II decision. To ensure you do not miss any of our articles or alerts, you can follow our LinkedIn page here.
Eleazar Rundus, a third-year law student at the University of Kansas School of Law, contributed to this post. Mr. Rundus is a law clerk with Fey LLC.