Key Takeaways:
- EU-U.S. Privacy Shield Framework invalidated
- Standard Contractual Clauses governing transfers between controllers and processors upheld, but arguably may not be valid on their face without additional due diligence
Executive Summary: On July 16, 2020, in the much-anticipated so-called Schrems II case, the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield Framework (Privacy Shield) as an adequate method of transferring personal data from the European Union (EU) to the United States, invalidating Decision 2016/1250 and immediately eliminating an existing legal framework on which thousands of U.S. companies of all sizes rely for transatlantic data transfers. The CJEU did, however, leave in place the often used “Standard Contractual Clauses (Processors)” (SCCs) between EU-based data exporters to non-EU data importers under Decision 2010/87. This decision may mean, however, that data exporters cannot rely on SCCs alone, without conducting additional analysis.1
The invalidation of Privacy Shield throws the current U.S.-EU privacy infrastructure into disarray, bringing into question whether the over 5,000 U.S. companies currently relying on the program are able to legally transfer personal information out of the EU without further protections. The decision may force these companies to consider other transfer mechanisms identified in the GDPR to lawfully transfer their data.
Background: After today’s decision, SCCs may not always be valid on their face. The Court cautioned in a press release that the “obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection [required by the General Data Protection Regulation (GDPR)] is respected in the third country concerned.” If the data protection laws of the third country do not offer an adequate level of protection, the data exporter is “obliged to suspend the transfer of data and/or to terminate the contract with the [data importer].” This additional language may have significant implications for the use of SCCs in data transfers between the EU and the United States, discussed further below.
The Court’s decision hinged on its view of U.S. law as lacking necessary privacy protections, including the U.S. government’s ability access to private corporations’ records, and questions whether U.S. law provides European data subjects with effective remedies against U.S. government agencies that seek access to their personal data. The Court noted requirements of U.S. national security, public interest, and law enforcement in its decision, which “condon[e] interference with the fundamental rights of persons whose data are transferred to that third country.” To the European Court, U.S. law’s limited protections of personal data regarding access and use by government agencies do not satisfy the GDPR’s requirements. On that basis, the Court struck down Privacy Shield, noting in its judgment that Privacy Shield’s independent administrators “cannot remedy the deficiencies…found in connection with the judicial protection of persons whose personal data is transferred to [the United States].” This is due, the Court said, to perceived influence by U.S. agencies overseeing the program and the context of government bureaucracy within which the office operates. But the CJEU concludes it is not creating a “legal vacuum,” because of the derogations from lawful data transfers identified in Article 49 of the GDPR (even though the European Commission has previously represented to U.S. courts that these derogations should be narrowly construed).
Practical Considerations: In light of this decision, companies may need to reevaluate the legal bases for their international data flows. U.S. businesses can no longer rely on Privacy Shield as a lawful mechanism to transfer personal data between the EU and the United States. Practically, because data exporters now have an apparent duty to determine whether third countries offer adequate data protection in connection with the use of SCCs, U.S. businesses’ use of SCCs also may require further scrutiny. U.S. businesses that seek to use SCCs must consider both the terms of the SCCs themselves and “as regards any access by the [U.S.] public authorities of…the data transferred, the relevant aspects of the [U.S.] legal system.” This could have implications for companies in industries subject to extensive federal oversight, such as financial services and healthcare. Otherwise, the Court’s decision holds that supervisory authorities are required to suspend unilaterally transfers of personal data that do not comport with the requirements of the GDPR.
It is still possible for the Trump Administration to negotiate with the European Commission to enhance Privacy Shield to accommodate today’s ruling; however, apparent policy differences and practical difficulties during a U.S. presidential election year may prove too difficult a hurdle to immediately overcome.
If you need assistance navigating these international transfer issues, we invite you to reach out to a member of Manatt’s privacy and data security team with any questions you may have. For more information, the CJEU’s judgment is available here. The press release accompanying the judgment is available here.
1 Today’s decision does not implicate the rulings which established controller-to-controller standard contractual clauses, but it is conceivable that the implications of today’s decisions apply to those clauses as well.