The Court of Justice of the European Union (CJEU, the EU’s highest court) has delivered its long-awaited decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (commonly referred to as Schrems II), invalidating the Privacy Shield as an acceptable method of data export for EU companies into the US but retaining standard contractual clauses (SCCs) as an acceptable method—with a big caveat.
How did the CJEU arrive at these decisions?
The court first looked at what the General Data Protection Regulation (GDPR) required when transferring data to “third countries” or countries outside the EU and countries the European Commission had deemed as providing an “adequate level of protection.” It found that the GDPR required an “appropriate safeguard” to be used to protect the transfer of personal data to one of these third countries which will provide “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU ….”
In its review of the EU-US Privacy Shield, the CJEU found the Privacy Shield is subject to the national security requirements of the US, such as the Foreign Intelligence Surveillance Act §702, Executive Order 12333, and Presidential Policy Directive 28, none of which is bound to the principles of the Privacy Shield, and some of which do not require US intelligence agencies to abide by the GDPR concept of proportionality (collecting and using only data that is “necessary” for the purpose) and/or do not offer EU citizens the same degree of remedies as US citizens (in some cases none at all, including judicial review) for violations of their data privacy rights.
For these reasons, the CJEU held that the EU-US Privacy Shield did not offer an “essentially equivalent level of protection” and could not be an “adequate safeguard” for the transfer of data. Therefore, the CJEU held that the EU-US Privacy Shield is no longer an acceptable method of data transfer to the US under the GDPR.
With respect to SCCs, the court found that, as with Privacy Shield, US authorities would be able to access data under laws created for national security purposes. But the CJEU held that, unlike the EU-US Privacy Shield, the SCCs remain a valid method to protect data being exported from the EU. Here, the court’s reasoning focused on the fact that the SCCs require the data controller or data processor that is exporting data from the EU to conduct an analysis of the level of protection of the destination third country and to take additional steps to guarantee protection if necessary. Such steps will depend on specific circumstances but may involve conducting an in-depth analysis of the data importer’s ability to meet its SCC obligations and/or contractually imposing guidelines on US data importers for responding to requests by US public authorities. Guidance on this analysis is anticipated in the immediate future from the various data protection authorities (DPAs) across the EU as well as the European Data Protection Board (a group made up of the heads of all the DPAs). Further, in the event that the data exporter cannot guarantee sufficient protection, an EU citizen can complain to the relevant DPA, which can (and should, in the opinion of the court) force the exporter to limit or suspend data flows as appropriate.
What does this mean from a practical perspective?
It means that the 5,300+ companies that successfully went through the EU-US Privacy Shield self-certification program may not value their next renewal, but should do the following:
A. Continue to abide by the Privacy Shield principles as they are required to do for any data collected under Privacy Shield, even though they are no longer certified, and notify the Department of Commerce and customers of the same.
B. Determine what data is subject to a transfer from the EU and could be affected by this decision (subject to review for national security, etc.).
C. Review their agreements (especially those with EU customers and business partners) to determine whether this decision requires them to take a specific action:
1. If their data protection agreements with EU customers and/or partners provide for transfer under SCCs, even as a backup to Privacy Shield, they should still be valid. Companies may wish to update the agreements, though, to rely solely on SCCs.
2. If companies rely exclusively on the EU-US Privacy Shield, they should review agreements, especially those with customers in the EU, to find an alternative:
a. SCCs. Parties should quickly provide to customers/partners an updated document incorporating the SCCs, as they are still valid, and offer a quick and comparatively inexpensive solution.
b. Derogations. In limited and specific instances, when there is no appropriate safeguard, a data exporter can rely on derogations under GDPR Article 49 in transferring data to a third country, but an in-depth legal analysis is required, and this should not be a blanket alternative.
c. De-identify/anonymize data. Once personal data that is subject to the GDPR has been irreversibly de-identified or anonymized, it is no longer subject to the GDPR. If it is a financially and practically viable option, companies should consider having EU customers perform this step before exporting data to the US.
d. Binding corporate rules (BCRs). Although technically an option, BCRs are a costly and lengthy process involving approval by a European DPA and are not practical for many US companies.
D. If companies are importing personal data from Switzerland, the Swiss-US Privacy Shield program remains valid, and it may be worth it for a company to continue participating in Privacy Shield for this purpose.
Action will be required by many companies, and if you have questions about your legal or contractual obligations or how to proceed, the attorneys at McCarter & English can help.