GDPR, the key piece of European privacy law, sets out strict controls on the transfer of personal data from the EU to non-EU jurisdictions and makes it unlawful to transfer personal data from the EU to a non-EU based business. A transfer of personal data also includes access to personal data stored in the EU from a non-EU country. Some jurisdictions have been excepted from the rule, as the EU has deemed that they have privacy law standards equivalent to the EU's. In addition, GDPR sets out some limited circumstances in which data transfers are permitted where certain safeguards are in place. Only when businesses comply with GDPR's rules on data transfers can such transfers be deemed lawful under GDPR.
Two of GDPR’s approved safeguards have been recently scrutinized by the European Court of Justice, the highest legal authority in the EU, namely the EU-US Privacy Shield (Privacy Shield) and the Standard Contractual Clauses (SCCs). The Privacy Shield is an agreement between the EU and the US which allows data to flow from the EU to the US, provided that the US recipient of the data has achieved certain privacy compliance standards which replicate EU privacy laws, and has self-certified to the jurisdiction of the Department of Commerce for enforcement purposes.
SCCs are a contractual framework which have been approved by the EU and allow contracting parties to agree to replicate standards of EU privacy law by entering into agreements in a form approved by the EU with their contracting parties outside of the EU.
What has happened?
On July 16, 2020, the European Court issued a landmark decision striking down the Privacy Shield but upholding the validity of SCCs. The case, known as Schrems II (after the privacy activist Maximilian Schrems), was originally a challenge by Schrems against Facebook Ireland for transferring his personal data from Ireland to the US in reliance on SCCs. The case was referred by the Irish privacy regulator to the European Court to determine certain questions about the validity of SCCs. In a surprise move, the European Court took the decision to review and invalidate the Privacy Shield, despite the fact that the Privacy Shield was not billed as a legal issue to be determined in the case.
Why has the European Court made this decision?
The European Court discussed at length its view that US laws authorizing public authorities to access data transferred from the EU to the US are not compatible with EU privacy laws. The European Court also concluded that the independent ombudsperson mechanism referred to in the Privacy Shield Decision does not provide effective administrative or judicial redress for EU individuals. The European Court therefore held that the Privacy Shield does not provide protections that are “essentially equivalent” to those set out in EU law.
What is the effect of this decision?
The Privacy Shield has been invalidated with immediate effect. In a separate part of its judgment, the European Court upheld the validity of SCCs, which many EU entities currently rely on to transfer data internationally. In doing so, the European Court explained that use of SCCs requires an assessment of the context of the transfer, including the laws of the country where the recipient is based, and any additional safeguards adopted by the parties. In the European Court’s words, EU law requires entities relying on SCCs “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” In other words, the SCCs are a more selective and flexible standard of protection for personal data of EU citizens but should be used carefully with full scrutiny that the recipient of personal data is able to comply with its obligations under the SCCs.
What to do now?
The European Court’s decision to invalidate the Privacy Shield is certainly disappointing for US businesses which have spent time and resources planning for and implementing the Privacy Shield. The Court’s decision to uphold the ability to use SCCs for personal data transfers to the US, however, will be a huge relief to companies across Europe and the US. Data flows between Europe and the US are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and SCCs are the backbone for many of those data transfers.
As for the Privacy Shield, the European Commission has already stated that it will be highly focused on finding a resolution and will be actively working with the US Government to identify a path forward.
Many international organizations which are Privacy Shield-certified and are reliant on the Privacy Shield to make transfers of data from the EU to the US will, as an interim measure and pending a response from European data protection authorities, need to seek alternative ways to transfer personal data from the EU to the US.
The most effective remaining GDPR-compliant data transfer mechanism is SCCs, because they are put in place by contractual agreement and do not need regulatory approval. Businesses which find themselves in the position that they can no longer rely on the Privacy Shield as their data transfer mechanism will need to work quickly to put SCCs in place to be compliant with GDPR. Care must be taken, however, as the Irish privacy regulator has already commented that SCCs must be thoughtfully entered into, to determine whether the recipient of the data can comply with the privacy protections that it agrees to when it signs SCCs. Most privacy commentators agree that reliance on SCCs could leave businesses open to scrutiny about their compliance with the obligations that SCCs place on them as recipients of EU personal data.