A Blog About FTC regulations and happenings
Schrems II Screams: CJEU Decision Puts Companies in Tailspin Over EU-US Data Transfers
The privacy world is abuzz about the European Court of Justice’s July 16, 2020 decision in Schrems II: Europe’s highest court invalidated the EU-US Privacy Shield framework.
The Privacy Shield provides a streamlined mechanism to facilitate personal data transfers from Europe to the U.S. It was implemented in 2016 following the invalidation of an earlier “safe harbor” system. Europe deems the U.S. to have insufficient privacy protections, and the Privacy Shield was a means for companies to certify compliance, with oversight by the U.S. Department of Commerce, to meet Europe’s higher standards.
A decision in the case had been expected—and the outcome even predicted—by many experts. But the holding could not come at a worse time. COVID-19 has derailed economies across the globe and companies are using up the lifelines given them in government-issued capital infusions. Companies had to pivot quickly to work with shelter-in-place mandates. Now, organizations impacted by the Schrems II decision will have to pivot again and address whether their transfers of personal data from the EU to the US are illegal following the decision.
Schrems II Upshot
The EU-US Privacy Shield is held to be invalid under European law. Personal data transfers from the EU to the US made under the Privacy Shield framework are no longer compliant with the EU’s General Data Protection Regulation (GDPR). Companies found not compliant with the GDPR could face steep penalties. The decision will impact the 5300+ companies that participate in the framework.
Post-Schrems II Path Forward
The Privacy Shield framework is not the only mechanism for personal data transfers from the EU to the US. Another mechanism, which was affirmed by Schrems II, is use of Standard Contractual Clauses (SCCs), which were created by the European Commission. SCCs are perhaps the most used means of addressing European data protection law and are commonly attached to data protection agreements and addenda. Companies that relied on the Privacy Shield should do an inventory of their arrangements for EU to US data transfers and determine whether they can and should enter into SCCs for those transfers. Binding Corporate Rules are another mechanism that can be used, though they can require a heavy upfront investment in drafting and approvals.
An important caveat for companies considering moving their transfer mechanism from Privacy Shield to SCCs: While the Schrems II decision affirmed the validity of SCCs for data transfers outside Europe, it raised the possibility that SCC-based data transfers to some countries—including the US—may not pass muster. Data exporters wishing to use SCCs will have to assess the law and practice of the country to which data will be transferred (e.g., the US). If public authorities have access to the data (e.g., the U.S. National Security Agency), the data transfer from Europe may require additional safeguards. More importantly, the personal data may not be legally transferred to that country if there is no way to address the target country’s laws that are incompatible with European laws.
In the Coming Days
The U.S. Department of Commerce, which oversees the Privacy Shield Framework, issued a statement shortly after the CJEU’s decision was published, emphasizing that it still would enforce the Privacy Shield from its end (thus, companies that participate should continue compliance) and noting that it “will remain in close contact with the European Commission and European Data Protection Board (EDPB)” to address how Privacy Shield participants can continue to transfer data. We can anticipate activity from the US side to draw up an alternative and possibly an interim solution. We can also anticipate news from the European Commission, EDPB, and data protection authorities across Europe with additional guidance following Schrems II.
In this summer of upheaval and economic turmoil, the CJEU throws yet another wrench in our COVID recovery. We will be following this closely to help advise our clients on next steps and will provide additional guidance on our site.