The General Data Protection Regulation (GDPR), the European Economic Area’s (EEA) restrictive data protection law that impacts even organizations outside of Europe, prohibits cross-border transfers of personal data from the EEA to other countries (and subsequent or onward transfers). Exceptions are permitted only if derogations apply that ensure adequate protection of such data, commensurate with the level of protection provided by the GDPR. As discussed more fully in our previous client alert, the Court of Justice of the European Union (CJEU) recently invalidated the EU-U.S. Privacy Shield Program (“Schrems II decision”), one such derogation that was relied upon by over 5,300 United States organizations to facilitate cross-Atlantic data transfers.1 The decision also analyzed the use of standard contractual clauses (SCCs), another means by which data controllers and processors facilitate data transfers from the EEA to countries that are not deemed to have an adequate level of protection, by contractually guaranteeing a certain level of protection. The Schrems II decision suggested that SCCs may be relied on to transfer personal data from the EEA to the U.S., but that the data exporter relying on SCCs must assess whether an organization can provide appropriate protection to the personal data, including whether the laws of the receiver country allow for said protection.
This alert will discuss the cross-Atlantic impact of the Schrems II decision. Since the decision on July 16, 2020, the following developments have impacted the data transfer practices of entities both inside and outside of the EEA:
On September 8, 2020, the FDPIC determined that the Swiss-U.S. Privacy Shield, which is separate and distinct from the EU-U.S. Privacy Shield and was not directly addressed by the Schrems II decision, nonetheless fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.2 The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and Swiss administration to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the U.S.3 The FDPIC deleted the reference to ‘adequate data protection under certain conditions’ for the U.S. in the FDPIC’s list of countries providing adequate protection for data transfers out of Switzerland, which effectively invalidates the Swiss-U.S. Privacy Shield by rendering it useless on its own.4 The FDPIC followed the reasoning of the CJEU. This decision – though widely predicted – is significant, as the entirety of the U.S. Privacy Shield Framework has now been deemed invalid.5 Similar to the Schrems II decision, the FDPIC further concluded that the SCCs may not provide adequate protection for transfers to the U.S. or other third countries.
The U.S. Department of Commerce has not yet released a formal statement regarding this development. However, on September 16, 2020, the U.S. Privacy Shield website updated its Frequently Asked Questions (FAQs) to include a statement that the FDPIC issued an opinion that the Framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S.6 The FAQs suggest that organizations relying on the Swiss-U.S. Privacy Shield should seek guidance from the FDPIC or counsel.7 Notably, the FAQs state that the FDPIC’s opinion does not relieve participants of their obligations if they are currently in the program. The FDPIC has not released any further guidance, but it is expected that the FDPIC will closely follow the actions of regulations in the European Union.
On September 3, 2020, the LIBE Committee held a meeting to discuss the Schrems II decision and the future of personal data transfers between the EEA and the U.S.8
Justice Didier Reynders, the EU Commissioner for Justice, stated that conversations with U.S. counterparts (most likely the Department of Commerce) on a possible new data transfer framework have started, but that it is impossible to predict or provide a clear timeline.9 The European Commission is currently working on an amended set of SCCs that will address the concerns of the Schrems II decision and incorporate the GDPR.10 A draft of the new SCCs should be available by the end of September. The European Commission hopes to finalize new SCCs by the end of 2020.11 The adoption of new SCCs requires both the opinion of the EDPB and a vote from the EU member states. 12 Additionally, the new SCCs will address the GDPR, as well as transfer scenarios between an EU data processor and a non-EU data processor (which the current SCCs do not address), and that the new SCCs must reflect the realities of data processing in our modern economy.13
Dr. Andrea Jelinek, Chair of the EDPB, made clear that the EDPB is committed to supporting the European Commission in creating a new method for EU-U.S. data transfers.14 Currently, each company that is transferring personal data must take their responsibilities seriously and perform case-by-case analyses based on the protections in place for the data transfer.15 The EDPB expects to release further guidance for companies’ completed transfers, and currently released opinions will be updated to reflect the Schrems II decision.16 As discussed more fully below, the EDPB has also established a task force to review complaints, and the EDPB will work closely with national Data Protection Authorities (DPAs) in responding to complaints.
Maximillian Schrems, the plaintiff in landmark privacy cases in the EEA (including Schrems II), stressed that there is a fundamental clash between U.S. intelligence surveillance laws and the EU Charter of Fundamental Rights. 17 Accordingly, he has expressed an intent to file a legal challenge to a new framework unless it can somehow comply with the GDPR and the Schrems II decision.18
On September 4, 2020, the EDPB announced that it had created two task forces following the Schrems II decision. 19 The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries.20 The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data-processing operations and transfers.
The second task force will handle and review complaints received by EEA DPAs.21 Each member state of the EEA has a DPA, which are independent public authorities that supervise the application of the GDPR. As of the date of the announcement, 101 identical complaints had been lodged with EEA DPAs against several controllers in EEA member states regarding the controllers’ use of Facebook and Google services involving the transfer of personal data.22 The complaints were also brought against Google and Facebook in the U.S. for continuing to accept data transfers.23 The complainants are all represented by Schrems’ organization. Schrems asserts that EEA and U.S. organizations ignored the Schrems II decision by continuing to transfer data through the use of SCCs.
Although fraught with challenges, these developments suggest that governing entities are invested in finding a way to continue cross-Atlantic business activity and the inevitable data transfers that accompany such activity.
On September 7, 2020, the EDPB issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the GDPR. These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.24 The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the CJEU’s decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the EEA.25 The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways:
The guidelines are still in draft form and are open for public consultation until October 19, 2020.26 Expect a forthcoming detailed analysis of the guidelines upon their final release.
Facebook Ireland routinely transfers user data through the use of SCCs to its parent company, Facebook Inc., in the U.S. In August 2020, following the Schrems II decision, the Irish Data Protection Commission (Irish DPC) issued a preliminary order that directed Facebook Ireland to suspend such transfers. On September 14, 2020, following a public statement on its website, Facebook Ireland filed an application for Judicial Review in the Irish High Court.27 Facebook Ireland argued that the CJEU decision declared SCCs valid. This issue and these parties will likely return to the Irish High Court soon, as Schrems is involved and determined to enforce the decision. Until the Irish High Court issues a substantive decision on the merits, the business world will anxiously anticipate a ruling, as the invalidation of SCCs as a transfer mechanism to the U.S. would substantiate the fears of all those tracking the Schrems II decision and this specific issue. A decision here has the potential to influence all transfers of EEA personal data to the U.S.
As expected, the Schrems II decision is presenting challenges in the U.S. and the EEA. Organizations should continuously evaluate their data transfer practices to comply with the most recent guidance from enforcement bodies. There is no grace period for transfers that fail to comply with the GDPR, and enforcement has begun. Whether SCCs provide enough protection for organizations making data transfers subject to the GDPR remains unclear, but with the current Foreign Intelligence Surveillance Act laws in place and the language in the Schrems II ruling, it is highly unlikely. For organizations that relied on the privacy shield or SCCs for international data transfers from the EEA, there is no one-size-fits-all solution. Organizations that transfer data between the EEA and third countries, specifically the U.S., should seek assistance in establishing new, secure channels for data transfers that satisfy GDPR standards.