European High Court Invalidates Privacy Shield; Upholds Standard Contractual Clauses for International Data Transfers Under GDPR
The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.).
The Court upheld SCCs (with conditions) and, although not directly challenged by Schrems, invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield). These two mechanisms are commonly used by companies to facilitate the transfer of personal data from the EEA to the U.S. under the GDPR.2 Notably, this decision has far-reaching effects because many U.S.-based companies are subject to the GDPR (even those who have offices only in the U.S.) and/or engage in cross-border data transfers that are subject to the GDPR, sometimes without even realizing it – e.g., by e-mailing or mailing data to recipients located outside of the EEA, hosting data on servers in the EEA (but making that data accessible to individuals in the United States), using service providers located in the EEA, acting as a service provider to companies in the EEA, or collecting data of individuals in the EEA through a website. Even transfers within the same company or among affiliated companies may constitute cross-border data transfers. Violations can result in suspension of data transfers, administrative fines (up to 20 million euros or 4 percent of gross global earnings, whichever is higher), and, in some cases, even criminal penalties.
STANDARD CONTRACTUAL CLAUSES REMAIN VALID, BUT MUST WITHSTAND HEIGHTENED SCRUTINY
The GDPR permits data transfers from the EEA only to countries that the European Commission (Commission) has determined to have data protections commensurate to European data protections, as evidenced by an adequacy decision issued by the Commission.3 Absent an adequacy decision, such as in the case of the U.S., cross-border data transfers are only permitted if appropriate safeguards are in place, such as SCCs.4 SCCs are standard contractual terms aimed at providing data protections that are approved by the European Commission and must be included in contracts between data exporters and data importers.5
The Court held that SCCs may be used in contracts between EEA data exporters (as data controllers) and non-EEA data importers (as data processors)6 to provide adequate protection for data transfers. EEA data exporters (in collaboration with importers, where appropriate), however, are charged with verifying, on a case-by-case basis prior to any transfer, whether the laws of the destination country ensure adequate protection, particularly with respect to law enforcement access to transferred data. The Court noted that it may be necessary to supplement the SCCs with additional contractual terms to provide additional safeguards. The data importer must notify the data exporter of any law enforcement request for transferred data or, if prohibited to provide such notification (such as may be the case in criminal investigations), advise of its inability to be able to comply with the SCCs. Data exporters, in turn, may be obligated to suspend the transfer of data or terminate its contract with the data importer. Data exporters, once advised by data importers, must also provide notice to the relevant data protection authority (DPA) of any change in legislation in the recipient country that is likely to have a substantial, adverse impact on the warranties and obligations provided by SCCs. Pursuant to SCCs, the DPA may suspend or prohibit data transfers, or conduct an audit of data processors and even sub-processors.
PRIVACY SHIELD DEEMED INVALID7
In 2016 (the same year that the GDPR was adopted), the Privacy Shield was designed by the U.S. Department of Commerce and the European Commission to permit regular cross-border data transfers from the EEA to the U.S. with ease, even absent an adequacy decision.8 The Privacy Shield requires U.S. organizations to self-certify their adherence to certain data protection principles, among other things.
The Court struck down the Privacy Shield, finding that it enables interference with the fundamental rights of the persons whose personal data is transferred from the EEA to the United States based on national security concerns, public interest or domestic laws. The Court was particularly concerned about federal surveillance programs and noted that the Privacy Shield did not confer EEA citizens actionable rights against U.S. authorities if their rights are violated.
IMPACT OF THE DECISION
The most significant impact of the decision is that the EU-U.S. Privacy Shield certification is no longer a legally “valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.”9 This decision will have a significant impact on the over 5,000 U.S. organizations that rely on the Privacy Shield Framework. The U.S. Department of Commerce announced that it will “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List,” and appears poised to negotiate a new framework by “remain[ing] in close contact with the European Commission and European Data Protection Board (EDPB) on this matter … to limit the negative consequences to the $7.1 trillion transatlantic economic relationship.”10 The European Commission echoed this desire for cooperation in a press conference shortly after the ruling.11 The EDPB, the European body charged with ensuring consistent application of the GDPR, offered its assistance in efforts to establish a new framework that would guarantee an adequate level of protection essentially equivalent to that provided by the GDPR.12
Notwithstanding the foregoing, a new framework is not guaranteed and can take time to develop. In the meantime, organizations should quickly identify alternative mechanisms for cross-border data transfers from the EEA and the United States. Indeed, DPAs across the EEA are responding to the CJEU’s decision in varied ways. The United Kingdom’s DPA advised companies to continue using the Privacy Shield while it reviews the decision and until it issues new guidance.13 It also advised, however, that companies should not begin using the Privacy Shield during this time.14 The Ireland DPA has stated that the use of the SCCs to transfer data to the U.S. is “questionable” and its assessments on such use will “need to be made on a case-by-case basis.”15 Germany’s DPA released a statement that transfers of personal data to the U.S. are not possible until the legal framework is reformed, stating that the SCCs could not be used where the receiving country has state access to the data not permitted under the GDPR.16 In yet another interpretation, France’s DPA stated that the CJEU’s decision validated the use of the SCCs.17 While a formal, uniform grace period has been ruled out by the EDPB18, there is a brewing divide in the application of the Court’s decision, and some DPAs appear less inclined to immediately bring enforcement actions against organizations that continue to use the Privacy Shield in the short term. It is important that organizations review guidance issued by the particular DPA with authority over their business arrangements.
For organizations that use or will use SCCs for international data transfers, it is further important to analyze and record the determination of an adequate level of protection before any transfer to a country outside of the EEA (whether to the U.S. or elsewhere); understand obligations created by SCCs (e.g., DPA audit and enforcement rights, notification of law enforcement requests or inability to comply with SCCs, compensation to EEA data subjects for breach of SCCs); evaluate the SCCs’ impact on business operations; and implement an SCC compliance process (e.g., continuous monitoring of changes in domestic laws, internal mechanisms to identify any inability to comply with SCC terms, etc.).
About the author: Anna Mercado Clark, CIPP/E is a partner at Phillips Lytle LLP and leader of the firm’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams. She can be reached at firstname.lastname@example.org or (212) 508-0466.
- The EEA includes all European Union countries as well as Iceland, Liechtenstein and Norway.
- Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.
- Art. 45, GDPR.
- Art. 46, GDPR.
- Art. 46(2)(c), GDPR.
- Data controllers determine the purpose and means of processing data, whereas processors process data on behalf of data controllers. Note that a data processor may also be a co-controller. Art. 4(7),(8), GDPR. The Court focused on standard contractual clauses between a data controller and processor but did not issue a decision on the use of such clauses for data transfers from one controller to another controller.
- Switzerland, which is not part of the EEA, and the U.S. Department of Commerce established the Swiss-U.S. Privacy Shield Framework, which is not directly impacted by the Court’s ruling.
- 12 https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en.
- https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/ pressemitteilungen/2020/20200717-PM-Nach_SchremsII_Digitale_ Eigenstaendigkeit.pdf.
- https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118. pdf.