GDPR Landmark Development: Privacy Shield Invalidated by European Court of Justice, Standard Contractual Clauses Still Valid, with Clarifications

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) announced its decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), commonly referred to as the “Schrems II case.” Specifically, the CJEU declared the EU-US Privacy Shield (“Privacy Shield”) invalid, but upheld Standard Contractual Clauses (“SCCs”) as a valid data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). The CJEU additionally noted that in certain instances it may be necessary for data controllers to supplement the SCCs with other clauses or additional safeguards. Details on the Schrems II decision and its impact on companies transferring data in and out of the EU are below.

Privacy Shield

The GDPR, which is the EU’s data privacy regime, provides that the transfer of personal data to a country outside the European Economic Area (“EEA”) may take place only if the country in question ensures an adequate level of data protection. For example, if the European Commission issues an adequacy decision for a country, as it has for Japan, Argentina, and New Zealand, among others, then the GDPR permits transfers of personal data from countries within the EEA to that country. Previously, the European Commission had found that the US ensured an adequate level of data protection through the Privacy Shield program, meaning that US companies participating in the Privacy Shield program were permitted to receive personal data transferred from countries in the EEA. However, Schrems, the plaintiff in the Schrems II case, challenged this finding, claiming that US security and surveillance laws and practices do not offer sufficient protection against access and use of transferred data by US public authorities, even for Privacy Shield participants.

A non-binding opinion from the Advocate General of the CJEU issued in December 2019 proposed that the CJEU need not review the validity of the Privacy Shield in the Schrems II case. However, the CJEU chose to review the validity of the Privacy Shield and sustained Schrems’ challenge, finding that the limitations in US law on the protection of personal data transferred from the EU and relating to the access and use by US public authorities of such data “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” In part, the CJEU found that this is because US surveillance laws are not limited to what is strictly necessary, as is required by the principle of proportionality, which is a fundamental principle of the GDPR. Additionally, the CJEU found that certain surveillance laws do not indicate any limitations on the power they confer, do not provide data protection guarantees equivalent to those in EU law for potentially targeted non-US persons, and do not grant EU data subjects actionable rights before the courts against the US authorities. As a result, the CJEU declared that the Privacy Shield provides an inadequate level of data protection and is thus invalid as a data transfer mechanism.

The CJEU’s decision notes that its invalidation of the Privacy Shield does not create a “legal vacuum.” Rather, with the Privacy Shield declared invalid, the over 5,300 US companies that currently rely on the EU-US Privacy Shield framework for data transfers from the EEA will need to identify and rely on alternative data transfer mechanisms to continue transfers of personal data from the EEA. Such companies may be able to rely on derogations set forth in the GDPR for specific situations involving the transfer of personal data, such as when the data subject has provided explicit and informed consent to the proposed transfer or the transfer is necessary to perform a contract. However, such derogations are meant for use in specific situations and not on a routine basis. Thus, US companies that currently rely on the Privacy Shield for data transfers from the EEA should look to lasting alternative data transfer mechanisms, such as the SCCs, or binding corporate rules for internal transfers within a multinational group of companies.

Standard Contractual Clauses

Schrems also challenged the validity of the SCCs because of the lack of protection against access and use of transferred data by US public authorities, in part because the SCCs are contractual in nature and US public authorities are not bound by them, since they are not a party to the contract. However, the CJEU found that the validity of the SCCs was not called into question by the mere fact that the SCCs do not bind the authorities of countries outside the EEA to which personal data is transferred. Rather, the key inquiry is whether the transferred data is adequately protected.

While the CJEU upheld the validity of the SCCs, it also clarified how the SCCs must be applied and subjected their use to particular scrutiny. The CJEU noted that even when using the SCCs it may be necessary to supplement the data protection guarantees contained in the SCCs with other clauses or additional safeguards. For example, additional safeguards are necessary when a country’s laws impose obligations on the recipient of data from the EEA that are contrary to the data protection guarantees in the SCCs and are thus capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that country. The CJEU’s decision notes that if the parties entering into the SCCs cannot guarantee the data protections required by EU law, whether by using the SCCs alone or by implementing additional safeguards where necessary, the controller and processor are required to suspend or end the transfer of personal data to the country at issue.

While SCCs remain valid, organizations that currently rely on them will still need to consider whether there is an “adequate level of protection” for the personal data transferred through the SCCs, and if not, implement additional safeguards to provide this level of protection, as required by EU law. Companies should review their use of the SCCs and document their decisions and assessments regarding the adequacy of protection for data transfers from countries in the EEA.

Moving Forward

In a press release issued July 16, 2020, the US Department of Commerce, which administers the Privacy Shield, stated that it was “deeply disappointed” that the CJEU invalidated the Privacy Shield, while also noting that it is “still studying the decision to fully understand its practical impacts.” The US Department of Commerce said that it hopes to “be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.” How exactly it will do so is currently unknown, so it is up to companies to take active measures within their organizations to continue data transfers from countries in the EEA.

Importantly, the US Department of Commerce confirmed that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification. Further, the US Department of Commerce noted that the CJEU decision “does not relieve participating organizations of their Privacy Shield obligations.”

Many companies will be faced with questions and concerns about the continuation of transfers of personal data from the EEA. Companies should take steps to confirm and ensure that they carry out data transfers from countries in the EEA pursuant to a mechanism that provides adequate protection for the data, as required by EU law.

The CJEU’s press release can be found here and the CJEU’s decision can be found here. If you need assistance complying with the GDPR or creating policies and agreements for transfer of data subject to the GDPR, please contact one of our Cybersecurity & Data Privacy attorneys.