GDPR Landmark Development: Privacy Shield Invalidated by European Court of Justice, Standard Contractual Clauses Still Valid, with Clarifications

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) announced its decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), commonly referred to as the “Schrems II case.” Specifically, the CJEU declared the EU-US Privacy Shield (“Privacy Shield”) invalid, but upheld the Standard Contractual Clauses (“SCCs”) as a valid data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). The CJEU additionally noted that in certain instances it may be necessary for data controllers to supplement the SCCs with other clauses or additional safeguards. Details on the Schrems II decision and its impact on companies transferring data in and out of the EU are below.

Privacy Shield

The GDPR, which is the EU’s data privacy regime, provides that the transfer of personal data to a country outside the European Economic Area (“EEA”) may take place only if the country in question ensures an adequate level of data protection. For example, if the European Commission issues an adequacy decision for a country, as it has for Japan, Argentina, and New Zealand, among others, then the GDPR permits transfers of personal data from countries within the EEA to that country. Previously, the European Commission had found that the US ensured an adequate level of data protection through the Privacy Shield program, meaning that US companies participating in the Privacy Shield program were permitted to receive personal data transferred from countries in the EEA. However, Schrems, the plaintiff in the Schrems II case, challenged this finding, claiming that US security and surveillance laws and practices do not offer sufficient protection against access and use of transferred data by US public authorities, even for Privacy Shield participants.

A non-binding opinion from the Advocate General of the CJEU issued in December 2019 proposed that the CJEU need not review the validity of the Privacy Shield in the Schrems II case. However, the CJEU chose to review the validity of the Privacy Shield and sustained Schrems’ challenge, finding that the limitations in US law on the protection of personal data transferred from the EU and relating to the access and use by US public authorities of such data “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” In part, the CJEU found that this is because US surveillance laws are not limited to what is strictly necessary, as is required by the principle of proportionality, which is a fundamental principle of the GDPR. Additionally, the CJEU found that certain surveillance laws do not indicate any limitations on the power they confer, do not provide data protection guarantees equivalent to those in EU law for potentially targeted non-US persons, and do not grant EU data subjects actionable rights before the courts against the US authorities. As a result, the CJEU declared that the Privacy Shield provides an inadequate level of data protection and is thus invalid as a data transfer mechanism.

The CJEU’s decision notes that its invalidation of the Privacy Shield does not create a “legal vacuum.” Rather, with the Privacy Shield declared invalid, the over 5,300 US companies that currently rely on the EU-US Privacy Shield framework for data transfers from the EEA will need to identify and rely on alternative data transfer mechanisms to continue transfers of personal data from the EEA. Such companies may be able to rely on derogations set forth in the GDPR for specific situations involving the transfer of personal data, such as when the data subject has provided explicit and informed consent to the proposed transfer or the transfer is necessary to perform a contract. However, such derogations are meant for use in specific situations and not on a routine basis. Thus, US companies that currently rely on the Privacy Shield for data transfers from the EEA should look to lasting alternative data transfer mechanisms, such as the SCCs, or binding corporate rules for internal transfers within a multinational group of companies.

Standard Contractual Clauses

Schrems also challenged the validity of the SCCs because of the lack of protection against access and use of transferred data by US public authorities, in part because the SCCs are contractual in nature and US public authorities are not bound by them, not being a party to the contract. However, the CJEU found that the validity of the SCCs was not called into question by the mere fact that the SCCs do not bind the authorities of the non-EEA country to which personal data is transferred. Rather, the key inquiry is whether the transferred data is adequately protected in practice.

While the CJEU upheld the validity of the SCCs, it also clarified how the SCCs must be applied and subjected their use to closer scrutiny. The CJEU noted that even when using the SCCs, it may be necessary to supplement the data protection guarantees contained in the SCCs with other clauses or additional safeguards. For example, additional safeguards are necessary when a country’s laws impose obligations on the recipient of data from the EEA that are contrary to the data protection guarantees in the SCCs and are thus capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that country. The CJEU’s decision notes that if the parties entering into the SCCs cannot guarantee the protections required by EU law, whether through the SCCs alone or with additional safeguards where necessary, the controller and processor are required to suspend or end the transfer of personal data to the country at issue.

While the SCCs remain valid, organizations that currently rely on them will still need to assess whether there is an “adequate level of protection” for the personal data transferred under the SCCs and, if not, implement additional safeguards to provide this level of protection, as required by EU law. Companies should review their use of the SCCs and document their decisions and assessments regarding the adequacy of protection for data transfers from countries in the EEA.

Moving Forward

In a press release issued July 16, 2020, the US Department of Commerce, which administers the Privacy Shield, stated that it was “deeply disappointed” that the CJEU invalidated the Privacy Shield, while also noting that it is “still studying the decision to fully understand its practical impacts.” The US Department of Commerce said that it hopes to “be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.” How exactly it will do so is currently unknown, so it falls to companies to take active measures within their organizations to continue data transfers with countries in the EEA.

Importantly, the US Department of Commerce confirmed that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification. Further, the US Department of Commerce noted that the CJEU decision “does not relieve participating organizations of their Privacy Shield obligations.”

Many companies will be faced with questions and concerns about the continuation of transfers of personal data from the EEA. Companies should proceed with actions to confirm and ensure that they carry out data transfers with countries in the EEA pursuant to a mechanism that provides adequate protection for the data, as required by EU law.

The CJEU’s press release can be found here and the CJEU’s decision can be found here. If you need assistance complying with the GDPR or creating policies and agreements for transfer of data subject to the GDPR, please contact one of our Cybersecurity & Data Privacy attorneys.
