On Thursday, July 16, the European Court of Justice (“CJEU”) invalidated the EU-U.S. Privacy Shield framework for international data transfers in its decision in the “Schrems II” case (Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems, and intervening parties, Case C-311/18).
Why is this important?
Many U.S.-based as well as multi-national companies rely on the Privacy Shield framework as their means for legally transferring personal data from the European Economic Area (“EEA”) to the United States. As a result of the CJEU’s ruling, transfers made solely under Privacy Shield are now illegal. Without the Privacy Shield, it’s as if these companies are left with a broken bridge across the Atlantic. They’ll now need to implement a new legal means for transferring the personal data. In the worst-case scenario, these companies may be left with no choice but to suspend data transfers completely. This can impact internal transfers as well as external/onward transfers of personal data.
Backstory:
GDPR requires a valid legal mechanism for cross-border (aka international) transfers of personal data (Articles 44 through 46) that ensures the recipient provides a level of data protection that is “essentially equivalent” to the level of protection provided under the GDPR. It’s important to note that the GDPR affirmatively prohibits data transfers unless this “essentially equivalent” level of protection is met. In other words, GDPR-level protections are meant to follow the personal data wherever it goes. This standard is designed to protect the data–and the individual data subjects–when the data is transferred outside of Europe. Privacy Shield was established as a means to meet the requirement for “essentially equivalent” protection. Because of concerns regarding U.S. government surveillance, the validity of Privacy Shield was brought into question, and ultimately, the CJEU ruled that Privacy Shield does not meet the standards required of a “compliant” transfer mechanism under GDPR.
What Does This Mean for Us—Key Take-Aways
- Key Take-Away: All transfers of personal data from the EEA to the U.S. are on shaky ground right now, regardless of the transfer mechanism used. The impact of this ruling also goes beyond transfers to the U.S. to any third country where “essentially equivalent” protections could be in question.
- Find a new transfer mechanism: If you’re using Privacy Shield as your data transfer mechanism, either for internal (aka “intra-group”) transfers or external/onward transfers, you’ll need to find an alternative. There are other options–primarily the Standard Contractual Clauses (“SCCs”), which are a set of contractual terms in the form of a standardized agreement that has been approved by the European regulators. However, the ability of the SCCs to provide “essentially equivalent” protections for transfers to the U.S. has also been called into question.
- No grace period: In a set of FAQs about the Schrems II judgment, the European Data Protection Board (“EDPB”) stated that there is no grace period for transfers taking place under Privacy Shield.
- Privacy Shield is still in effect: It’s important to note that even though the Privacy Shield has been invalidated, it hasn’t gone away. Privacy Shield is still in effect, and the Department of Commerce has issued a statement that it intends to continue administering the framework. According to the statement, the CJEU’s judgment “does not relieve participating organizations of their Privacy Shield obligations.” (See below for a link to the statement.) That means organizations certified under Privacy Shield are still on the hook for complying with its requirements.
- Risk assessments needed: While the CJEU did not invalidate the SCCs outright, it did state that they may not provide a sufficient level of protection depending on the laws of the country where the data is received. This is particularly true of the United States and its current surveillance laws. Where transfers are taking place under the SCCs, it’s now advised that companies conduct a risk assessment on a case-by-case basis to evaluate whether the SCC’s protections would meet the “essentially equivalent” standard under GDPR. According to the EDPB’s FAQs, the assessment should consider the circumstances of the transfer and supplementary protections that could be implemented. Based on input from European regulators, if there are large volumes of data and/or sensitive data at issue, a company will likely need to implement additional protections, perhaps contractually as well as security safeguards. The EDPB stated that it is currently working on guidance regarding possible additional safeguards. Companies will also need to document the risk assessment and the rationale for why a chosen transfer mechanism is sufficient to meet the GDPR standards. The EDPB stated that if appropriate safeguards cannot be assured, companies are required to suspend the data transfers. If transfers cannot be suspended, companies would need to notify their relevant local EU Supervisory Authority.
- Proactively manage transfers: The CJEU pointed out in its ruling that recipients of data (aka data importers) are required to notify the data exporter of any inability to comply with the SCCs or any supplementary protections. In the event of any inability to comply, data exporters would need to suspend the transfer and/or terminate the contract with the importer. This necessitates a proactive approach when it comes to transfers, which would include active monitoring of transfers and of importer compliance, and may even require suspensions of transfers. In the past, the suspension of transfers seemed a remote and very unlikely possibility. In the current climate, what we once thought was impossible is now a very real possibility that we need to be prepared to manage.
- New SCCs are coming: It’s important to note that the European Commission has been developing an updated set of SCCs. As a result, it’s likely that new SCCs will be issued at some point in the future. It’s possible that the new SCCs could address some of the concerns raised by the Schrems II ruling.
What Should We Do—Recommended Action Steps
- If you were relying on Privacy Shield to facilitate any cross-border data transfers, you’ll want to find and implement a new mechanism to facilitate those transfers right away. Your most likely bet right now is the SCCs (see above).
- If you were planning to self-certify under the EU-U.S. Privacy Shield framework, we recommend not moving forward with the certification at this time.
- If you are currently certified under Privacy Shield, you will still need to comply with its principles and requirements. We recommend retaining your Privacy Shield certification for the time being, until more guidance is made available.
- If any of your vendors were relying on Privacy Shield to facilitate transfers, you will need to amend your agreements to implement the SCCs or another compliant cross-border transfer mechanism.
- If you’re relying on the SCCs and/or begin to implement SCCs as your transfer mechanism, conduct a risk assessment to determine if the level of “essentially equivalent” protection is met and document your assessment. Consider implementing additional protections where large volumes of data or sensitive data are involved, if possible. If the “essential equivalence” standard is not met, you may need to consider suspending transfers or turning to data localization in the EU, if possible.
- Review and evaluate your current international data transfers to all third countries. Limit the volume and scope of data transferred wherever possible. Identify whether you need to implement new or additional safeguards for other countries beyond the United States.
- Don’t panic. This is not new or unexpected. Back in 2015, the predecessor to Privacy Shield, the EU-U.S. Safe Harbor framework, was invalidated. Privacy Shield was put in place in an effort to resolve the concerns around Safe Harbor. Just as we did back in 2015, we will figure this one out and find a path forward! It’s time to get creative and find new solutions.
Resources
- For the SCCs, go to: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
- For the EDPB’s FAQs, go to: https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf
- For the Department of Commerce’s statement, go to: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
We recognize that we’re current in a period of stormy waters for international data transfers, but we’re ready to help you identify your next steps. If you have questions, please feel free to reach out a member of your Paradigm Team. If you do not know who to contact please send an email to jackie@paradigmcounsel.com or maureen@paradigmcounsel.com.