On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s decision establishing the Privacy Shield framework for international personal data transfers from the European Union to the United States. Other data transfer mechanisms, in particular the Standard Contractual Clauses adopted by the European Commission (SCCs), remain valid. But the SCCs are on shaky ground. That’s because the reasons invoked by the CJEU to invalidate the Privacy Shield – relating to U.S. government surveillance practices – apply to any data transfer mechanism. Below is an analysis of the specific implications of the CJEU ruling on Privacy Shield and an assessment of what happens next with SCCs.
Max Schrems, an outspoken privacy activist in the EU, lodged a complaint with the Irish Data Protection Commissioner (DPC) in 2013 alleging that Facebook Ireland was unlawfully transferring his personal data to Facebook Inc. in the U.S. because the U.S. did not ensure adequate protection of personal data against government surveillance activities. The matter was referred through the Irish courts to the CJEU, which ruled, in October 2015, that the Safe Harbor framework (Privacy Shield’s predecessor) was invalid. When the matter went back to the DPC, the complainant reformulated his complaint to challenge transfers based on SCCs. Again, the matter was referred to the CJEU by way of the Irish High Court, this time with questions covering both Privacy Shield and SCCs.
Before addressing the specific impacts on Privacy Shield and SCCs, it is important to highlight several significant clarifications provided by the CJEU in its ruling:
Based on this third conclusion, the court invalidated the Privacy Shield, but left open the question whether data transfers to the U.S. pursuant to SCCs could meet the “essentially equivalent” standard.
The Privacy Shield framework has now been invalidated, effective the date of the decision and with no grace period. The CJEU concluded that this will not create a legal vacuum because the GDPR provides alternatives to the Privacy Shield data transfer mechanism. So, companies relying on Privacy Shield can no longer do so and must adopt an alternative (like SCCs, discussed below). But their Privacy Shield commitments remain binding and are enforceable by the Federal Trade Commission. Companies self-certified to the framework must therefore continue to satisfy their respective obligations, including the requirements for transparency and dispute resolution.
It’s possible that the European Commission and the Department of Commerce will go back to the drawing board for an updated framework. But they cannot accomplish this task alone, as the CJEU’s decision suggests this will require U.S. legislative action, either to revise surveillance norms or provide for effective redress mechanisms.
SCCs will almost certainly become the default data transfer mechanism. But now they will require more than the administrative effort of filling in the blanks and executing. Instead, as the CJEU’s decision indicates, the contracting parties will have to analyze each data transfer to determine whether the law of the destination country, taken together with the clauses and any supplementary measures the parties adopt, provides an essentially equivalent level of protection. And this analysis must be documented consistent with the GDPR’s accountability principle.
Adopting SCCs will require the data exporter to determine whether the data importer has been, or is likely to be, the subject of a government surveillance data request in the destination country and whether the data involved in the transfer is of the type typically subject to such a request. In practical terms, though, it will fall upon the data importer to provide sufficient guarantees that it (or the data) is unlikely to be the target of a government data request. Certain data sets may more easily allow for such guarantees, but others – especially if used in certain sectors – may not. Where the importer cannot comply with the clauses and no supplementary measures close the gap, the exporter is expected to suspend the transfer or terminate the contract, and the CJEU was clear that supervisory authorities must suspend or prohibit such transfers themselves.
Last, the CJEU decision will prompt the European Commission to update the SCCs, which predate the GDPR. This may be a welcome development.
In ruling that the Privacy Shield is invalid, the CJEU called into question U.S. law surrounding government surveillance activities. And those questions exist regardless of whether a data transfer is conducted under Privacy Shield or any of the other data transfer mechanisms provided for in the GDPR. Companies will have to be thoughtful in their approach to data transfers and assess those transfers to ensure an “essentially equivalent” level of protection to that provided under the GDPR.
If you have any questions, please contact Camila Tobón.