On July 16, the Court of Justice of the European Union cited concerns raised about the level of protection for personal data transferred from the EU to the U.S. and determined the EU-U.S. Privacy Shield Framework (Privacy Shield) is invalid—removing one of the mechanisms available to lawfully transfer personal data from the EU to the U.S. under the GDPR.
The court found the Privacy Shield inconsistent with requirements under the EU GDPR. As the CJEU is the highest court in the EU, this ruling cannot be appealed or challenged. See C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Max Schrems (Schrems II).
The result in the Schrems II case is largely the same as the CJEU’s decision in Schrems I, where the CJEU declared Safe Harbor (the predecessor to Privacy Shield) was invalid based on the fact that U.S. legislation did not limit interference with an individual’s rights to what is strictly necessary. See Case C-362/14, Maximillian Schrems v. Data Protection Commissioner ECLI:EU:C:2015:650 (Schrems I).
Other Mechanisms for Cross-Border Data Transfers
After Schrems I, in order to lawfully transfer personal data into the U.S. from the EU, organizations had to utilize one of the other mechanisms for cross-border data transfers authorized under the GDPR’s predecessor, the EU Data Protection Directive, until Privacy Shield was approved in July 2016. Now, companies that relied on Privacy Shield must utilize one of the alternative mechanisms authorized under GDPR.
One of those mechanisms, the standard contractual clauses previously approved by the European Commission in Commission Decision 2010/87/EU in February 2010, was also challenged in Schrems II.
However, unlike Privacy Shield, the standard contractual clauses were affirmed by the CJEU as a valid transfer mechanism that may remain a viable option to lawfully transfer personal data. That affirmation, though, was conditioned on ensuring that the use of the standard contractual clauses for a given transfer is sufficient to ensure a level of protection that is “essentially equivalent” to that of the EU.
This requires an assessment of not only the terms of the standard contractual clauses, but also all of the circumstances around the disclosure, including assessing governmental authority to access the imported data.
If an exporter and importer determine that their use of standard contractual clauses for a particular transfer cannot ensure a level of protection adequate to the GDPR, an alternative transfer mechanism (if available) must be used. Otherwise, the transfer is non-compliant with the GDPR. The CJEU also noted in its opinion that where the exporter and importer fail to meet these obligations, the supervisory authorities would have an obligation to step in and stop such transfers. In response, German supervisory authorities in Hamburg and Berlin, as well as the Autoriteit Persoonsgegevens in the Netherlands, have released statements cautioning EU controllers against cross-border transfers to the U.S. based upon standard contractual clauses.
Given that the standard contractual clauses were approved more than eight years before GDPR went into effect, they represent an imperfect solution. As they were drafted to comply with the Directive’s requirements (which were not as robust as the requirements under the GDPR), entities that utilize standard contractual clauses typically must enter into additional data protection agreements to ensure the transfers comply with the GDPR’s additional requirements.
Also, the standard contractual clauses only apply to controller-to-controller and controller-to-processor transfers. Thus, there are no standard contractual clauses available for a processor to transfer personal data to a sub-processor outside the European Economic Area.
One hope is that the decision in Schrems II will serve to expedite the European Commission’s work on updating the standard contractual clauses to harmonize them with the GDPR and the complexities involved in global commerce.
Issues with Consent, Binding Corporate Rules
The GDPR provides other mechanisms to transfer personal data from the EU to the U.S. These include obtaining a data subject’s consent to the transfer. However, this is not available for all transfers. For example, an employer cannot transfer employee personal data on the basis of consent, given the disparate bargaining power between an employer and an employee.
Another mechanism, binding corporate rules, may be available to multinational organizations to facilitate internal transfers.
Binding corporate rules are an internal mechanism designed to allow multinational companies to transfer personal data from a company within the group that is located within the EU to a company within the group that is located in a country outside the EU. Unlike standard contractual clauses, binding corporate rules cannot simply be adopted and used.
For example, an organization seeking to utilize binding corporate rules must first put adequate safeguards in place designed to protect personal data throughout the entire organization in line with the requirements under the GDPR, and, before relying on those rules to engage in personal data transfers to companies within the group that are located outside the EU, the organization must obtain approval from the competent data protection authority in the EU. The approval process may involve several data protection authorities if the organization has entities in more than one EU country.
Additional Steps Necessary
In addition to implementing new mechanisms to transfer personal data from the EU to the U.S., companies that relied on the now invalid Privacy Shield likely need to take additional steps in light of the Schrems II decision.
Updating privacy policies may appear to be an easy process, but before doing so, companies should evaluate whether certain disclosures made in their privacy policies in connection with Privacy Shield can simply be deleted.
Aside from updating privacy policies, companies will likely need to take additional actions, including modifying data protection agreements and evaluating whether internal policies and procedures are consistent with the requirements in the standard contractual clauses or the binding corporate rules.
If history is any lesson, there is room for optimism that the Privacy Shield will be replaced, just as Safe Harbor was; however, there is no timetable as to when that may happen or what the replacement mechanism will look like.
There is also the hope that this will spur the European Commission to adopt new standard contractual clauses that align with the GDPR and provide a more consistent structure for companies to lawfully transfer personal data from the EU to the U.S.
Although it is expected that data protection authorities will offer some type of limited grace period for compliance as they did with Safe Harbor, companies that have relied on the Privacy Shield should begin establishing alternative mechanisms that comply with the GDPR and ensure that their contractual obligations, procedures and policies align with the necessary changes.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Elizabeth Rogers is a partner in Michael Best’s Privacy & Cybersecurity Group, where she counsels clients on a variety of regulatory, cybersecurity compliance, and technology-specific privacy matters.
Rebecca Gerard is an associate in Michael Best’s Privacy & Cybersecurity Group, where she works closely with clients to help them protect their data assets and comply with complex regulations.
Guy Sereff is a senior counsel in Michael Best’s Privacy & Cybersecurity Group, where he counsels clients on privacy and data security matters including compliance with U.S. and E.U. data protection and privacy laws, the development of company privacy programs, and responding to and mitigating data breaches.