On July 16, 2020, the European Court of Justice issued one of its most important decisions on data privacy law (Schrems II), holding that the EU-US Privacy Shield is no longer a viable mechanism for EU-US data transfers under the European General Data Protection Regulation (GDPR). Entities that relied on the Privacy Shield will immediately need to find another basis for their EU-US personal data transfers.
Under the GDPR, international transfers of European Union residents’ data must come with some kind of assurance that the data, once transferred to the other country, will retain essentially the same protections that it did under the GDPR. One form of assurance is an “adequacy determination,” made by the European Commission on a per-country basis, that the country to which the data will be transferred protects data at an adequate level.
The U.S. has not received a full-blown adequacy determination because of European concerns regarding the level of personal data protection in the country, especially relating to government surveillance. (Those concerns led to the invalidation, in 2015, of the “Safe Harbor” arrangement that allowed for transfer of personal data to the U.S.) But in 2016, the European Commission found the U.S. adequate only for those companies that complied with the EU-US Privacy Shield, developed after the invalidation of Safe Harbor. The Privacy Shield is a program administered by the Department of Commerce, through an agreement with the European Commission, under which entities self-certify that they will protect personal data in certain ways. Thus, European entities were free to transfer data to U.S. companies that self-certified under the Privacy Shield, without violating the data transfer provisions of the GDPR.
The Schrems II Decision and Its Effects
The Schrems II decision invalidates the European Commission’s adequacy decision with respect to the Privacy Shield. Essentially, the court held that the surveillance powers of the United States government exceed what would have been permitted under European law. In other words, the Privacy Shield is insufficient because it does not adequately protect Europeans’ data from U.S. public authorities. Thus, under Schrems II, companies can no longer rely on the Privacy Shield’s self-certification framework to transfer data between the EU and the U.S.
The decision has immediate effect, and companies that have relied on the Privacy Shield should at once begin devising alternative methods to transfer data to the U.S. (see below). It is possible that national regulators will forgo enforcement for a short time to enable companies to come into compliance. This occurred after the invalidation of Safe Harbor. While no longer a member of the European Union, the UK has issued such guidance – its national regulator (the Information Commissioner’s Office) has stated that companies that are currently using the Privacy Shield may keep doing so until it issues further guidance. Other regulators have not weighed in as of the time of publication.
Alternatives to the Privacy Shield
Schrems II does not rule out any of the other methods for transferring Europeans’ data to the U.S. under the GDPR. Currently, the primary alternative method is for the sending and receiving entities to enter into a contract requiring both entities to take certain measures to protect Europeans’ data. The European Commission has created a standard form for such contracts (known as “Standard Contractual Clauses”) which entities must use without amendment. Another method is for certain entities sharing data to each implement a set of “binding corporate rules” approved by national regulatory authorities. Finally, entities can also obtain specific consent from individuals to authorize cross-border transfers, although obtaining such consent can be cumbersome: it requires specific language noting the risks of transfer to the U.S. and requires further interaction with member state data protection authorities.
While national data protection authorities retain discretion on enforcement of data privacy transfers, individuals retain private rights of action to enforce violations. This means that individuals who are damaged by future international data transfers that rely on the Privacy Shield could have legal recourse against entities involved in the transfer. One important open question is to what extent those rights are retroactive (that is, whether individuals can challenge transfers made under the Privacy Shield since the Privacy Shield came into existence), as well as whether courts will find liability when entities have complied in good faith with the Privacy Shield.
The U.S. Department of Commerce issued a statement on the heels of the decision noting both that it will continue to administer the program (that is, it will continue to accept certification and re-certification applications) and that Privacy Shield certified companies remain responsible under the program for the obligations they have committed to.
If you are Privacy Shield certified, you should seek the advice of counsel to determine how this decision affects your policies, contracts, and transfer practices. The picture is currently fluid, and we will alert you to any further significant changes.