European Union's Highest Court Invalidates EU-U.S. Privacy Shield
On July 26, in the Schrems II decision, the Court of Justice of the European Union (CJEU) announced that the EU-U.S. Privacy Shield is no longer an acceptable mechanism for trans-Atlantic personal data transfers. The EU has always deemed U.S. data protection law to be inadequate. That means that under the EU's General Data Protection Regulation (GDPR), transferring personal data of EU residents to the United States is presumed to be illegal. One way around the problem was for U.S. companies receiving EU data to sign up for the U.S. Department of Commerce's Privacy Shield, under which the U.S. company certifies that it provides EU-level data protection. Thousands have done so. But that option is now closed, with Schrems II taking immediate effect.
At the core of the CJEU's Schrems II decision is the concern that U.S. public authorities can compel the disclosure of the personal data of EU residents without granting them rights before those authorities that are equivalent to those provided under the GDPR. The CJEU explained that "the limitations on the protections of personal data arising from the domestic law of the United States on the access and use by US public authorities…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary." This decision comes five years after the Schrems I case, in which the CJEU invalidated the Privacy Shield's predecessor, the Safe Harbor, due to similar concerns about public authorities accessing the information in a manner inconsistent with the privacy rights of EU residents.
SCCs Are Still Valid
The CJEU did, however, uphold the continuing use of Standard Contractual Clauses (SCCs), which many companies also rely on to make trans-Atlantic data transfers legal. The SCCs are contractual provisions published by the EU that data exporters and importers can sign (without varying them in any way), pursuant to which the parties to the transfer commit to EU-level protections. But the CJEU made clear that businesses must look closely at whether their data is particularly vulnerable to public authorities and, if it is, take as-yet-unspecified measures to provide an adequate level of protection. Companies must ensure that the SCCs provide a "level of protection essentially equivalent to that guaranteed within the EU by the GDPR." Further, companies must do their due diligence in monitoring their compliance and ability to satisfy their obligations.
What Comes Next?
Given the impact of Schrems II, urgent U.S.-EU negotiations have already begun. The U.S. Department of Commerce will continue to administer the Privacy Shield, which means that Schrems II does not relieve parties of their obligations under the Privacy Shield framework. Nonetheless, it remains unclear whether the Privacy Shield will be replaced or reformed and what Schrems II means for U.K.-U.S. data transfers in the context of Brexit. The GDPR will apply in the United Kingdom until the end of 2020, but what happens next year is unknown at this point.
For now, there are two realistic approaches that U.S. companies can take to make their data transfers from the EU legal:
- Obtain specific consent from the affected EU data subjects to export their data from the EU to the United States; or
- Use the SCCs.
(It is also possible for companies to adopt "Binding Corporate Rules" — essentially, to amend their charter — to ensure EU-level data protection, but few U.S. companies have tried this cumbersome approach.) In addition, companies should monitor U.S.-EU negotiations as well as any guidance the EU may issue.
The lawyers of Robinson Bradshaw's Cybersecurity and Privacy Practice Group are following developments daily and stand ready to help.
This article was prepared with the assistance of Camila Rohena-Maldonado, a rising 3L student at UNC School of Law.