Schrems II: Court of Justice of the European Union Ruling
On Thursday July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a ruling in the case known as Schrems II (C-3111/18), in which mechanisms for personal data transfers between the EU and the U.S. were challenged on the argument that U.S. law does not adequately protect EU personal data. In the Schrems II decision, the CJEU struck down the EU-U.S. Privacy Shield and called into question the adequacy of Standard Contractual Clauses (“SCCs”) in the context of data transfers to the U.S.
The General Data Protection Regulation (“GDPR”) provides that the transfer of EU personal data to a non-EU country may only take place when an adequate level of data protection is guaranteed. Some countries have received an “adequacy decision” indicating that their national laws ensure a level of protection substantially similar to the GDPR. In 2015, the Schrems I decision invalidated the previous adequacy agreement between the EU and the U.S., the so-called Safe Harbour. The Safe Harbour was eventually replaced by the EU-U.S. Privacy Shield, which the European Commission declared adequate in 2016. Since then, the only acceptable U.S.-specific mechanism for transfers of EU personal data to the U.S. has been the EU-U.S. Privacy Shield.
The CJEU in Schrems II explained that it rejected the Commission’s adequacy determination for two reasons. First, U.S. intelligence agencies have access to personal data in a way that the Court views as violating the fundamental rights of EU data subjects. Second, EU data subjects are not afforded an effective remedy for redress of violations of their rights. The Schrems II ruling effectively renders the EU-U.S. Privacy Shield useless.
There are other established ways to provide for the transfer of EU personal data out of the EU into the U.S., which are not U.S.-specific. Some companies incorporate EU approved Standard Contractual Clauses (“SCCs”) into their agreements, contractually binding parties to adhere to stringent data protection standards that meet GDPR requirements. Some families or groups of companies put in place Binding Corporate Rules (“BCRs”) that guarantee a certain level of data protection for intra-group data transfers and use SCCs for transfers to third parties outside the group.
The CJEU has clearly rejected the EU-U.S. Privacy Shield, but what is less clear is how its ruling will affect the validity of the other two mechanisms, SCCs and BCRs. In its ruling, the CJEU validated the use of SCCs for transfers, affirming that this mechanism makes it possible in practice to ensure compliance with the level of protection required by EU law. However, the CJEU’s opinion that U.S. law does not provide adequate protection for personal data once it arrives in the U.S. remains an issue. The CJEU’s decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend the transfer if that level is deemed non-adequate. In addition, the court stressed the obligation of each data protection authority (“DPA”) in all EU member states to suspend the transfer of personal data if they deem the transfer unsafe under EU data protection requirements. Since the CJEU has already proclaimed the ability of U.S. intelligence agencies to access personal data stored on U.S. servers to be a violation of fundamental rights, the implication is that companies may be required to suspend transfers to the U.S. because of the inadequacy of the data protection provided by U.S. law. The CJEU in its decision noted that organizations may implement additional safeguards, over and above those contained in the SCCs, to ensure an “adequate level of protection” for the personal data transferred. It is unclear at this stage what form those additional safeguards would take, or whether it is even feasible for private companies to offer any level of protection against U.S. government surveillance that would be deemed adequate.
Given this uncertainty, it is not clear how companies that have self-certified to the EU-U.S. Privacy Shield and rely upon it as the mechanism for EU-U.S. data transfers should proceed. Since the EU-U.S. Privacy Shield is no longer a valid transfer mechanism for EU personal data, these companies will need to decide upon an alternative legal basis to enable transfers under the GDPR. SCCs, with or without BCRs, are among the options to be considered. However, given that the CJEU called into question whether either of these would be sufficient, they are not perfect options.
U.S. companies facing this problem could also review GDPR Article 49 for a derogation that would provide an avenue to legitimize the transfer. This may be the solution for some, but it will leave others in a conundrum. The “derogations,” which the European Data Protection Board clarified in 2018 could be used for certain otherwise non-compliant data transfers, are not supposed to be used for repetitive or regular transfers. The guidelines issued in 2018 note that personal data may only be transferred under these derogations if the transfer is occasional and not repetitive. In other words, the transfer “may happen more than once, but not regularly,” and may occur “under random, unknown circumstances and within arbitrary time intervals.”
Under current circumstances, the best option, though admittedly imperfect, may be to use SCCs and/or BCRs and to implement internal measures intended to ensure an adequate level of protection for the personal data transferred from the EU. At this point, it is not clear what measures will be deemed adequate, but it is clear that the EU-U.S. Privacy Shield is not. If you have previously relied on self-certifying to the EU-U.S. Privacy Shield to legalize data transfers from the EU to the U.S., please let us know if you require assistance or guidance on the other mechanisms available after Schrems II.