As discussed in a previous advisory, the European Union’s supreme court, the Court of Justice of the European Union (CJEU), invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield) in its July 16, 2020 decision in the “Schrems II” case (case C-311/18). Though this development complicates the transfer of personal data from the European Union to the United States, it does not completely bar it. The CJEU’s ruling upheld the use of standard contractual clauses (SCCs) as a valid transfer mechanism, subject to a potential need to implement additional safeguards. Other transfer mechanisms, such as binding corporate rules and specific derogations for certain limited transfers, also remain valid.
The more than 5,400 companies signed up under the Privacy Shield program now seek guidance from U.S. and European authorities regarding how to continue to legally transfer data. Responses from regulatory authorities on each side of the Atlantic have been mixed.
European Response
The national data protection authorities of most EU nations immediately issued statements regarding the July 16 decision. In its response to the ruling, Spain’s data protection authority echoed the sentiment of many other authorities in emphasizing the desire to craft a common approach and response to the decision through cooperation in the European Data Protection Board (EDPB), a European body composed of representatives of the national data protection authorities.
On July 23, 2020, the EDPB adopted a set of frequently asked questions on the July 16 CJEU ruling. Critically, the EDPB points out that companies have no grace period during which they can continue to transfer data in reliance on the Privacy Shield. Whether a company is using binding corporate rules or SCCs, the EDPB instructs companies to conduct a case-by-case assessment of contemplated data transfers, “taking into account the circumstances of the transfers, and supplementary measures [companies] could put in place.” The EDPB will continue its analysis of the July 16 ruling and will provide further guidance regarding the types of legal, technical or organizational measures that could be used to ensure compliance with the ruling.
In Germany, where multiple data protection authorities exist, Germany’s Federal Commissioner for Data Protection and Freedom of Information stated that after full publication of the ruling and deliberations in the EDPB, “the focal point will be the revision of the standard contractual clauses by the European Commission, as well as the need for the USA to ensure that the European people enjoy the same fundamental rights as US-nationals.” Certain data protection authorities of the German Länder took a more aggressive position. The Hamburg Data Protection Commissioner called the CJEU decision to uphold the use of the SCCs inconsistent with the logic behind the court’s Privacy Shield decision. The Berlin Commissioner for Data Protection and Freedom of Information directed Berlin companies that are transferring personal data to service providers in the US to switch to service providers in the EU or in a country with an appropriate level of data protection.
The UK’s Information Commissioner’s Office also issued a statement on July 27, 2020 recognizing the challenges imposed on businesses by the CJEU decision and vowing to apply “a risk-based and proportionate approach” in its role as a supervisory authority.
U.S. Response
Both the U.S. Department of Commerce and the Federal Trade Commission have said that they expect companies to continue to comply with their obligations with respect to transfers made under the Privacy Shield Framework. The Federal Trade Commission further advised companies to “continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.”
On August 10, 2020, the U.S. Department of Commerce and the European Commission issued a joint press statement reporting that they had “initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment” and recognized “the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies.”
Practical Guidance
- Organizations that have historically relied on Privacy Shield should inventory all transfers of data from the EU to the U.S. to determine what legal mechanism may be used going forward. In the short term, SCCs or derogations for specific transfers may be appropriate.
- Organizations should not abandon their adherence to the Privacy Shield Principles with respect to information they have collected and transferred under the Privacy Shield Framework. U.S. regulators have made clear that organizations are expected to continue to comply with their public commitments to protect personal data, consistent with the Privacy Shield Principles.
- Organizations that choose to use SCCs as an alternative data transfer mechanism must evaluate whether additional safeguards may be required to ensure an adequate level of protection for personal data being transferred. Although data protection authorities have not provided guidance on what additional safeguards may be adequate, organizations may consider supplementing SCCs to include processes to report any circumstances where a party cannot comply with SCCs due to a government access request and make contingency plans should a need arise to suspend any particular transfer.
- Organizations should continue to monitor guidance from European data protection authorities and U.S. regulators, including any potential replacement of the Privacy Shield to inform their long-term compliance strategy with respect to cross-border data transfers.