EU Strikes Down EU-US Privacy Shield; Validates Standard Contractual Clauses for Data Transfers
On July 16, 2020, the European Union’s Court of Justice (“CJEU”) issued its much-anticipated decision in the Schrems II case. The decision invalidates the EU-US Privacy Shield mechanism for transferring data from the EU to the US, finding that the Privacy Shield, the replacement for the EU-US Safe Harbor mechanism struck down in the first Schrems case, also lacked the protections afforded to EU residents under the General Data Protection Regulation (“GDPR”). However, the decision did leave companies with a way to transfer data from the EU to the US, as it also found that the “standard contractual clauses” are a valid transfer mechanism that ensures adequate protections for EU residents.
Maximillian Schrems, an Austrian resident and Facebook user since 2008, had some or all of his personal data collected by Facebook Ireland and transferred at some point to Facebook servers in the United States where that personal data was then processed by Facebook. Believing that the US failed to provide adequate protections for his personal data under the GDPR, Schrems lodged a complaint with the Irish supervisory authority in an effort to block the transfer of his personal data out of the EU. In an October 6, 2015, decision, the CJEU found that the EU-US Safe Harbor did not offer sufficient protection for EU residents’ rights and that transfers using the Safe Harbor were not valid under EU law. With the Safe Harbor now dead, Facebook Ireland began transferring data out of the EU pursuant to a set of standard data protection clauses deemed to protect, albeit contractually, the privacy rights of EU citizens.
Schrems, in the meantime, continued his complaint alleging that the laws of the US as a whole fail to protect EU privacy rights under the GDPR and that personal data in the US cannot be protected adequately, whether transferred under such standard data protection clauses or under the newly negotiated EU-US Privacy Shield (which replaced the Safe Harbor with increased data privacy protections).
On July 16, 2020, the CJEU agreed with Schrems in part and disagreed in part.
The CJEU first looked at the protections afforded by the standard contractual clauses and how those protections work in a country like the US, where the protections afforded are not of the level required in the EU. The CJEU said that in such circumstances, it must consider not just the clauses themselves, but how those clauses would operate in such a country, to make sure that the level of protection afforded is the level required in the EU. If a determination is made that the contractual clauses are sufficient on their face but the laws of the country in which they are being enforced limit the effectiveness of those clauses, then transfers to that country under standard contractual clauses must be suspended or prohibited. Looking at standard contractual clauses and their enforcement in the US, the CJEU found that effective mechanisms are in place “that make it possible, in practice, to ensure compliance with the level of protection required by EU law.”
The CJEU then turned to the Privacy Shield. Considering US concerns for national security, public interest, and law enforcement, and particularly that such concerns are given primacy over concerns of privacy, the CJEU found that the Privacy Shield does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law. That deficiency meant that the Privacy Shield lacked adequate protections to allow for the transfer of data from the EU to the US under the GDPR.
The first effect of this decision is that all the companies which, to date, had complied with, and transferred data under, the EU-US Privacy Shield must now cease transferring data out of the EU until they find a new way to do so that protects the privacy of EU residents. The second effect is that those companies are likely to shift to the use of standard contractual clauses. With the focus on standard contractual clauses, new versions of those clauses are likely to emerge to account for differences in practice, expanding the scope and usefulness of such clauses.
Regardless, what is clear from the Schrems II decision is that the protection of EU data subjects’ privacy needs to be a focus of those businesses working in the EU or with EU residents. Any failure to account appropriately for such privacy rights is likely to lead to issues that will adversely impact their businesses, their business practices, and their bottom lines.