For months, the global digital trade community has been awaiting the decision of the Court of Justice of the European Union (CJEU) in the “Schrems 2” case, a case that focused on conditions for the transfer of personal data from the European Union to the United States. The details of the original complaint that was filed initially against Facebook by Maximilian Schrems have become almost irrelevant because the decision affects countless organizations located throughout the world. The major question was whether standard contractual clauses (SCC) used as a means of establishing “adequate protection” of personal data transferred from data exporters located in the European Union or European Economic Area did in fact result in that expected “adequate protection”. The CJEU decision is comprised of two elements:
- The EU-US Privacy Shield is invalidated
- The Standard Contractual Clauses (Controller to Processor) are upheld, but they face major challenges and hurdles
In its decision published on July 16, the Court of Justice of the European Union looked at both the EU-US Privacy Shield and the SCCs. It invalidated the Privacy Shield, thereby destroying the virtual bridge that allowed 5,378 US-based self-certified organizations to conduct business with entities located in the European Union and European Economic Area. It preserved the SCC (Controller to Processor) ecosystem but created significant challenges to it, imposing new constraints and obstacles on the countless organizations, located both in the US and abroad, in their global digital trade with their European partners.
The Basic Premise
The premise of the decision is that currently the US national security, public interest and law enforcement laws have primacy over the fundamental rights of persons whose personal data are transferred to the US. They do not take into account the principles of proportionality and are not limited to collecting only that data which is necessary. In addition, according to the CJEU decision, US law does not grant data subjects actionable rights before the courts against US authorities.
EU-US Privacy Shield Invalidation
The CJEU determined that the protection provided to personal data in the United States is inadequate to meet the level of protection of privacy and privacy rights guaranteed in the EU by the GDPR and the EU Charter of Fundamental Rights.
According to the decision, the US surveillance programs are not limited to what is strictly necessary, and the United States does not grant data subjects actionable rights against the US authorities. Further, the Ombudsperson program does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law. Therefore, the EU-US Privacy Shield is no longer a legal instrument for the transfer of personal data from the EU to the US.
The immediate consequence of the invalidation of the EU-US Privacy Shield is that more than 5,000 US organizations, and their trading partners throughout the European Union and the European Economic Area, are left stranded with no way out. The invalidation declared by the CJEU takes immediate effect. These transfers must cease. This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic.
Standard Contractual Clauses
The Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid. However, the Court found that, before a transfer of data may occur, there must be a prior assessment of the context of each individual transfer that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to such data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection, as defined under EU law. Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses. If such protection is lacking, the parties are obligated to suspend the transfer or terminate the contract. Thus, while the SCCs (controller-to-processor) remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that adequate protection is and will be provided.
- Organizations that exchange or have access to personal data of residents of the EU or EEA should promptly assess the mechanisms currently in place to ensure the legality of their transfer of personal data outside the European Union.
- If the organization has relied only on the EU-US Privacy Shield as a mechanism to ensure the legality of its personal data transfers, it should immediately halt the transfer of personal data out of the EU. It should evaluate alternative means, most likely in the form of Standard Contractual Clauses. For transfers that cannot be covered by SCCs, derogations under Article 49 of the GDPR might apply.
- If the organization – whether located in the United States, or anywhere in the world – already has SCCs in place, the CJEU decision adds a significant hurdle in the form of a requirement for a prior evaluation of the protection to be offered to individuals.
- As always, ensure that these decisions and analyses are adequately documented, and proper records kept.
- Keep in mind that while the Privacy Shield is invalidated as a means to legalize cross-border data transfers, US organizations that have signed up with the Shield program remain responsible for continuing to protect previously collected data in accordance with the promises and representations made in their privacy policies and self-certifications.
- Stay informed of the developments in the next few days. It is expected that EU/EEA member state data supervisory authorities will publish useful guidance on how to react to the decision. Some have already published comments and provided guidance.