In a landmark case, the European Court of Justice has invalidated the EU-US Privacy Shield framework. This decision, Schrems II, is a major development impacting the operations of United States businesses transferring data from the European Union. With the Privacy Shield framework invalid, U.S. businesses operating in Europe should consider developing new strategies to ensure data privacy compliance.
Why the Decision Matters
Schrems II impacts data privacy compliance for U.S. companies operating in the European Union. While the decision does not halt the transfer of information from the European Union to the United States, it does complicate the legal analysis. For example, data transfers may continue subject to “standard contractual clauses” and other “supplementary measures.” The Schrems II decision does not allow for a grace period, meaning the change is effective immediately.
U.S. companies may be subject to European data privacy laws, including the General Data Protection Regulation (GDPR), if they have as little as one customer, employee, or business contract in the European Union.
The Privacy Shield was criticized by European privacy groups from its inception. The Privacy Shield legal framework governed the transfer of data from the European Union to the United States. Established after the invalidation of the International Safe Harbor Privacy Principles in 2015 (the Schrems I decision), the Privacy Shield allowed United States companies to obtain the information of European Union citizens. The Privacy Shield framework attempted to balance compliance with European Union data privacy laws, most notably GDPR, with maintaining commercial activity and contractual obligations.
The United States announced that it will continue to abide by the Privacy Shield. U.S. Commerce Secretary Wilbur Ross stated, “Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
What Caused the Decision?
Decided on July 16, 2020, Schrems II cites concerns regarding the lack of U.S. protection for the data privacy of European citizens under Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333, and other electronic mass surveillance programs.
The lead plaintiff in the case is European privacy activist Max Schrems, who brought the action in his individual capacity as a Facebook user. Applauding the historic decision, Schrems commented, “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
What Happens Now?
U.S. companies should review their data privacy programs to ensure compliance with both domestic and European laws. The European Data Protection Board issued an FAQ document with important initial guidance.
Among other issues, the FAQ addresses the possibility of using Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) to transfer data to the United States. Whether or not personal data may be transferred on the basis of BCRs will depend on an assessment of the specific circumstances of the transfers and any supplementary measures in place.
Similarly, SCCs remain enforceable on a case-by-case basis. Subject to limitations, companies may also rely on “derogations” under GDPR Article 49. These may include consent, or transfers necessary for the performance of a contract.
Companies can also implement technical changes to mitigate compliance risk. Although these measures are not comprehensive solutions, they may be important steps. Some of these technical changes may include greater use of data encryption and physically storing data in the European Union rather than the United States.
Companies may need to amend their privacy policies to provide notice that the Privacy Shield is no longer their only method for the cross-border transfer of data. It is important to note that companies should continue to maintain their Privacy Shield obligations to minimize risk under U.S. laws.
Schrems II signals a new era for the transfer of data from Europe to the United States. Updated guidance from the European Data Protection Board is anticipated to provide additional clarity on important details. In the interim, companies should consider a comprehensive review of their data privacy policies. This may include meeting with counsel to assess their specific legal obligations.