If you receive personal information from the European Union, there has been a significant change in the law. On July 16, 2020, the Court of Justice of the European Union released its decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”), which altered the law governing data transfer from the European Union to the United States under the General Data Protection Regulation (GDPR). Understanding the impact will be important not only to stay in compliance with the GDPR, but also to anticipate questions and issues from counterparties who must comply with the GDPR in their data transfers.
Under the GDPR, international transfers of European Union residents’ data must come with some kind of assurance that the data, once transferred to the other country, will retain essentially the same protections that it did under the GDPR. One form of assurance is an “adequacy determination,” made by the European Commission on a per-country basis, that the country to which the data will be transferred protects data at an adequate level.
The U.S. has not received a full-blown adequacy determination because of European concerns regarding the level of personal data protection in the country, especially relating to government surveillance. (Those concerns led to the invalidation, in 2015, of the “Safe Harbor” arrangement that allowed for transfer of personal data to the U.S.) But in 2016, the European Commission found the U.S. adequate only for those companies that complied with the EU-US Privacy Shield, developed after the invalidation of Safe Harbor. The Privacy Shield is a program administered by the Department of Commerce, through an agreement with the European Commission, under which entities self-certify that they will protect personal data in certain ways. Thus, European entities were free to transfer data to U.S. companies that self-certified under the Privacy Shield without violating the data transfer provisions of the GDPR.
The Schrems II Decision and Its Effects
The Schrems II decision invalidates the European Commission’s adequacy decision with respect to the Privacy Shield. Essentially, the court held that the surveillance powers of the United States government exceed what would have been permitted under European law. In other words, the Privacy Shield is insufficient because it does not adequately protect Europeans’ data from U.S. public authorities. Thus, under Schrems II, companies can no longer rely on the Privacy Shield’s self-certification framework to transfer data from the EU to the U.S.
In addition to the Privacy Shield, however, another regularly used mechanism for data transfer – Standard Contractual Clauses (SCCs) – is in question. While the CJEU did not invalidate the SCCs as a data transfer mechanism, the court’s reasoning did call into question whether they could be used to transfer personal data to the U.S. given the court’s surveillance concerns.
The decision does not permit a grace period. Companies that have relied on the Privacy Shield should at once begin devising alternative methods to transfer data to the U.S. (see below). However, the U.S. Department of Commerce and Federal Trade Commission have made clear that they will still hold companies to their commitments under the Privacy Shield program, and plan to continue the program. While there may be certain market or contractual benefits to continuing to certify, it is important to understand that the primary purpose of the Privacy Shield – to allow for lawful transfer of personal data from the EU to the U.S. – is no longer a functioning aspect of the program.
Enforcement and Guidance
The GDPR places enforcement power in individual EU member states (and violations of the law can lead to fines of up to 4% of global revenue), apart from the rights of action that individuals have. Each EU member state has different enforcement priorities and resources, different data privacy offices, and different implementing legislation. This means there have been, and will be, differences in how EU member states approach enforcement. As of this writing, EU data protection authorities are largely following guidance from the European Data Protection Board that, “Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your [risk] assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.” What this means in practice remains unclear. While member state authorities have taken the CJEU decision seriously, in practice widespread enforcement could slow trans-Atlantic data transfers to the detriment of economic activity.
For now, businesses that transfer personal data from the EU to the U.S. can no longer rely on the Privacy Shield. Relying on SCCs might still be reasonable, but businesses should think carefully about how they can control for privacy and security and understand the risk of possible enforcement for an invalid transfer. Where possible, businesses should consider using consent as a transfer mechanism, but the consent must be worded carefully and, in some instances, might be difficult to obtain. If you have complex data transfer needs, consult with counsel, and try your best to be patient: the situation is still in some flux.