The World According to Schrems: The CJEU Invalidates the Privacy Shield for Data Transfer from the EU to the US. What Now?
On July 16, 2020, the Court of Justice for the European Union (CJEU) issued its much-anticipated opinion addressing the available privacy and data protection mechanisms in the EU’s General Data Protection Regulation (GDPR) that govern the cross-border transfer of personal data between the EU and the US. Unofficially referred to as “Schrems II,” the main questions before the Court were whether the EU-US Privacy Shield and the standard contractual clauses (SCCs) remain valid mechanisms for international data transfers from the EU to the US under current US law. In a long and nuanced opinion, the CJEU invalidated the Privacy Shield, creating a major compliance question for thousands of companies and bringing to a halt one of the most commonly used mechanisms for facilitating data transfers from the EU to the US.
The Privacy Shield is Invalidated—But What about Standard Contract Clauses?
While its ruling invalidated the Privacy Shield, the Court did uphold and strengthen the use of SCCs as an international data transfer mechanism. However, the Court’s reasoning left open whether SCCs could remain a viable replacement for EU-US data transfers, noting that US government surveillance and the lack of judicial redress are fundamentally incompatible with the European Charter of Human Rights, which guarantees the right to a private life and protection for one’s personal data. Simply stated, the EU’s Charter characterizes privacy and data protection as a “human” right, and under US law, privacy is not codified in the Constitution and has been classified as a “property” right.
There is No Simple Fix, but there are Steps to Take
Of course, it is not realistic for companies to wait for further clarity. With Schrems II invalidating the Privacy Shield as of July 16, 2020 (with no grace period as yet defined), the immediate concern is what organizations can implement in place of the Privacy Shield. If the Privacy Shield is the only mechanism in place to govern data transfers from the EU to the US, most privacy professionals advise adopting the SCCs for these transfers as soon as possible, even though there were no definitive answers from the Court as to whether or not the SCCs will be viable for US transfers in the future. For those entities with SCCs currently implemented, the general recommendation is to “wait and see,” but there are certain steps a company can take to protect its data transfers using SCCs. In the interim, it is likely that the European Data Protection Board (EDPB) will issue further guidance on these issues in the near future. Additionally, most expect that the European Commission will release the much-anticipated updates to SCCs after incorporating the Court’s opinion and bringing them further in line with the GDPR. The European Commission and the member state Data Protection Authorities understand that companies will have to find a solution sooner rather than later, despite the risk and uncertainty.
Navigating a compliant path post-Schrems II will be challenging without experienced legal counsel. The Privacy and Data Protection team at Butzel has worked in this area of law since the 1995 implementation of the EU’s Data Protection Directive. We have assisted clients as they have self-certified under both the US Safe Harbor and the Privacy Shield, and have drafted Data Protection Agreements implementing the SCCs. We would be pleased to guide you whether your focus is replacing your Privacy Shield mechanism with SCCs, or conducting the necessary assessment on your existing SCCs to address the inadequacies raised in the CJEU opinion.
 The CJEU is the highest court in the EU.
 A prior decision from October 2015, known as Schrems I, invalidated the US Safe Harbor self-certification program developed by the Department of Commerce to address the cross-border transfer of personal data between the EU and the US in response to the EU’s 1995 Data Protection Directive (Directive 95/46/EC). With the invalidation of the Safe Harbor, the Department of Commerce developed and implemented the Privacy Shield in August 2016, which purported to address the data privacy and security concerns voiced in Schrems I. Effective May 25, 2018, the General Data Protection Regulation (GDPR) replaced the EU’s Data Protection Directive.
 The US Department of Commerce issued a quick response stating that the Privacy Shield was still valid within the United States and would continue to be enforced by the FTC.
 Standard Contract Clauses originated with the Data Protection Directive and have been used both for data transfers to Controllers and to Processors located outside of the EU as a transfer mechanism by hundreds of thousands of organizations since 1995.
 The SCCs, also called the Model Clauses, were developed to align with the 1995 Data Protection Directive. Amendments to these Clauses have been expected since the GDPR superseded the Data Protection Directive in 2018.