The sword finally fell. Last week, the European Union’s (EU) highest court, the Court of Justice (CJEU), invalidated Privacy Shield. Privacy Shield was a legal framework that enabled EU companies to process data in the United States. Briefly, the CJEU determined that Privacy Shield conflicted with the EU’s General Data Protection Regulation (GDPR). The CJEU pinpointed U.S. jurisprudence on electronic monitoring as incompatible with European data privacy standards. The decision also called Standard Contractual Clauses (SCCs), an alternative data transfer mechanism, into question. Theoretically, SCCs remain an option. For now.
The case, Facebook Ireland Ltd. v. Maximillian Schrems, was popularly known as Schrems II after Austrian gadfly and privacy advocate Max Schrems. Schrems, a former exchange student at Temple University in his law school days, has long campaigned against transferring European data to the United States. In Schrems I, a case decided by the CJEU in 2013, he got the CJEU to strike down Privacy Shield’s predecessor, Safe Harbor. Privacy Shield was the replacement mechanism.
The United States, European Commission, and Switzerland had negotiated the Privacy Shield framework. It was a legal mechanism to ensure that any personal EU data transfer to the United States complied with European law. Under the program, companies could register with the Department of Commerce. They agreed to adhere to a set of standards in processing EU data. In return, the EU permitted the transfer of personal data to the United States. Technically, this permission was an “adequacy” determination. Observers had long predicted that Privacy Shield was on shaky legal ground. Their predictions proved accurate at the CJEU last week.
Schrems II originated in a complaint against Facebook to the Irish Data Protection Commissioner. Schrems complained that Facebook was impermissibly relying on SCCs to transfer data to the United States. He argued that the arrangement violated fundamental European privacy principles. The Irish Data Protection Commission referred the question to the CJEU. The CJEU addressed the issue along with various others, including Privacy Shield, in its decision.
The CJEU did not have to strike down Privacy Shield to address Schrems’ concerns. Schrems had focused on a different mechanism, the SCCs. But the court opted to reach the Privacy Shield issue anyway. It determined that Privacy Shield did not provide adequate protection of EU personal data in the United States. It was concerned with several American legal issues. It alluded to standing requirements in American courts which it viewed as a way to deny legal redress for privacy violations. And it viewed large scale electronic surveillance combined with sweeping data collection practices as disproportionate, and at odds with the EU’s fundamental data privacy principles.
The CJEU highlighted U.S. government access to personal data combined with the lack of legal recourse. In paragraph 168, it expressed doubts about whether American law furnishes an adequate level of protection. It also expressed skepticism whether the United States could offer “effective judicial protection” against government interference.
The CJEU was also concerned with Section 702 of the Foreign Intelligence Surveillance Act (FISA). In paragraph 180 it noted that Section 702 did not restrict the powers it conferred to undertake surveillance for foreign intelligence purposes. Nor did Section 702 contain guarantees for non-U.S. persons potentially targeted. Absent such protection, Privacy Shield could not stand.
That said, in Schrems II, the CJEU did not directly strike down SCCs. It held that SCCs may adequately protect EU personal data. But SCC use does not guarantee such protection. The parties that rely on them must evaluate the arrangement to determine whether the United States offers adequate protection for EU personal data. Since the judgment has already disparaged U.S. legal protections elsewhere, and since the United States will not share the details of, much less extensively revise, its intelligence data collection practices, SCCs seem to be a dead letter as well. The CJEU held that where a country falls short, the parties could buttress SCCs with “additional safeguards.” But it offered no guidance on the shape of such safeguards.
The CJEU did approvingly refer to a third potential mechanism: derogations. How derogations are used in private contracts remains to be seen. Nor did the CJEU prohibit the GDPR’s Binding Corporate Rules. These remain valid for now.
What happens next is an open question. There is justified indignation in the United States about the ruling. After all, EU member states reserve the right to protect their own national security despite GDPR strictures. And the CJEU did not address the adequacy of any other country’s data collection practices. Many have data collection regimes far more sweeping than the United States. Washington is unlikely to offer any more concessions at this point, particularly if the United States appears to confront moving goalposts and is singled out for scrutiny.
Companies need immediate guidance, however. The Berlin DPA responded to the Schrems II decision by withdrawing permission to transfer data under Privacy Shield. Others are awaiting instructions from the European Data Privacy Board. Three steps seem appropriate. First, the Commerce Department and Federal Trade Commission continue to enforce Privacy Shield. Since certification no longer offers benefits, companies should consider withdrawing from the program. Note that most, though not all, EU regulators offered grace periods following Schrems I. EU officials have already spoken of revising Privacy Shield to address the decision. Companies will need to determine whether they can conform to such revisions in the short term. In the long term, they need to consider whether a revised Privacy Shield can survive a Schrems III.
Second, they should evaluate the basis of any data transfer from the EU. In particular, they should determine whether such a transfer offers an adequate level of protection. Given the secrecy surrounding intelligence programs, this may be difficult. Third, they should monitor incoming guidance and incorporate it into their contractual obligations.
Companies should identify alternative options as the basis of data transfers in the short term. These can be interim measures, for example consent where available. Longer term, they will need a more permanent legal foundation such as Binding Corporate Rules. If you receive EU personal data, Poyner Spruill will be glad to help you evaluate the impact of Schrems II, and identify the best path forward.