In an action with major ramifications for data transfers from the European Union (EU) to the United States (U.S.), the Court of Justice of the European Union (CJEU) on July 16 invalidated the EU-U.S. Privacy Shield framework (Privacy Shield), which provided a critical, lawful method for transferring personal data from the EU to the U.S. Entities relying on the Privacy Shield need to act quickly to rework the legal basis for those transfers. The CJEU somewhat limited the impact by finding that the Standard Contractual Clauses (SCCs) remain valid. As a result, transfers based on the SCCs may continue, subject to some additional guidance and caveats from the CJEU.
The CJEU’s finding resolved an appeal from the Irish High Court regarding a case known as Schrems II, initiated by Austrian privacy advocate, Max Schrems. The Irish High Court asked the CJEU for a preliminary ruling on the validity of the SCCs and Privacy Shield.
The SCCs are contract provisions that the European Commission issued for the international transfer of personal data outside of the EU, and they impose certain privacy compliance obligations on non-EU data recipients. The Privacy Shield is a separate scheme that permits the transfer of EU personal data to the U.S., which requires companies to self-certify that they comply with certain privacy principles.
The CJEU held that the Privacy Shield program is invalid because it does not provide adequate data protections for people in the EU. The Court found that the data collection and surveillance programs operated by U.S. intelligence agencies “are not limited to what is strictly necessary” and that “[t]he requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred.” Additionally, the Court found that U.S. law does not provide EU citizens with adequate remedies to seek protections.
The CJEU did not, however, invalidate the SCCs. The CJEU determined that the SCCs do offer sufficient protections if data importers and exporters can verify that appropriate legal protections are in place prior to the completion of a data transfer. Further, non-EU importers have a duty to inform EU data exporters if they cannot comply fully with the SCCs, in which case the exporter must suspend the transfer and/or terminate the contract with the importer.
As a result of the CJEU’s finding, businesses that transfer personal data from the EU to the U.S. should take the following steps:
- Determine which of their data transfers rely on the Privacy Shield.
- Begin implementing alternative data transfer mechanisms. For most entities, this means amending contracts to incorporate the SCCs.
- Review the SCCs to confirm that the parties can comply and that EU data is adequately protected given the context of the particular data transfer. Executing the SCCs is no longer a rote, check-the-box exercise. For sensitive data, companies may rely more on encryption. In some cases, companies may choose data localization in the EU.
- Revise data-processing notices so that they accurately reflect the new mechanisms used to transfer data lawfully.
- Monitor statements from EU supervisory authorities for guidance going forward, and adapt practices as necessary.
The European Data Protection Board published a Frequently Asked Questions (FAQs) document to provide answers to some of the common questions received by the supervisory authorities in connection with the Schrems II decision. It provides information on the Court’s holding and offers guidance for companies moving forward. The FAQs can be found here.