
European Court of Justice Decision Creates Havoc in Global Digital Exchanges: One Shot Down, One Seriously Injured; 5,300 Stranded

Posted by fgilbert on July 16th, 2020

At long last, the European Court of Justice (EUCJ) has published its decision in the “Schrems 2” case. The EUCJ was tasked with reviewing the effectiveness of the mechanisms used in the context of cross-border data transfers. A key question was whether standard contractual clauses (SCC), used as a means of establishing “adequate protection” for personal data transferred out of the European Union or European Economic Area, did in fact ensure the level of “adequate protection” defined in the EU General Data Protection Regulation and the European Charter of Fundamental Rights.

The decision, published on July 16, looked at both the EU-US Privacy Shield and the SCCs. It invalidated the Privacy Shield, thereby destroying the virtual bridge that allowed 5,378 US-based Shield self-certified organizations to conduct business with entities located in the European Union and European Economic Area. It preserved the SCC (controller-to-processor) ecosystem but created significant challenges for it, imposing new constraints and obstacles on the countless organizations, located both in the US and abroad, that rely on SCCs for their global digital trade with their European partners.

The Basic Premise

The premise of the decision is that US national security, public interest and law enforcement laws currently have primacy over the fundamental rights of persons whose personal data are transferred to the US. They do not take into account the principle of proportionality and are not limited to collecting only that data which is necessary. In addition, according to the EUCJ decision, US law does not grant data subjects actionable rights before the courts against US authorities.

EU-US Privacy Shield Invalidation

The EUCJ determined that the protection provided to personal data in the United States is inadequate to meet the level of protection of privacy and privacy rights guaranteed in the EU by the GDPR and the EU Charter of Fundamental Rights.

According to the decision, the US surveillance programs are not limited to what is strictly necessary, and the United States does not grant data subjects actionable rights against the US authorities. Further, the Ombudsperson program does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law. Therefore, the EU-US Privacy Shield is no longer a legal instrument for the transfer of personal data from the EU to the US.

The immediate consequence of the invalidation of the EU-US Privacy Shield is that more than 5,000 US organizations, and their trading partners throughout the European Union and the European Economic Area, are left stranded with no way out. The invalidation declared by the EUCJ takes immediate effect. These transfers must cease. This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic.

Standard Contractual Clauses

The Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid. However, the Court found that, before a transfer of data may occur, there must be a prior assessment of the context of each individual transfer that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to such data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection, as defined under EU law. Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses. If such protection is lacking, the parties are obligated to suspend the transfer or terminate the contract. Thus, while the SCCs (controller-to-processor) remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that adequate protection is and will be provided and, subsequently, continuously monitored.

What’s Next?

  • Organizations that exchange or have access to personal data of residents of the EU or EEA should promptly assess the mechanisms currently in place to ensure the legality of their transfer of personal data outside the European Union.
  • If the organization has relied only on the EU-US Privacy Shield as a mechanism to ensure the legality of its personal data transfers, it should immediately halt the transfer of personal data out of the EU. It should evaluate alternative means, most likely in the form of Standard Contractual Clauses. For transfers that cannot be covered by SCCs, derogations under Article 49 of the GDPR might apply.
  • If the organization – whether located in the United States or anywhere in the world – already has SCCs in place, the EUCJ decision adds a significant hurdle in the form of a requirement for a prior evaluation of the protection to be offered to individuals and ongoing monitoring.
  • As always, ensure that these decisions and analysis are adequately documented, and proper records kept.
  • Remember to ensure integration and consistency with existing documents such as the organization’s privacy policy or its records of processing activities.
  • Keep in mind that while the Privacy Shield is invalidated as a means to legalize cross-border data transfers, US organizations that have signed up with the Shield program remain responsible for continuing to protect previously collected data in accordance with the promises and representations made in their self-certifications.
  • Stay informed of the developments in the next few days. It is expected that EU/EEA member state data supervisory authorities will publish useful guidance on how to react to the decision. Some have already published comments and provided guidance.