CJEU Invalidates the EU-U.S. Privacy Shield
- KO Firm
- July 17, 2020
On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its judgment in the “Schrems II” case and invalidated the EU-U.S. Privacy Shield Framework as a mechanism for transferring personal data from the European Union to the United States. In the same judgment, the CJEU upheld the Standard Contractual Clauses (SCCs) as a valid transfer mechanism in general, but made clear that data exporters in the EU who enter into the SCCs must carefully evaluate the law and data protection practices of each country to which they will transfer personal data.
The ruling takes immediate effect, and companies that currently use the Privacy Shield as a transfer mechanism should act quickly to select and implement an alternative method.
Who is affected?
Any company that currently relies on the EU-U.S. Privacy Shield as a mechanism for transferring or receiving personal data from the European Union could be affected. This includes companies that transfer personal data to vendors, service providers, partners, affiliates, subsidiaries, and other parties that are Privacy Shield certified, as well as any U.S. companies that have self-certified to the EU-U.S. Privacy Shield. Over 5,400 companies are self-certified to the Privacy Shield. To see the full list of participating companies, check the Privacy Shield List.
What are the alternatives to the EU-U.S. Privacy Shield?
The Standard Contractual Clauses are one of the most common tools used to transfer personal data out of the EU. Companies that can no longer rely on the Privacy Shield should review their existing agreements that involve the processing of personal data from the EU and consider entering into the SCCs with counterparties who are either exporting or receiving EU personal data. Although the Schrems II decision validated the use of SCCs generally, the CJEU indicated that they may not be sufficient on their own to ensure that the importing country provides an adequate level of data protection. The CJEU made clear that data exporters must assess the data protection environment of the United States (and of any other third country, such as China or Russia) to which EU personal data will be transferred, and consider adding supplementary clauses or safeguards where needed. Notably, the CJEU pointed out that some importers of EU personal data may be subject to local or national obligations to disclose such data to public authorities or intelligence agencies; an importer in that position cannot comply with the SCCs, and the exporter must then suspend the transfer or terminate the contract.
Companies that choose to rely on the SCCs for data transfers should pay close attention to guidance from European authorities following the CJEU’s decision in Schrems II relating to the use of SCCs. In addition, now that the SCCs have been validated, the European Commission is expected to release an updated version of the SCCs that would modernize and align the terms with the EU GDPR.
Other alternatives to the EU-U.S. Privacy Shield include Binding Corporate Rules and the derogations provided for under Article 49 of the GDPR, such as the explicit consent of the data subject.
What can affected companies do now?
Affected companies should take stock of contracts that include references to the Privacy Shield to determine whether the company, or the other party to the contract, has guaranteed Privacy Shield compliance and what the company, or the other party to the contract, is obligated to do if the Privacy Shield is invalidated. It may be necessary to consider one or more of the alternative transfer mechanisms described above.
For companies with active certifications, note that both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks are still in place in the U.S. and their requirements are still in force. The U.S. Department of Commerce stated that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.” For the time being, transfers from the U.K. and Switzerland to the U.S. are still covered under the Privacy Shield Framework.
Remember that we have been here before, and history provides important lessons. The Privacy Shield’s predecessor, the Safe Harbor, was invalidated by the CJEU in 2015 (in the Schrems I case). The U.S. Department of Commerce, the European Commission and the Swiss administration then launched the Privacy Shield within a year. Another EU-U.S. self-certification mechanism could become available in the near future. In the meantime, the U.S. will be treated similarly to other third countries that lack a special arrangement like the Privacy Shield.