Privacy Shield Invalidated: Implications for US Businesses

Over the summer, the Court of Justice of the European Union (CJEU) released its ruling on 16 July in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillan Schrems (Schrems II), which invalidated the EU-US Privacy Shield.  The EU-US Privacy Shield was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Economic Area to the United States. As a result of the Schrems II decision, the EU-US Privacy Shield framework is no longer a valid mechanism to comply with General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the United States. The transfer of data between the EU and the US is essential for commerce between these two regions and this decision has profound implications for data transfers between the US and the European Economic Area as more than 5,000 businesses are currently certified under the EU-US Privacy Shield.

Businesses can’t simply attach SCCs to a contract and assume the data transfer complies with the GDPR.

Schrems II was brought by an Austrian privacy activist, Max Schrems, a Facebook user who challenged the legality of Facebook’s handling of his personal information under European privacy law. Schrems later filed a complaint with the Irish Data Protection Commissioner, challenging Facebook Ireland’s reliance on Standard Contractual Clauses (SCCs) as a legal basis for transferring personal data to Facebook servers in the US. The Irish Data Protection Commissioner, who investigated Schrems’ complaint, brought proceedings against Facebook. Ireland’s High Court referred these issues to the CJEU to determine the validity of the SCCs and the EU-US Privacy Shield. In the Schrems II decision, the CJEU evaluated the requirements of US national security laws, that in certain cases enables access by the US government to personal data which, according to the CJEU, results in insufficient protection of EU personal data. The CJEU noted that the Privacy Shield could not prevent access and use of personal data by US government authorities. Further, the Ombudsperson mechanism in particular does not provide substantially equivalent guarantees to those required by EU law. As a result, the CJEU found that EU data subjects do not have actionable rights before the US courts. While businesses can no longer rely upon for EU-US data transfers, the CJEU did uphold the SCCs which are still a permissible legal transfer mechanism with certain caveats. Businesses can’t simply attach SCCs to a contract and assume the data transfer complies with the GDPR. The CJEU explained that some due diligence will be required prior to any transfer of data to verify whether the law of the third country of destination ensures adequate protection.

In response to the Schrems II decision, some European Data Protection Authorities (DPA) have responded by issuing public statements or guidance on data transfers. Norway’s DPA issued frequently asked questions explaining how businesses should handle data transfers. The German DPA has taken an extreme stance in recommending that data transferred to the US should stop, even when using SCCs that include additional safeguards. The European Data Protection Board, whose mission is to ensure consistent application of the GDPR, published frequently asked questions on 24 July 2020. On 10 August 2020, European Commissioner for Justice Didier Reynders and US Secretary of Commerce Wilbur Ross released a joint press statement announcing that they have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the Schrems II decision but haven’t set a timeline for any new framework.

While there is no longer an incentive to stay Privacy Shield certified, from a corporate governance point of view, Privacy Shield does have principles embodied by European law so companies may still want to uphold those principles by keeping their current certification.

Since Switzerland is not a member of the European Union, CJEU’s decision didn’t invalidate the Swiss-US Privacy Shield, however, in the aftermath of Schrems II, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland published its own statement on 8 September 2020. The FDPIC undertook its own analysis of the Swiss-US Privacy Shield and followed the lead of the CJEU in the Schrems II decision by arriving at the same conclusion that the Swiss-US Privacy Shield does not offer an adequate level of protection to safeguard personal data. Similar to the Schrems II decision, the FDPIC found that a lack of an enforceable legal remedy with regard to data access by US authorities warrants an invalidation of the Swiss-US Privacy Shield. Transfers that were previously based on the Privacy Shield framework will now need to be restructured using other transfer mechanisms.

If businesses are relying on SCCs, then businesses will need to determine if supplemental measures should be adopted taking into account the circumstances of the transfer and the law in the receiving country as required in Schrems II.

What does this all mean for US companies? For US companies that are certified under Privacy Shield, they are still obligated to abide by the Privacy Shield according to guidance issued by the US Department of Commerce in response to the Schrems II decision. In its guidance, the Department of Commerce stated that it is going to continue to administer the Privacy Shield and those obligations still exist for Privacy Shield certified companies. Companies that wish to withdraw need to formally withdraw and update their public privacy notices and contractual commitments. While there is no longer an incentive to stay Privacy Shield certified, from a corporate governance point of view, Privacy Shield does have principles embodied by European law so companies may still want to uphold those principles by keeping their current certification. But these Privacy Shield certified companies must adopt an alternative transfer mechanism such as SCCs or Binding Corporate Rules (BCRs) that will provide adequate safeguards for the continued transfer of the personal data. There is no grace period under the Schrems II decision so an alternative transfer mechanism will need to be implemented immediately. Customer agreements and data protection addendums will need to be evaluated and updated to reflect the new data transfer mechanism relied upon by the business to perform legal data transfers. If businesses are relying on SCCs, then businesses will need to determine if supplemental measures should be adopted taking into account the circumstances of the transfer and the law in the receiving country as required in Schrems II. European DPAs are still evaluating data transfers and may issue further guidance on data transfers so companies that are specifically concerned about data transfers from a particular EU member state, should continue to monitor guidance issued by the DPA in the relevant member state.

Ashley Thomas is an associate in the cybersecurity and privacy group at Morris, Manning and Martin LLP. She can be reached at athomas@mmmlaw.com or at 202.971.4266.