On 16 July 2020, the European Court of Justice (CJEU) invalidated the European Union (EU)-US Privacy Shield Decision, while upholding the validity of the Standard Contractual Clauses Decision (SCC Decision), and therefore the use of standard contractual clauses in order to transfer personal data to third countries.
The judgment compared and contrasted in detail the data protection regime in the US with that in place within the EU. Coming five years after the CJEU invalidated the ‘Safe Harbor’ arrangement, which protected organizations transferring personal data from the EU to the US, an initial reading of the CJEU’s Privacy Shield decision suggests that organizations transferring data from EU jurisdictions to the US will no longer find it relatively straightforward to do so, with significant additional measures now required.
However, our more business-oriented, pragmatic view is that there are a number of elements in the decision which do not necessarily mean that this is the case. Most organizations will need to re-think their data strategy when it comes to EU data – including dealing with jurisdictions other than the US – but this may not necessarily halt business operations. Depending on features of the local legal system in the third countries receiving EU data, transferring entities will need to establish additional safeguards where access to personal data by public authorities is not balanced according to EU expectations.
While we do not advocate any reactive moves from EU or US entities that were relying on Privacy Shield, we recommend a number of immediate steps for such organizations to take, including:
- Re-examine data strategy, including any reliance on third parties
- Update data mapping to ensure accurate data flow and volumes are based on current operating models
- Consider whether the “Standard Contractual Clauses” (SCCs) may be incorporated into current data transfer arrangements, acknowledging that the EU’s SCCs are due to be updated in the next couple of months
- Consider the organization’s risk tolerance for the uncertainty caused by the Privacy Shield Decision, including evaluating strategic options such as the process of establishing Binding Corporate Rules (BCRs) covering global data transfers within entities
- Continue to monitor EU responses to the CJEU’s decision, including whether or not to grant a "grace period" for organizations previously relying on Privacy Shield
Maximilian Schrems, an Austrian lawyer and long-time data privacy advocate, requested that Facebook prohibit or suspend the transfer of his personal data from Facebook Ireland (its European entity) to Facebook Inc., established in the United States, on the ground that this third country does not ensure an adequate level of personal data protection. Schrems claimed that “law and practice” in the US did not adequately protect personal data held in its territory from access by public authorities, and that there was no effective redress for EU data subjects.
The CJEU underlined that in order to meet the adequate level of protection requirement, a third country must ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.
In its judgment on the Privacy Shield Decision, the CJEU focuses on the US PRISM and Upstream surveillance programs (section 702 of the Foreign Intelligence Surveillance Act, known as FISA, Executive Order 12333 and Presidential Policy Directive PPD-28). Under these US laws, adherence to personal data protection principles may be limited “to the extent necessary to meet national security, public interest, or law enforcement requirements.”
With regard to these interferences, the CJEU considers that US law does not provide the required limitations and safeguards: neither s702 FISA nor Executive Order 12333 indicates any limitation on the power they confer to implement surveillance programs for the purposes of foreign intelligence, or the existence of guarantees for non-US persons potentially targeted by those programs. The CJEU also found that US law does not ensure effective judicial protection against these surveillance programs, for example because no actionable rights are conferred against US authorities, and consequently data subjects have no right to an effective remedy.
One issue raised and dealt with in the judgment is the idea of an independent Privacy Shield Ombudsperson acting as a check or balance on the power of US authorities. The CJEU decision specifies that the introduction of a Privacy Shield Ombudsperson cannot remedy the deficiencies set out above, as such a mechanism cannot be regarded as a “Tribunal” within the meaning of Article 47 of the Charter of Fundamental Rights of the European Union (EU Charter). One of the key principles for any such Tribunal is its independence from the Executive. The CJEU believes a Privacy Shield Ombudsperson could not demonstrate the required independence.
Unable to ensure a level of protection essentially equivalent to that arising from the EU Charter, the Privacy Shield Decision cannot ensure an adequate level of protection under Article 45(2)(a) of the GDPR.
While invalidating the Privacy Shield Decision, the CJEU confirms the validity of the SCC Decision. Indeed, the CJEU outlines that the SCC Decision “provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.”
The CJEU also outlines that competent supervisory authorities themselves are required to suspend or prohibit a transfer of personal data to a third country “where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.”
The CJEU’s ruling also invites organizations to assess whether SCCs provide sufficient protection in light of any access by the public authorities of the third country to the personal data transferred, and to consider the alignment of the legal system in place in this third country with EU benchmarks. The CJEU specifically discusses the rule of law, respect for human rights and fundamental freedoms, including legislation dealing with public scrutiny, defense, and public authorities’ rights to access personal data.
This statement not only concerns the US legal system but, on its face, applies to any non-EU legal system, especially legal systems that strike a different balance between public security and the protection of fundamental rights than the EU does.
The EDPB (the European Data Protection Board, which gathers all EU Member State supervisory authorities, the EDPS and a representative of the EU Commission) published FAQs (pdf) on the CJEU decision on 23 July 2020.
The judgment suggests:
- Any transfer of personal data based on the Privacy Shield constitutes a breach of the General Data Protection Regulation (GDPR), especially considering that no grace period has been decided as of today, either by the EDPB (see the EDPB position in the FAQs) or by Member State Supervisory Authorities (SAs).
- In any case, even if Member State Supervisory Authorities do not take enforcement action, it will be possible for data subjects to ask for compensation before the courts. In addition to the necessary shift toward transfer mechanisms which are still valid under GDPR (especially SCCs and BCRs, given that approved certifications and codes of conduct with binding and enforceable commitments are not yet operational), organizations will have to assess the situation of the third country in order to develop additional safeguards and supplementary measures.
As indicated by the EDPB in its FAQ: “whether or not you can transfer personal data on the basis of SCC (or BCR) will depend on the result of your assessment, taking into account the circumstances of the transfers and supplementary measures you could put in place. The supplementary measures along with SCCs (or BCRs) following a case-by-case analysis of the circumstances surrounding the transfer would have to ensure that US law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that…appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data you must notify your competent SA” (see FAQs).
- There is no clear guidance as of the date of publication from the EDPB and Member State Supervisory Authorities about the additional safeguards, and it will be difficult for any single organization to perform a comprehensive assessment of the legal system of a non-EU country in the way the EU Commission does when assessing the adequacy of the level of protection under Article 45. Please note that in its July 23 FAQ the EDPB has indicated that it will provide additional guidance shortly (see FAQs) and that “the Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the US applies for any third country. The same goes for BCRs” (see FAQs).
What organizations should do without delay:
- Map vendors/business partners located within the US, specifically focusing on those that are relying on Privacy Shield as the transfer vehicle to legitimize personal data transfers to the US
- Map intra-group cross-border data transfers from the EU to non-EU jurisdictions
- Qualify parties to cross-border data transfers from the EU to non-EU, non-adequate jurisdictions (Data Controller/Data Processor/Joint Controller)
- Identify the most appropriate transfer vehicle under GDPR (such as SCCs or BCRs), depending on the transferors (EU data exporters), the transferees (non-EU data importers) and the geographies involved
- Implement the new transfer mechanism and methodology within the organization’s group (intra-group and vis-à-vis third parties)
- Evaluate with legal counsel, when using GDPR-valid transfer mechanisms (SCCs or BCRs), the additional safeguards and supplementary measures needed to mitigate the risk of access to the transferred personal data by local public authorities where the legal system of the third country does not provide safeguards, enforceable rights and effective legal remedies ensuring a level of protection essentially equivalent to that in the EU
- Review the scope of personal data transferred to non-EU and “non-adequate” countries, update policies and procedures to reflect this requirement, and leverage data encryption, anonymization and pseudonymization to eliminate or manage the specific concerns around access by public authorities