What to do now that the EU-US Privacy Shield Framework is invalid

The CJEU underlined that, in order to meet the adequate level of protection requirement, the receiving country must ensure, by reason of its domestic law or its international commitments, an essentially equivalent level of protection as provided in the EEA.

Organizations can no longer rely on Privacy Shield as a mechanism for cross-border data transfers from the EU to the US. The CJEU’s reasoning for the invalidation of Privacy Shield was twofold:

• US law gives US authorities the right to collect personal data about EU data subjects without adequate safeguards
• EU data subjects lack effective means to seek redress against the U.S. government.

SCCs remain valid

The CJEU’s decision in Schrems II also creates considerable uncertainty around another legal mechanism that legitimizes transfers of personal data out of the EU: Standard Contractual Clauses (SCCs). The SCCs are a standard set of contractual terms and conditions that are preapproved by EU Data Protection Authorities and that require both the exporter and importer of personal data to offer an equal level of protection for EU personal data and to extend rights of redress, including recognizing the EU data subject as a third-party beneficiary to the contract with a corresponding right to enforce.

The CJEU upheld the validity of the SCCs, but noted that transferred data must receive an equivalent level of protection provided by the GDPR and the EU Charter of Fundamental Rights.

Increased supervisory authority oversights

Supervisory authorities responsible for enforcing the GDPR may suspend or prohibit SCC-based, cross-border data flows if they determine that the SCCs are not (or cannot be) complied with and that the required protections cannot be ensured by other means.

Evaluate risk exposure and potential impacts

With no grace period in place, organizations should immediately evaluate their risk exposure, identifying all personal data flows originating from the EU, as well as any data flow that processes EU citizen personal information. They should prioritize flows to the US and other jurisdictions in which the organization operates and that do not have an adequacy decision by the European Commission.

Countries deemed adequate by the European Commission are jurisdictions where personal data can flow from the EU to that country without any further safeguards being necessary.

Once at-risk personal data sets are identified, organizations should evaluate the impact to their business if the EU personal data set was no longer accessible, which may include a material disruption to business operations, degradation to business intelligence analytics and breach of contract. Legal counsel will require this detail to support risk-informed decisioning on actions that may include agreeing to the other mechanisms or additional protections to data exporters with respect to EU personal data.

Shift to transfer mechanisms still valid under GDPR

All organizations that transfer personal data outside the EEA will need to rethink their strategy when it comes to transferring personal data of EEA citizens to non-EEA countries, and to the US in particular. Since approved certifications and codes of conduct are not yet fully operational, and since derogations usually do not apply, this mainly equates to SCCs and Binding Corporate Rules (BCRs).

Depending on features of the local legal system in third countries, transferring entities will need to establish additional safeguards when an equivalent level of protection could not be guaranteed, for example, if access to personal data by public authorities is not balanced according to EU expectations.

Assess SCCs on a case-by-case basis

Organizations relying on SCCs must now assess whether the level of protection is adequate on a case-by-case basis. Relevant considerations for this include, but are not limited to, any additional contractual provisions that may apply and any applicable third-country laws that give the government access to the transferred data.

BCRs

Notably, BCRs were not addressed as part of the Schrems II decision. BCRs may only be used for intracompany transfers (or transfers between enterprises engaged in a joint economic activity) and must first be approved through a stringent process by multiple data protection authorities.

Organizations also may look to consent, necessity and other derogations outlined under Article 49 of the GDPR that allow for personal data transfers. However, regulatory guidance from the European Data Protection Board has construed these derogations very restrictively, and organizations should approach them with caution.

Transfer of aggregated data

One strategy immediately available to address the sudden loss of data transfers under Privacy Shield is the transfer of aggregated data.

Provided that the fidelity of the aggregated data is determined, many organizations have long utilized the approach of aggregating or de-identifying data so that the ultimate purpose of the data was to study or perform analytics (for example, if an organization transfers financial transactions for the purposes of aggregating them and balancing finances at the end of a business day). This approach avoids the need to use Safe Harbor, Privacy Shield, SCCs or BCRs.

It is important to note that EU-based organizations, in their role as data exporter, remain responsible for ensuring adequate safeguards when transferring personal data to the US. This means that they cannot transfer the personal data when there are insufficient safeguards.

Especially in a controller-to-controller relationship, the suggested actions for the related countries are highly similar (despite their geographical spread). Both US and EU organizations should align to defined actions, such as re-evaluating their data strategy, having insight in data flows, and identity and access management. The GDPR applies to both, and organizations should comply with the requirements.

However, while the GDPR applies for EU countries, US-based global companies should also consider local privacy regulations, such as the California Consumer Privacy Act (CCPA). This can sometimes lead to additional complexities and even conflict.

While organizations will need to replace Privacy Shield reliance with a new legal basis for transfers, it is important to note that existing Privacy Shield obligations remain enforceable by the U.S. Federal Trade Commission. In a statement issued by the U.S. Secretary of Commerce, Wilbur Ross affirmed that “today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

While the U.S. Department of Commerce was quick to respond to the CJEU’s decision, expect the full response from the US to be lengthy and disjointed. The COVID-19 pandemic and upcoming presidential election are likely to stall any effort at comprehensive privacy legislation at the federal level until 2021 at the earliest.

In the absence of meaningful action at the federal level, it is possible that we could see efforts by individual states to obtain adequacy with the EU. Particular attention should be paid to California, which continues to make comprehensive data protection a priority. In recent months, the CCPA has come into force, and the state saw the successful ballot initiative for the California Privacy Rights Act of 2020 (CPRA). That being said, California (and other US states) face an uphill battle in obtaining EU adequacy — if passed, CPRA is not scheduled to come into force until 2023, which would mean significant time before an adequacy decision is made, requiring additional measures to be implemented to fill the vacuum of Privacy Shield.

As of writing, no grace period has been identified for compliance with the CJEU’s decision in Schrems II, and there is consensus that all access and transfers since invalidation could be considered a violation of the GDPR subject to fines amounting to the greater of €20m or 4% of worldwide revenue. Additionally, the stigma of noncompliance has the potential to damage the reputation and brand equity of the 5,400 firms registered for the Privacy Shield, as well as threaten customer loyalty, especially in the EU. Financial costs aside, organizations will need to carefully assess the compliance and reputational risks of noncompliance in light of these developments.