10 minute read 28 Sep 2020

What to do now that the EU-US Privacy Shield Framework is invalid

Authors
Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader; EY EMEIA Financial Services ServiceNow Alliance Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.

Angela Saverice-Rohan

EY Americas Privacy Leader

Promotes cross-functional teamwork. Calm and steady in crisis. Wicked sense of humor. Mother of two.

Fabrice Naftalski

EY Global Head of Data Protection Law Services

Lecturer in Information Technology & Data Protection Law. Faculty member of IAPP. CIPP/E and CIPM holder. Certified EuroPrise Legal Expert. EY France DPO.

The Schrems II ruling creates new challenges for organizations’ cross-border data transfer with far-reaching consequences.

Three questions to ask
  • How should organizations evaluate their risk exposure now that the Privacy Shield Framework is invalid?
  • How can organizations build resiliency to privacy change, with controls that protect personal information while supporting the data needs of an organization?
  • How must organizations rethink their data strategy when transferring personal data from the European Economic Area (EEA) to third countries, and to the US in particular?

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in Data Protection Commissioner v. Facebook Ireland, Maximillian Schrems, commonly referred to as “Schrems II.” The decision invalidates the EU-US Privacy Shield Framework, the mechanism many organizations relied on to comply with the General Data Protection Regulation (GDPR) requirements for cross-border transfers of personal information (PI) to the US. Details of the decision are available in the CJEU press release (pdf) and the full text of the judgment.

About Privacy Shield

The EU-US Privacy Shield is a self-certification framework agreed between the US Department of Commerce and the European Commission, and was one of the mechanisms deemed adequate to enable the transfer of EU personal data to the US.


Chapter 1

Key elements of the CJEU decision

The EU-US Privacy Shield Framework is invalid.

The CJEU underlined that, in order to meet the adequate level of protection requirement, the receiving country must ensure, by reason of its domestic law or its international commitments, a level of protection essentially equivalent to that provided in the EEA.

Organizations can no longer rely on Privacy Shield as a mechanism for cross-border data transfers from the EU to the US. The CJEU’s reasoning for the invalidation of Privacy Shield was twofold:

  • US law gives US authorities the right to collect personal data about EU data subjects without adequate safeguards.
  • EU data subjects lack effective means to seek redress against the US government.

SCCs remain valid

The CJEU’s decision in Schrems II also creates considerable uncertainty around another legal mechanism that legitimizes transfers of personal data out of the EU: Standard Contractual Clauses (SCCs). The SCCs are a standard set of contractual terms and conditions that are preapproved by EU Data Protection Authorities and that require both the exporter and importer of personal data to offer an equal level of protection for EU personal data and to extend rights of redress, including recognizing the EU data subject as a third-party beneficiary to the contract with a corresponding right to enforce.

The CJEU upheld the validity of the SCCs, but noted that transferred data must receive an equivalent level of protection provided by the GDPR and the EU Charter of Fundamental Rights.

Increased supervisory authority oversights

Supervisory authorities responsible for enforcing the GDPR may suspend or prohibit SCC-based, cross-border data flows if they determine that the SCCs are not (or cannot be) complied with and that the required protections cannot be ensured by other means.


Chapter 2

How organizations should respond

With no grace period, those previously relying on the Privacy Shield should act immediately.

Evaluate risk exposure and potential impacts

With no grace period in place, organizations should immediately evaluate their risk exposure, identifying all personal data flows originating from the EU, as well as any data flow that processes EU citizen personal information. They should prioritize flows to the US and other jurisdictions in which the organization operates and that do not have an adequacy decision by the European Commission.

Countries deemed adequate by the European Commission are jurisdictions where personal data can flow from the EU to that country without any further safeguards being necessary.

Once at-risk personal data sets are identified, organizations should evaluate the impact to their business if the EU personal data set were no longer accessible, which may include material disruption to business operations, degradation of business intelligence analytics and breach of contract. Legal counsel will require this detail to support risk-informed decisions on actions that may include agreeing with data exporters on alternative transfer mechanisms or additional protections for EU personal data.

Shift to transfer mechanisms still valid under GDPR

All organizations that transfer personal data outside the EEA will need to rethink their strategy when it comes to transferring personal data of EEA citizens to non-EEA countries, and to the US in particular. Since approved certifications and codes of conduct are not yet fully operational, and since derogations usually do not apply, this mainly equates to SCCs and Binding Corporate Rules (BCRs).

Depending on features of the local legal system in third countries, transferring entities will need to establish additional safeguards where an equivalent level of protection cannot be guaranteed, for example, if access to personal data by public authorities is not balanced according to EU expectations.

Assess SCCs on a case-by-case basis

Organizations relying on SCCs must now assess whether the level of protection is adequate on a case-by-case basis. Relevant considerations for this include, but are not limited to, any additional contractual provisions that may apply and any applicable third-country laws that give the government access to the transferred data.

BCRs

Notably, BCRs were not addressed as part of the Schrems II decision. BCRs may only be used for intracompany transfers (or transfers between enterprises engaged in a joint economic activity) and must first be approved through a stringent process by multiple data protection authorities.

Organizations also may look to consent, necessity and other derogations outlined under Article 49 of the GDPR that allow for personal data transfers. However, regulatory guidance from the European Data Protection Board has construed these derogations very restrictively, and organizations should approach them with caution.

Transfer of aggregated data

One strategy immediately available to address the sudden loss of data transfers under Privacy Shield is the transfer of aggregated data.

Many organizations have long aggregated or de-identified data before transfer, provided the fidelity of the aggregated data is established, where the ultimate purpose of the data is study or analytics (for example, transferring financial transactions for the purpose of aggregating them and balancing finances at the end of a business day). This approach avoids the need to rely on Safe Harbor, Privacy Shield, SCCs or BCRs.


Chapter 3

Privacy risk as a data disrupter

How organizations can manage uncertainty and an expanding risk landscape

While the CJEU’s decision provides a bright-line determination on the validity of Privacy Shield, it has simultaneously created considerable uncertainty in other areas, such as the adequacy of the SCCs and the prospect of more enforcement with the potential for significant fines under the GDPR penalty regime.

With this uncertainty and expanding risk landscape, there comes a greater need for a cross-functional contingent of corporate stakeholders (including legal, risk management, compliance, marketing data management, information security and internal audit teams) to assist in navigating the immediate challenges created by the decision and the impact on an organization’s data strategy.

Teams should build resiliency to privacy change, focusing on controls that provide the right level of protection for personal information in alignment with risk appetite while maintaining flexibility to support the data needs of the organization.

Organizations should expect increased scrutiny by EU Data Protection Authorities in response to this decision and be ready to demonstrate to regulators and third parties how privacy controls are designed and operating effectively – and be ready to demonstrate compliance with all aspects of the GDPR, not just cross-border data transfer requirements.


Chapter 4

Key takeaways for EU organizations

What should EEA-based organizations consider as they evaluate this decision’s impact?

It is important to note that EU-based organizations, in their role as data exporter, remain responsible for ensuring adequate safeguards when transferring personal data to the US. This means that they cannot transfer the personal data when there are insufficient safeguards.

Especially in a controller-to-controller relationship, the suggested actions on both sides of the transfer are highly similar despite the geographical spread. Both US and EU organizations should align on defined actions, such as re-evaluating their data strategy, gaining insight into data flows, and strengthening identity and access management. The GDPR applies to both, and organizations should comply with its requirements.

However, while the GDPR applies in EU countries, US-based global companies should also consider local privacy regulations, such as the California Consumer Privacy Act (CCPA). This can sometimes lead to additional complexity and even conflict.


Chapter 5

Key takeaways for US organizations

What should US-based organizations consider when evaluating their response to the decision?

While organizations will need to replace Privacy Shield reliance with a new legal basis for transfers, it is important to note that existing Privacy Shield obligations remain enforceable by the US Federal Trade Commission. In a statement issued by the US Secretary of Commerce, Wilbur Ross affirmed that “today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

While the US Department of Commerce was quick to respond to the CJEU’s decision, expect the full response from the US to be lengthy and disjointed. The COVID-19 pandemic and upcoming presidential election are likely to stall any effort at comprehensive privacy legislation at the federal level until 2021 at the earliest.

In the absence of meaningful action at the federal level, individual states may seek adequacy with the EU. Particular attention should be paid to California, which continues to make comprehensive data protection a priority. In recent months, the CCPA has come into force, and the state saw the successful ballot initiative for the California Privacy Rights Act of 2020 (CPRA). That being said, California (and other US states) face an uphill battle in obtaining EU adequacy: if passed, CPRA is not scheduled to come into force until 2023, which would mean significant time before an adequacy decision is made, requiring additional measures to be implemented to fill the vacuum left by Privacy Shield.


Chapter 6

The cost of noncompliance

Organizations should consider the cost of inaction.

As of writing, no grace period has been identified for compliance with the CJEU’s decision in Schrems II, and there is consensus that all access and transfers since invalidation could be considered a violation of the GDPR, subject to fines amounting to the greater of €20m or 4% of worldwide revenue. Additionally, the stigma of noncompliance has the potential to damage the reputation and brand equity of the 5,400 firms registered for the Privacy Shield, as well as threaten customer loyalty, especially in the EU. Financial costs aside, organizations will need to carefully assess the compliance and reputational risks of noncompliance in light of these developments.

The views of third parties set out in this publication are not necessarily the views of the global EY organization or its member firms. Moreover, they should be seen in the context of the time they were made. EY member firms do not practice law in the United States and no legal advice will be provided in the United States.

Summary

On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield Framework for personal data sharing, having far-reaching consequences for all organizations that rely on this mechanism to legitimize their cross-border data flows to the US. All organizations that transfer personal data outside the European Economic Area will need to rethink their data strategy when transferring personal data to third countries, and to the US in particular. Without a grace period in place, organizations previously relying on Privacy Shield should act immediately.
