The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union ("CJEU") issued its decision in the so-called "Schrems II" case. If you need some background on the case, you can find our original blog post on the case here.
The two main takeaways of the Schrems II decision are:
1. The CJEU invalidated the EU-US Privacy Shield framework.
2. The CJEU reaffirmed the validity of standard contractual clauses ("SCCs").
While the validity of SCCs was upheld, and SCCs remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection. Where the country doesn't, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured.
Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (which we'll leave unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a "partial adequacy decision" falling under GDPR Article 45. In short, then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of the EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.
That's all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased) through a two-year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU's invalidation of the Safe Harbor.
So what does all this mean for US businesses that had relied on the Privacy Shield? Not much over at least the next week or two, and likely longer. Contracting counterparties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs. The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations.
If US and EU negotiators can't work together to fix this soon, companies will need to start looking at alternatives to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49. Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven't already:
- adopt a risk-based technical and administrative data protection program,
- take the time to actually implement that program ("saying" it is one thing, "doing" it is another),
- tell your employees and customers what you're doing with the data you collect about them and why,
- give your employees and customers some degree of access to, and autonomy over, that data,
- keep a close eye on third parties (including vendors) with whom you share that data, and
- respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.