
Court of Justice of the European Union strikes down Privacy Shield, but upholds Standard Contractual Clauses

On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union, struck down the Privacy Shield, an agreement that permitted companies operating in the European Union (EU) to transfer data to the United States without running afoul of the EU’s General Data Protection Regulation (GDPR). In short, the court held that the United States’ reliance on broad digital surveillance is incompatible with European data protection and privacy standards, including GDPR. The decision left intact – though not unscathed – the Standard Contractual Clauses (SCCs) that many companies rely on as a legal basis for transferring personal data from the EU to the U.S.

Background

The case, known colloquially as “Schrems II” (named after Max Schrems, an Austrian lawyer and privacy advocate), involved Facebook and, more specifically, how Facebook (and other companies) are permitted to transfer data from the EU to the United States. In 2015, Schrems complained to the Irish Data Protection Commissioner that Facebook should not be permitted to rely on SCCs when transferring personal data to processors outside of the EU because such language does not comport with EU data privacy standards. Schrems’ original ask to the Irish Data Protection Commission was to halt the use of SCCs. The Irish Data Protection Commission did one better, referring a number of questions to the EU’s highest court, the most significant of which has to do with the legality of the EU – U.S. Privacy Shield.

What was the Privacy Shield?

The Privacy Shield program was designed jointly by the U.S. government, the European Commission and the Swiss Administration as a mechanism by which U.S. and European companies could comply with data protection requirements when transferring personal data from the EU (and Switzerland) to the United States. In essence, companies in the United States could register with the U.S. Department of Commerce, the federal body tasked with overseeing the Privacy Shield, and agree to abide by European data protection rules with respect to any data shared from the EU. Of note, the Privacy Shield’s predecessor, known as Safe Harbor, was scrapped by the same court in October 2013 following a challenge from Schrems (“Schrems I”).

What did the court say?

Despite not having to do so in order to resolve the issue specifically raised by Schrems, the court invalidated the Privacy Shield. The Privacy Shield, as the court saw it, failed to provide adequate protection of EU personal data when transferred to the U.S. The court cited U.S. domestic laws, specifically national security laws, which allow for broad data collection practices, as a basis for finding that the Privacy Shield was insufficient to protect EU personal data.

The court did not, however, invalidate the use of SCCs as a basis for trans-Atlantic data transfers. The court did note that while SCCs may provide sufficient protection of EU personal data, such protection is not a guarantee simply by virtue of using an SCC. In essence, the court stated that organizations relying on SCCs are obliged to evaluate whether the jurisdiction receiving EU personal data offers an “adequate level of protection” for such data.

Next steps

Though the issues in Schrems II are nuanced, if you currently share personal data between the EU and U.S., it is critical to revisit the stated legal basis for such a transfer. Of note, the court did not address the GDPR’s Binding Corporate Rules, which remain a valid legal basis for data transfer, if they are applicable in your situation. If part of your legal basis includes reliance on the now-defunct Privacy Shield, it is equally critical to review the SCCs to determine whether they may fit your information sharing needs. However, while moving away from Privacy Shield is the first step, do not overlook the court’s admonition that a country receiving EU personal data must have an “adequate level of protection” for such data. Finally, while SCC language is easily available online, be mindful that legally sufficient language is easy to adopt, but operationalizing that language may prove more difficult.
