On 16 July 2020, in the Schrems II case, the Court of Justice of the European Union (CJEU) ruled that, while Standard Contractual Clauses (SCCs) remain valid, the EU-US Privacy Shield is an invalid data protection regime for data flows protected by the European Union’s General Data Protection Regulation (GDPR). What does that mean?
In essence, any “offshoring” of data from the EU to the US that was being effected through the protection of the Privacy Shield regime is no longer valid. Those companies that were moving data from the EU to US-based branches, processors, storage, or other service providers under the auspices of the Privacy Shield regime are no longer allowed to move that data. They can, however, continue to move the data if they enter into and suscept themselves to the EU Standard Contractual Clauses (SCCs) instead (at least for now, see below). Organizations also have the option to enter into Binding Corporate Rules (BCRs), but approval for BCRs will not provide a quick solution since they take time.
This is a moment for companies engaged in the offshoring of data to review their agreements with their data processors to check on whether they were relying on the Privacy Shield. Any such reliance should end immediately and data offshoring should not resume until appropriate data processing agreements enacting the standard contractual clauses can be obtained. Companies that have not mapped their data should use this decision as an impetus to conduct a data mapping exercise as they review their contracts to ensure that everything is in order under this new ruling. Companies that have already engaged in this exercise should be able to quickly ascertain whether the Schrems II decision impacts any of their data flows and take appropriate action accordingly.
Lingering Concerns
In the wake of Schrems II, SCCs have been approved as a valid data transfer mechanism; however, concerns remain as to whether they will offer sufficient protection for the transfer of data from Europe to the United States. Essentially, in approving the SCCs, the Schrems II court stated that SCCs were allowed so long as both the sending and receiving party could ensure that the data will receive the same degree of privacy protection afforded by EU law. This remains an unanswered question in regard to how SCCs work in the EU-US context because of the breadth and depth of information that might potentially be accessible to the government under US surveillance laws.
Recently, Ireland’s privacy regulator, the DPC, sent the social media giant Facebook a preliminary order to suspend its data transfers to the US. Confirmation of the order from Facebook came via VP Nick Clegg in a blog post. This has raised the level of uncertainty surrounding SCCs as the mechanism for effecting data transfers from the EU to the US. In his 9 September 2020 post, Clegg wrote, “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
The international technology community will be watching the Facebook situation closely. There has been mention of work toward an enhanced privacy shield, but the underlying issue is US surveillance law. It appears that changes to those laws are what the EU would need to see in order to confidently approve of either SCCs or a new, enhanced Privacy Shield. The move to order Facebook to stop its data transfers suggests that the DPC does not anticipate an outcome that approves of any transatlantic transfers in the current climate. However, the order is not yet finalized. Facebook has until 15 September to respond. If the DPC is not persuaded by Facebook’s response, it can then send a new draft of the order to the other European regulators for joint approval.
In his post, Clegg went on to request some leniency for companies in the interim, “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.” In the interim, many companies are examining all of the legal bases they might be able to rely upon in the event that the DPC decides SCCs are not enough. Indicators suggest that Facebook, for one, is also relying upon its contracts with its users as a legal basis.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth