On 16 July 2020, in the Schrems II case, the Court of Justice of the European Union (CJEU) ruled that, while Standard Contractual Clauses (SCCs) remain valid, the EU-US Privacy Shield is an invalid data protection regime for data flows protected by the European Union’s General Data Protection Regulation (GDPR). What does that mean?
In essence, any “offshoring” of data from the EU to the US that was being effected through the protection of the Privacy Shield regime is no longer valid. Those companies that were moving data from the EU to US-based branches, processors, storage, or other service providers under the auspices of the Privacy Shield regime are no longer allowed to move that data. They can, however, continue to move the data if they enter into and suscept themselves to the EU Standard Contractual Clauses (SCCs) instead (at least for now, see below). Organizations also have the option to enter into Binding Corporate Rules (BCRs), but approval for BCRs will not provide a quick solution since they take time.
This is a moment for companies engaged in the offshoring of data to review their agreements with their data processors to check on whether they were relying on the Privacy Shield. Any such reliance should end immediately and data offshoring should not resume until appropriate data processing agreements enacting the standard contractual clauses can be obtained. Companies that have not mapped their data should use this decision as an impetus to conduct a data mapping exercise as they review their contracts to ensure that everything is in order under this new ruling. Companies that have already engaged in this exercise should be able to quickly ascertain whether the Schrems II decision impacts any of their data flows and take appropriate action accordingly.
Lingering Concerns
In the wake of Schrems II, SCCs have been approved as a valid data transfer mechanism; however, concerns remain as to whether they will offer sufficient protection for the transfer of data from Europe to the United States. Essentially, in approving the SCCs, the Schrems II court stated that SCCs were allowed so long as both the sending and receiving party could ensure that the data will receive the same degree of privacy protection afforded by EU law. This remains an unanswered question in regard to how SCCs work in the EU-US context because of the breadth and depth of information that might potentially be accessible to the government under US surveillance laws.
Recently, Ireland’s privacy regulator, the DPC, sent the social media giant Facebook a preliminary order to suspend its data transfers to the US. Confirmation of the order from Facebook came via VP Nick Clegg in a blog post. This has raised the level of uncertainty surrounding SCCs as the mechanism for effecting data transfers from the EU to the US. In his 9 September 2020 post, Clegg wrote, “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
The international technology community will be watching the Facebook situation closely. There has been mention of work toward an enhanced privacy shield, but the underlying issue is US surveillance law. It appears that changes to those laws are what the EU would need to see in order to confidently approve of either SCCs or a new, enhanced Privacy Shield. The move to order Facebook to stop its data transfers suggests that the DPC does not anticipate an outcome that approves of any transatlantic transfers in the current climate. However, the order is not yet finalized. Facebook has until 15 September to respond. If the DPC is not persuaded by Facebook’s response, it can then send a new draft of the order to the other European regulators for joint approval.
In his post, Clegg went on to request some leniency for companies in the interim, “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.” In the interim, many companies are examining all of the legal bases they might be able to rely upon in the event that the DPC decides SCCs are not enough. Indicators suggest that Facebook, for one, is also relying upon its contracts with its users as a legal basis.