Privacy Shield Dies, SCCs Survive (With a Catch): CJEU
Today the Court of Justice of the European Union (“CJEU”) ruled that:
- The EU-U.S. Privacy Shield framework (“Privacy Shield”) is no longer a valid mechanism for exportation of personal data from the European Economic Area (“EEA”) to the United States. This is primarily because, in the CJEU’s view, the Privacy Shield fails to remedy two problems with aspects of the legal framework for U.S. intelligence collection: (i) U.S. law gives U.S. authorities the right to collect personal data about non-U.S. persons without sufficient safeguards and (ii) such individuals have no effective manner to seek redress against the U.S. government in U.S. courts.
- The controller-to-processor Standard Contractual Clauses (“SCCs”) (which were first issued in an annex to decision 2010/87/EU) can still be used as a mechanism for exporting personal data from the EEA to outside the EEA, but only if the transferred personal data receives a level of protection essentially equivalent to that provided by the GDPR and the EU Charter of Fundamental Rights.
- The data exporter and the data importer that seek to rely on the SCCs are responsible for assessing whether the level of protection is adequate, and they must take all relevant facts into consideration, including (i) any additional contractual provisions that may apply to the importer, (ii) subsequent transfers of personal data by the importer, and (iii) the domestic laws applicable to the importer, including in particular any legal requirements that give the importer’s government access to the data, such as those mentioned in paragraph 1 above.
- European data protection authorities charged with enforcing the GDPR must suspend or prohibit ongoing SCC-based data flows to companies outside the EEA when they conclude that the SCCs are not or cannot be complied with in the destination country and that the requisite level of protection cannot be ensured by other means.
The decision is available here. The case arose from a complaint by Facebook user Max Schrems to the Irish Data Protection Commission (“DPC”), demanding that the DPC order the suspension or prohibition of the transfer by Facebook Ireland of his personal data to Facebook Inc. (in the U.S.) based on the SCCs in place between those two companies.
The CJEU found that Section 702 of the U.S. Foreign Intelligence Surveillance Act, and Executive Order 12333, which grant U.S. intelligence authorities broad rights to access data held by certain categories of U.S. companies, and data that is outside the United States, respectively, do not contain adequate protections for non-U.S. persons whose personal data may be transferred to the U.S. The CJEU also found that the protections provided to non-U.S. persons under Presidential Policy Directive 28 and the EU-U.S. Privacy Shield did not cure these deficiencies.
While the CJEU declined to invalidate the SCCs in the same manner it invalidated the Privacy Shield, we believe the court’s decision will lead European data protection authorities to conclude that, at least in some situations, the SCCs alone do not remedy these deficiencies either, since SCCs impose no access restrictions on U.S. intelligence authorities. Moreover, collection of data under Section 702 or pursuant to EO 12333 is not connected to a method by which a European could seek redress against the U.S. government. It is true that the SCCs allow the exporter to terminate its contract with the importer when it becomes aware that U.S. law prevents the importer from complying with its obligations under the SCCs (such as the obligation to permit governmental access only when the access is the sort “necessary in a democratic society” as conceived by EU authorities). However, by the time the exporter reaches that conclusion, the data horse is often already out of the importer’s barn. The situation is made more complicated by the fact that the specific identities of companies that are subject to orders under Section 702 are classified. (Given security requirements, there is no publicly available and complete list of companies that have received orders under Section 702.)
In an initial reaction, the DPC stated:
“So, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
Consequences and takeaways from this decision include:
- U.S. data importers that hold a Privacy Shield certification still are legally obligated to comply with Privacy Shield with respect to data that was received pursuant to Privacy Shield (and under any promise made to consumers or business partners that this level of protection would be provided), given that they committed to uphold these principles and include such promises in their Privacy Policies. Failure to continue complying with these principles could subject them to an FTC or state AG investigation regarding unfair or deceptive acts or practices.
- There will be an immediate push to rely more on SCCs in place of Privacy Shield, as they are relatively easy to put in place, although it is clear that implementing SCCs must be more than just a “check the box” exercise, and that companies wishing to rely on SCCs for continued data transfers must carefully consider the importer’s ability to comply with all provisions in the SCCs and any additional safeguards they could put in place to protect the personal data.
- The additional safeguards that some exporters may attempt to add include one or both of the following, among others:
- Requiring the importer to represent that it is not the type of company that can be required to disclose data under Section 702 (i.e., that it is not an “electronic communication service provider” as defined here).
- Encrypting the data prior to transfer to the importer, and not sharing the decryption key with them (which is only a practical option for certain sorts of transfers, such as transfers to a data backup provider).
- U.S. service providers (and those in other countries with surveillance laws that have aroused suspicions) will face pressure to offer an EEA-based data center option to which the U.S. entity has no access, which would help avoid the need for SCCs in the first place.
- Exporters may also want to explore whether other data transfer mechanisms (such as binding corporate rules or relying on a specific transfer derogation) permitted under the GDPR are viable.
- The Swiss-U.S. Privacy Shield, which was not the subject of today’s decision, may be the next to fall, but the Swiss Federal Data Protection and Information Commissioner has indicated only that it is examining the decision.
- U.S. companies that have been rumored to be subject to U.S. surveillance under the laws mentioned in the CJEU decision will likely experience the most pressure from users and counterparties and will probably be among the first targets for investigation and enforcement by the European authorities.
We expect to provide further updates and thoughts on our blog and social media as the dust settles from this landmark decision.