On July 16, the European Court of Justice (CJEU) issued a highly-anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing a reminder about company responsibilities when implementing them.
As brief background, the EU General Data Protection Regulation (GDPR) requires that businesses have in place mechanisms that ensure an adequate level of protection for the personal data of EU data subjects when it is transferred to the United States. Until July 16, the available transfer mechanisms were Privacy Shield, SCCs, and Binding Corporate Rules. This case arose from a complaint, filed by Austrian privacy activist Max Schrems, with the Irish Data Protection Commission (DPC). Schrems alleged that the transfer of EU personal data to the U.S. via SCCs did not ensure an adequate level of protection (and therefore violated EU data subject rights) because U.S. law enforcement and government agencies were provided essentially unrestricted access to that data. The DPC then referred 11 questions to the CJEU about whether SCCs and Privacy Shield violate EU data subject rights, including the right to the protection of personal data, under the Charter of Fundamental Rights of the EU.
Schrems had followed the same process in 2015, and in that decision, the CJEU agreed with Schrems, holding that the data transfer framework that existed at that time (Safe Harbor) did not provide protection equivalent to that afforded within the EU, and therefore did not meet the adequacy standards for international transfers. As a result, the EU Commission agreed to replace Safe Harbor with Privacy Shield, which currently has over 5,000 participants. Most companies, including Facebook, switched to SCCs after that decision.
As the CJEU explains in the decision issued on July 16, although Privacy Shield provides an adequate level of protection for data transferred thereunder, it allows derogation from those protections “to the extent necessary to meet national security, public interest, or law enforcement requirements” and therefore “cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter [of Fundamental Rights].” As a result, Privacy Shield is invalid, effective immediately. The CJEU upheld SCCs as a valid transfer mechanism, but reiterated that companies cannot simply sign the SCCs and be done with them. Rather, they have an obligation to ensure that their privacy and security practices are in compliance with the requirements within the SCCs, and should therefore be sensitive to sharing any EU personal data with U.S. law enforcement and government agencies.
An appeal is possible, and could result in a different outcome, but Schrems is pleased with the CJEU decision. In the meantime, please reach out for any assistance implementing, or confirming that your practices are in compliance with, SCCs.