US-EU Privacy Shield Perforated – GDPR after Schrems II

On July 16, 2020, the European Court of Justice (ECJ – the European Union’s high court) invalidated the EU-US Privacy Shield Framework as a potential mechanism for meeting the GDPR's cross-border personal data transfer restrictions. Effective immediately, U.S. companies that process EU “personal data” can no longer rely on registration under the Privacy Shield and must establish an alternative legal basis for any continued EU-US transfers. Previously, cross-border transfers to the US were permitted under three mechanisms: 1) the Privacy Shield (http://privacyshield.gov), 2) Standard Contractual Clauses (SCC), and 3) Binding Corporate Rules (BCR).

The Privacy Shield was originally developed in response to a 2005 ECJ decision invalidating the “US-EU Safe Harbor Framework,” an earlier agreement to permit U.S. companies to process EU personal data in a way that protected EU privacy rights. Privacy Shield, administered by the Federal Trade Commission, allowed companies self-certify compliance and was generally considered a workable GDPR solution for U.S. companies that processed (touched) EU personal data.

Impacts

The decision has made waves not just because it declares that any cross-border transfer of personal data under the Privacy Shield is illegal but because it has immediate effect. According to a FAQ issued by the European Data Protection Board on July 24, 2020, “(t)ransfers on the basis of this legal framework are illegal,” and there is no “grace period.”

The Federal Trade Commission and Department of Commerce have already conceded the impact of the Schrems II decision. Curiously, the FTC has not yet provided an easy exit ramp for U.S. companies that presumably joined the Privacy Shield program to achieve GDPR compliance. The FTC’s July 21, 2020 announcement stated:

We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.

The Department of Commerce published a FAQ on July 31, 2020 containing a statement that it will at least attempt to mitigate the impact of the ECJ ruling,

The United States remains committed to working with the EU to ensure continuity in transatlantic data flows and privacy protections. The U.S. Department of Commerce has been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hopes to be able to limit the negative consequences of the decision to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.

but otherwise abdicates responsibility for devising an interim solution to the interruption of data flows. Commerce states, “If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.”

What about Standard Contractual Clauses? Is Schrems III next?

The ECJ ruling in Schrems II concerned defects in Privacy Shield protections. Under EU law (implemented by the GDPR), privacy rights are fundamental rights. Centrally, the Schrems II ruling held that U.S. law, specifically Section 702 FISA and EO 12333, did not ensure an essentially equivalent level of protection for those privacy rights. While the ECJ did not directly rule on the validity of SCCs or BCRs , privacy professionals including plaintiff Mr. Schrems himself, opine that the current reach of U.S. surveillance laws (e.g., warrantless surveillance) is beyond the control of any contractual protections and thus would fail under the same analysis used by the ECJ in the Schrems II decision.

The European Data Protection Board FAQ  published July 24, 2020 stated that the validity of continued use of SCCs depends on whether there are available effective mechanisms, “that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.”

The upshot of the European Data Protection Board guidance is that the obligation (and risk) of compliance is placed on, “a data exporter and the recipient of the data (the ‘data importer’) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned, and that the [existing law] requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.”

Thus, in the wake of Schrems II, existing SCCs and BCRs may also be vulnerable. U.S. companies must evaluate the new risks and determine whether some “supplementary measures” are necessary. Without such measures, data exporters will be under pressure to suspend or terminate contracts with U.S. companies.