On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a decision in which it: (1) invalidated the EU-U.S. Privacy Shield framework as a legal basis for transferring personal data from the EU to the U.S.; and (2) upheld the validity of Standard Contractual Clauses as a mechanism for transferring personal data out of the EU in general, but arguably called into question whether such Clauses remain a viable compliance mechanism for transferring personal data from the EU to the U.S.
The CJEU’s decision to invalidate the Privacy Shield framework has upended the cross-border data transfer strategies of many companies. In this First Alert, we analyze the impact of the CJEU’s decision and offer compliance suggestions and next steps for
The EU’s General Data Protection Regulation (GDPR) places a general prohibition on the transfer of personal data from the EU to countries outside the EU (referred to as “third countries”). The GDPR allows such international transfers only if the transferring party has implemented certain approved safeguards to protect the transferred data (e.g., Standard Contractual Clauses) or if the European Commission has determined in an “adequacy decision” that the third country to which the data is being transferred provides adequate safeguards to protect the privacy rights of data subjects in the EU. The U.S. is not deemed by the European Commission to be a country that provides “adequate” privacy safeguards.
Privacy Shield is a framework that was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism by which to comply with the data protection requirements of EU law, including the GDPR, when transferring personal data from the EU to the U.S. Companies participating in Privacy Shield must publicly commit to comply with the “Privacy Shield Principles” through self-certification, and such compliance becomes enforceable under U.S. law by the U.S. Federal Trade Commission or the U.S. Department of Transportation. Once certified under Privacy Shield, companies were permitted to transfer personal data to the U.S. under the European Commission’s Decision (EU) 2016/1250, which is the Commission’s “adequacy decision” that upheld Privacy Shield as providing adequate protection under EU law.
THE CJEU’S DECISION
Privacy Shield Invalidated
The CJEU invalidated the European Commission’s 2016 adequacy decision which, from a practical standpoint, means that Privacy Shield certification no longer serves as a viable legal basis for transferring personal data from the EU to the U.S. The CJEU considered several perceived shortcomings of Privacy Shield and ultimately concluded that because U.S. public authorities, acting under U.S. surveillance laws, have wide-ranging access to personal data that are received by companies certified under Privacy Shield, such personal data are not subject to the full protections that exist under EU law. In particular, the CJEU found that access to transferred data by U.S. public authorities is not subject to the principle of “proportionality” and is not limited to what is strictly necessary. The CJEU also found that there is no mechanism that enables data subjects to bring complaints about the processing of their personal data, and obtain redress, in a manner equivalent to the rights that exist under EU law.
Validity of Standard Contractual Clauses
The CJEU upheld Standard Contractual Clauses as a valid compliance mechanism for the transfer of personal data out of the EU in general. In doing so, however, the CJEU highlighted the existing obligation of both the exporter and the importer to verify, prior to moving forward with the transfer, whether the expected level of protection can be obtained in the third country. The data importer also must inform the exporter of any factors (including the laws of the third country) that would prevent the importer from complying with the express terms of the Standard Contractual Clauses. Should such factors exist, the data exporter is obligated to suspend the transfer and/or terminate the contract with the data importer. If the exporter fails to act, then the applicable supervisory authority is required to intervene.
With respect to data transfers to the U.S., the CJEU’s rationale for invalidating Privacy Shield raises questions about whether Standard Contractual Clauses remain a viable compliance mechanism for such transfers. As noted above, the CJEU invalidated Privacy Shield based upon its finding that U.S. privacy and surveillance laws do not adequately protect the rights of EU data subjects. Because those same concerns apply equally to data transferred under Standard Contractual Clauses, some privacy experts are speculating that data transfers from the EU to the U.S. will need to come to an immediate halt. Others believe that Standard Contractual Clauses are still a viable option and may be the only practical alternative to Privacy Shield for many companies.
WHAT COMPANIES SHOULD DO
Companies should conduct a risk assessment to determine whether their cross-border data transfers comply with EU law and the CJEU’s decision. In particular:
Halt Privacy Shield Transfers Immediately: Where Privacy Shield is the only legal basis upon which data are being transferred out of the EU, all such transfers should be halted immediately.
Revise Existing Contracts: Companies that relied upon Privacy Shield or committed to comply with that framework in contracts with customers, vendors, etc., should revise those contracts as appropriate.
Revise Privacy Notices: Companies that committed to Privacy Shield compliance in their privacy notices or other public disclosures should revise such documents as appropriate.
Contact Customers: Business-to-business service providers that relied upon Privacy Shield should consider proactively contacting their customers to discuss plans to adopt a new data transfer mechanism that complies with EU law.
Continue Compliance With Privacy Shield Certification Commitments: The U.S. Department of Commerce has indicated that it will continue to enforce the Privacy Shield Principles against “active” participants. Companies should consider withdrawing as a participant or declining to renew if the EU and U.S. do not quickly identify a way to salvage the Privacy Shield framework. Note, however, that the U.S. Department of Commerce has already indicated that it intends to work with the European Commission and the European Data Protection Board to attempt to limit the negative consequences of the CJEU’s decision on transatlantic data flow.
SEC Disclosures: Public companies in the U.S. should update, or consider adding, specific risk factor disclosures in SEC filings regarding cross-border data transfer restrictions. Other companies disclosing risks in investor prospectuses should consider making similar disclosures.
Consider Alternative Mechanisms for Cross-Border Data Transfers: Companies that have relied upon Privacy Shield to transfer data from the EU to the U.S. should identify an alternative legal basis to do so (see discussion below).
Consider Guidance From DPAs: The various data protection authorities located throughout the EU will likely publish statements on the legality of transferring data to certain countries on the basis of Standard Contractual Clauses in light of the CJEU’s decision.
Watch for Updated Standard Contractual Clauses: Although the CJEU declared the use of Standard Contractual Clauses to be valid, it is possible that the European Commission could issue an updated set of Clauses to address the risks identified by the CJEU in its decision.
ALTERNATIVE TRANSFER MECHANISMS
Companies should take inventory of all existing data transfers and identify a legal mechanism by which such transfers can be made in compliance with EU law. Consider the following:
Standard Contractual Clauses: Standard Contractual Clauses contractually impose certain GDPR-like compliance obligations on recipients of data transferred outside the EU. Such Clauses are relatively simple to implement and can provide an appropriate solution for many businesses that are now unable to rely on Privacy Shield. That said, the CJEU’s decision made clear that the validity of Standard Contractual Clauses is not absolute. The CJEU noted that controllers and processors should provide additional safeguards to those offered by the Clauses in order to ensure adequate protection of the personal data in the third country. Companies should consider adding language to their Standard Contractual Clauses that addresses such concerns, including how the recipient company will handle government requests for access to personal data.
Binding Corporate Rules: Binding Corporate Rules are a possible solution for intragroup personal data transfers. Although Binding Corporate Rules offer greater flexibility than Standard Contractual Clauses, they require preapproval from EU data protection authorities. It can take several years to obtain approval, so Binding Corporate Rules are certainly not a quick fix for the invalidation of Privacy Shield.
Derogations: The GDPR sets forth several derogations from the general prohibition on transfers of personal data outside the EU, intended for specific, non-recurring situations. Such derogations include situations in which the affected data subject explicitly consents to the data transfer after being informed of the risks. Because these derogations are intended for non-recurring transfers, they must be analyzed for every transfer of personal data and are generally not suitable as a basis for systematic, ongoing transfers.
Calfee’s lawyers practicing in the area of Privacy and Data Security are available to assist your company in determining the necessary steps to take to comply with the CJEU's decision. Please contact one of the attorneys listed below or a member of the Privacy and Data Security practice group.