The European Court of Justice Invalidates the EU-US Privacy Shield Framework

On July 16, 2020, the European Court of Justice (“CJEU”) published its decision in the case of Data Protection Commissioner v. Facebook Ireland Ltd., Schrems (“Schrems II”), invalidating the EU-U.S. Privacy Shield Framework (“Privacy Shield”). The Privacy Shield was established between the U.S. Department of Commerce, the European Commission, and the Swiss Administration as a GDPR-compliant mechanism for certifying businesses to transfer personal data from the EU and Switzerland to the U.S. As a result of the CJEU ruling, effective immediately, businesses are not entitled to rely on a Privacy Shield certification to transfer personal data of EU residents from the European Economic Area (“EEA”) to the U.S. In contrast, the CJEU upheld the validity of Standard Contractual Clauses (“SCCs”) as a basis for transferring such personal data from the EEA to third countries; however, businesses must now verify on a case-by-case basis whether the law of the target third country ensures adequate protection, as assessed under EU law, of the transferred personal data.

What U.S. Businesses Need To Know About The New CJEU Ruling

The General Data Protection Regulation (“GDPR”) prohibits the transfer of personal data from the EEA to non-EEA countries unless the transfer meets specific safeguards. Businesses can no longer rely on a Privacy Shield certification to transfer personal data of EU data subjects from the EEA to the U.S. Businesses that currently certify to the Privacy Shield are not relieved from their Privacy Shield obligations, though, meaning that businesses must still continue to comply with the Privacy Shield requirements until further notice. Businesses relying on their Privacy Shield certification should consider alternate methods of cross-border data transfers, such as: 

  • Standard Contractual Clauses (“SCCs”). SCCs are enforceable contracts between the EEA data exporter and the non-EEA data importer, which impose obligations on the parties and offer data subjects direct recourse if their personal data is not adequately protected. Notably, as a result of Schrems II, businesses in some industries (such as telecommunications) must evaluate whether SCCs are available for the legal transfer of personal data from the EEA to the U.S.
  • Binding Corporate Rules (“BCRs”). BCRs are data protection policies adopted by multinational businesses and their affiliates to allow the transfer of personal data from the EEA to their affiliates in non-EEA countries. BCRs are not practically feasible for many businesses due to the requirement that the competent data protection authorities in the EU approve BCRs prior to data transfers.
  • Derogations. Personal data may be transferred from the EEA to the U.S. under one of several specific circumstances listed in Article 49 of the GDPR, which include (among others) transfers necessary to perform contractual requirements, pursuant to explicit consent of the data subject, or in the public interest. These derogations are construed narrowly and are designed to provide a legal basis for non-persistent transfers.

Consider The Necessity Of EEA Cross-Border Data Transfers

Schrems II reaffirms the EU’s longstanding concerns about cross-border transfers of EEA data subject personal data, including employee data, to non-EEA countries. Given these concerns, businesses should take this opportunity to assess their data transfer practices and to determine whether cross-border data transfers from the EEA continue to be necessary.

Expect Volatility

As a result of this CJEU decision, businesses should expect significant legal and regulatory activity in the area of EEA cross-border data transfers in the coming months. Diplomatic solutions, legislative changes, judicial decisions, and enforcement practices—among other variables—are expected to inform or change available methods for legally engaging in cross-border personal data transfers from the EEA.

 


If you have questions about these developments, please contact Julia Hesse* or Elizabeth Powers**. Along with associates Preston Bruno* and Ellen Choi*, we can address your questions in collaboration with EEA local counsel.

*Admitted in Massachusetts only
**Admitted in Massachusetts and California