Last week, on July 16, 2020, Europe’s top court invalidated the EU-US data flow arrangement called Privacy Shield. In a world with competing privacy regulations, many thousands of global businesses relied heavily on Privacy Shield to conduct their business across EU-US borders (there are 5,300+ current Privacy Shield participants, and the transatlantic economic relationship is valued at $7.1 trillion), so the decision sent shockwaves through the business and data privacy community. Further, the decision has implications that extend beyond the Privacy Shield framework, and beyond EU-US data transfers.
The decision arose from a case brought by Mr. Maximillian Schrems, an Austrian lawyer, who requested in 2015 that the Irish Data Protection Commissioner (the “Irish DPA”) order the suspension or prohibition, in the future, of the transfer by Facebook Ireland of his personal data to Facebook, Inc. (the latter being located in the United States), a case commonly referred to in the privacy community as Schrems II. (Notably, Schrems I was an earlier case brought by the same lawyer challenging Facebook’s transfer of personal data to the U.S. under a prior EU-US data transfer framework that had been determined adequate, the US-EU Safe Harbor framework, which was struck down as a result of that case. Following that, Facebook turned to Standard Contractual Clauses (SCCs) as a basis for cross-border data transfers, causing Schrems to file the Schrems II case. Thereafter, the Privacy Shield framework was established and determined adequate, providing a second basis for Facebook’s cross-border data transfers.)
In Schrems II, the grounds for review of Facebook’s cross-border data transfers were the United States’ digital surveillance policies and practices, including the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (which sanctions bulk data collection). Schrems argued that these U.S. surveillance practices are inconsistent with European fundamental rights giving citizens the rights to privacy and data protection, as set out in the EU Charter of Fundamental Rights, the European Convention on Human Rights, and several pieces of EU legislation, including the General Data Protection Regulation (specifically, Mr. Schrems called out Articles 7, 8 and 47 of the Charter). In other words, transferred EU personal data may be at risk of being accessed and processed by the U.S. government (e.g., the CIA, FBI and/or NSA) in a manner incompatible with privacy rights guaranteed in the EU, and if this happens, EU data subjects may have no right to an effective remedy. [Notably, while the original request was focused solely on the SCCs, the Court found the validity of the Privacy Shield Decision relevant to assessing the sufficiency of SCCs, and also to any obligations to which the supervisory authority may be subject to suspend or prohibit such a transfer. See, e.g., Decision at 25.]
In reaching its decision to invalidate the Privacy Shield, the European Court pointed out issues with the U.S. surveillance framework, as it applies to EU-US data transfers, such as (1) that “E.O. 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to FISA”; (2) “activities conducted pursuant to E.O. 12333 are not governed by statute”; and (3) “non-US persons are covered only by PPD-28, which merely states that intelligence activities should be ‘as tailored as feasible’.” See Decision at 14-15. The Court also pointed out, and focused quite heavily on, the lack of remedies for EU citizens whose rights have been violated as a result of US surveillance practices. For example, it pointed out that the Fourth Amendment to the U.S. Constitution does not apply to EU citizens; that the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are non-justiciable; and that the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter, and thus, U.S. law does not afford EU citizens the protection required. See Decision at 15, 29 (“the existence of such a lacuna in judicial protection in respect of interferences with intelligence programmes based on that presidential decree [E.O. 12333] makes it impossible to conclude, as the Commission did in the Privacy Shield Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.”).
With respect to SCCs, the European Court held that “the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.” See Decision at 22.
On the same day as the European Court issued its decision, U.S. Secretary of Commerce Wilbur Ross issued the following statement regarding the ruling: “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.” The full press release can be found here: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
The United Kingdom’s Information Commissioner’s Office made a similar statement, implicitly acknowledging that the impact of the Schrems II decision extends to all EU cross border data transfers, not just EU-US transfers under the Privacy Shield. A copy of the ICO’s statement can be found here.
Since the decision, the big headline has seemingly been two-fold: (1) SCCs survive, but (2) Privacy Shield has been invalidated. Respectfully, the first half of this is a half-truth. Companies proceeding with cross-border data transfers using SCCs or binding corporate rules should consult with counsel to assess the risk involved in their transfers and evaluate alternative transfer frameworks. Unless and until the United States changes its surveillance practices, including ceasing surveillance of in-transit data (i.e., data intercepted before it arrives in the U.S.) and providing EU data subjects with a right of redress regardless of the surveillance program to which their data is subject, the Schrems II decision puts nearly all EU-US data transfers at risk in industries subject to government surveillance. For companies that have received requests for information from U.S. law enforcement in the past, and who want to avoid risk, the safest way to proceed may be to (1) consider whether the data at issue is even needed in the first place, and (2) consider simply moving data processing for European data subjects to Europe. Other bases for data transfers, such as binding corporate rules and SCCs, could also be considered, but back-up plans should be in place, as proceeding under these frameworks could be risky in view of the Schrems II decision.
Companies should also take a close look at their history of, and policies and practices for, responding to requests for information from U.S. law enforcement, including: the number of requests the company has received; the number of user accounts the requests involved, and how many of those accounts belonged to EU data subjects; the types of requests the company received, e.g., subpoenas or search warrants; the records the company produced, and in which cases those records concerned EU data subjects; the bases for the requests (e.g., were they made pursuant to government surveillance programs that provide data subjects with a right to a remedy in the event their rights are violated, or pursuant to, e.g., E.O. 12333, which provides no such remedy); and whether, to the company’s knowledge, any EU data subject whose information was shared has ever contended that their rights were violated. The more information a company has to show that it has not provided information to U.S. law enforcement pursuant to surveillance programs that offer EU data subjects no remedy in the event their rights are violated, the safer footing the company should be on going forward with respect to its EU-US data transfer practices.
For companies that have not received requests for information from U.S. law enforcement pursuant to surveillance programs, the path forward has more options. While Privacy Shield has been struck down for all companies, it is likely that a new or revised framework will be designed and an adequacy decision will be sought for it (just as happened with Privacy Shield when Safe Harbor was struck down). In the interim, it is prudent for these companies to consider alternative data transfer frameworks (such as SCCs), and in the future, to take a “belt and suspenders” approach so that the business does not “hang its hat” on a single framework for cross-border data transfers (this is the lesson Facebook and numerous other companies learned, which is why they relied on both Privacy Shield and SCCs). Companies should also take a good look at the data they are processing, particularly with respect to EU data subjects, and ask whether it is even necessary, and whether processing in the U.S. is necessary. In some cases the answer may be “yes,” but the more a company can practice data minimization, particularly when cross-border data transfers are at issue, the safer it may be. Finally, just because your company has never received a request from U.S. law enforcement pursuant to a surveillance program does not mean you never will, particularly in certain industries, such as tech and telecommunications. You should plan for such requests before they happen.
If you need any help evaluating your company’s risks in view of the Schrems II decision, or determining best practices for going forward, please contact us at firstname.lastname@example.org.