Schrems II: Where Do We Go From Here?
The Court of Justice of the European Union (CJEU) delivered its judgment in the “Schrems II” case on July 16, 2020, dealing with challenges to the two principal mechanisms for transferring personal data from the European Union to the United States and other countries: the EU-US Privacy Shield Framework and the EU-approved Standard Contractual Clauses (“SCCs”). In the latest expression of long-running European dissatisfaction with the US government’s covert surveillance of trans-Atlantic communications, the CJEU annulled the four-year-old European Commission decision approving the Privacy Shield program, which means that data transfers to its more than 5,300 US participants no longer satisfy the requirements of the EU General Data Protection Regulation (GDPR). Alternatives are available, but they are more limited and also under pressure.
While it discarded Privacy Shield entirely, the Court upheld the validity of the Commission’s decision approving the use of SCCs, which are employed by thousands of companies to transfer data to the US and other countries. But the Court pointedly obliged the contracting parties and European data protection supervisory authorities to assess the adequacy of protection in the receiving country, after detailing the perceived deficiencies of the United States. The Court referred the present claim against Facebook back to the Irish data protection authority for such an assessment. The European Commission, meanwhile, signaled in its press conference on the decision that it is examining an overhaul of the SCCs and recognizes that transfers based on SCCs are now subject to further assessment by the regulators; the pressure is on the US government to improve transparency and recourse for non-US citizens. This is unlikely to happen in an election year.
In short, the CJEU judgment requires many organizations to reassess their processing of European personal data and make immediate changes in contracts, privacy notices, consent forms, and other arrangements.
GDPR Alternatives for Transborder Data Transfers
The EU General Data Protection Regulation (GDPR) includes in Article 44 a broad statement that personal data may be transferred to a “third country” (i.e., a country outside the European Union and, because the EEA Agreement extends the GDPR to them, outside the other members of the European Economic Area [EEA]) only if the “level of protection” guaranteed by the GDPR would not be “undermined.” (Note that remote access from abroad to data held on a server in the EU is also viewed as a data “transfer,” so a US support team reading records in a European data center triggers the same rules as shipping a copy of the data to the US.)
The succeeding GDPR articles provide alternative ways to meet that requirement for assuring the level of protection of European personal data:
Article 45 allows transfers based on an “adequacy decision” by the European Commission, when it concludes there is a similar level of protection in the laws of another country, such as Switzerland, Canada, and Japan or, until now, US companies certifying under the Privacy Shield program.
Article 46 allows transfers based on “appropriate safeguards,” such as an EU-approved code of conduct or the EU-approved SCCs.
Article 47 allows transfers based on binding corporate rules (“BCRs”) within a corporate group, approved by one or several of the European data protection supervisory authorities.
Article 49 lists other possible derogations. It allows transfers based on the informed, “explicit consent” of the individual data subject, “having been informed of the possible risks of such transfers” (49(1)(a)). It also allows transfers “necessary for the performance of a contract” with the data subject, or to enter into a contract with the data subject, or to perform a contract in the interest of the data subject. Transfers are also possible to establish or exercise legal claims, or for “important reasons of public interest” (in the relevant European country). The authorities tend to construe these derogations narrowly, however, and view them as secondary to the preferred alternatives of adequacy determinations or safeguards.
Privacy Shield
The Court rejected the Privacy Shield program because it found that the Commission’s approved safeguards accepted intrusive US government surveillance of European data that is incompatible with the EU Charter of Fundamental Rights. The Charter requires the state to limit its surveillance activities to what is “strictly necessary” and proportionate, and to provide for judicial recourse. The Court found that the US Foreign Intelligence Surveillance Act (“FISA”), in particular Section 702, together with the relevant Executive Order (EO 12333) and Presidential Policy Directive (PPD-28), did not meet European standards of proportionality, and that the Ombudsperson mechanism created under the Privacy Shield program did not satisfy the requirement for judicial review, because the Ombudsperson is neither independent of the executive nor empowered to issue decisions binding on the intelligence agencies.
There is no appeal from the CJEU, and while the European Commission has proclaimed its willingness to discuss revisions to the Privacy Shield and associated measures with its US counterparts, it is daunting to consider how such measures might be agreed and implemented in the last months of a fevered campaign season. The Court has set a difficult (and somewhat vague) standard for the diplomats, and they are unlikely to start work in earnest before early 2021. Business will have to look elsewhere for immediate solutions.
Standard Contractual Clauses and BCRs
The Commission’s SCC alternative remains valid, and Privacy Shield companies could promptly execute data transfer agreements (“DTAs”) with SCCs, with their vendors and customers and within corporate groups. These will have to be modified again, if and when the Commission updates the SCCs as promised to take full account of the GDPR.
More importantly, the contracting parties (and their regulators in Europe) must take seriously their obligation under the CJEU judgment to assess the adequacy of protection in the US, and it is not clear how they are to do that. Intelligence agencies such as the NSA are not exactly forthcoming about their targets and methods. Is it sufficient, for example, to argue that the data flows do not involve sensitive data, that they are encrypted, and that there is no known investigation or demand from law enforcement or any public agency? Encryption, at least, is only a meaningful safeguard against compelled access if the decryption keys remain outside the reach of the US recipient; a US importer that holds the keys can be ordered to decrypt, so encryption in transit alone does little to answer the Court’s concern. We will be looking for guidance from the Irish Data Protection Commission handling the Schrems case on remand from the CJEU, and from other opinions of European data protection authorities over the coming months. There is a very real possibility that some of these will be hostile to data transfers to the US in the current environment of trade wars and AI-enhanced surveillance.
The problem, of course, is that making such draconian decisions about data transfers to the US based on the possibility of US government surveillance threatens to call into question the widespread use of SCCs to cover data transfers to many other countries where there may also be government surveillance lacking in transparency, proportionality, and judicial recourse. China and Russia immediately come to mind, but the list readily expands. The best result for business would be acceptance of slightly updated SCCs for the long term, on practicable conditions, but there is no guarantee that this will be the outcome.
Binding corporate rules (“BCRs”) are presumably subject to the same caveats. They take longer to put into place than SCCs, because they require individual drafting and approval, but they similarly require a statement of policies and the creation of enforceable rights on behalf of the affected individuals. They are logically subject to the same objection that governments outside Europe may snoop. A corporate group with approved BCRs and US headquarters or operations would still need to satisfy the European regulators that it offered adequate protection in the US, under the Schrems II standard. No BCR challenge has reached the court yet, but there is no reason to think that the result for this safeguard would be substantially different than in the case of SCCs.
Other Alternatives
For many companies, it will make sense to promptly substitute SCCs for Privacy Shield. But it would also be wise to consider alternatives. Is there processing that could and should be limited to Europe? Are there applicable derogations such as consent or processing necessary for the performance of a contract? The derogations need to be well justified and supported – “explicit” and “informed” consent, and “necessary” processing for a contract. The Article 49 derogations do not rely on “adequacy” of protection, and it is untested whether that means they would avoid the Court’s critique of US deficiencies compared to the standard of the EU Charter of Fundamental Rights. But it would not hurt to have another legal ground available for transferring data, one that arguably does not depend on US legislation or diplomacy.
Beyond the EU
The Court’s decision in Schrems II may have far-reaching impacts beyond the EU. The Swiss-US Privacy Shield is an almost exact parallel to the EU-US Privacy Shield, and appeals will likely be made to the Swiss courts and data protection authorities to adopt the same reasoning as in the Schrems II judgment. From Argentina to Singapore, many countries with data protection laws on the European model authorize transfers to the US and other countries with dissimilar legal regimes based on contractual safeguards. Some of them (Switzerland and Israel are examples) explicitly accept transfers using clauses based on EU-approved SCCs. If the EU questions the adequacy of these contractual safeguards in the US context, there is a danger that other jurisdictions will do so as well. Post-Brexit, will the UK reconsider a Privacy Shield arrangement, and how will the UK Information Commissioner assess the adequacy of SCCs in contracts with US companies? If the UK does not maintain a position in harmony with regulators in the EEA on this subject, it could conceivably jeopardize data flows between the EEA and the UK, forcing it to choose between its relations with the US and with the Continent.
Organizations with trans-Atlantic customers and operations will have to be nimble, in the coming months, to keep data traveling while the visa rules keep changing.