The Court of Justice of the European Union issued its decision in “Schrems II” Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Shield when transferring data to these organizations. Overnight, it seems the certainty of the conditions for the lawful transfer of this data has been removed.
Fortunately, the CJEU did not invalidate the European Commission’s standard contractual clauses for transfers to data processors. However, the rationale behind the court’s ruling on Privacy Shield (which focused on concerns about U.S. law and practice on government surveillance) would suggest that companies will need to evaluate their use of SCCs. In particular, companies will need to evaluate whether the SCCs provide sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country.
Historically, when the CJEU invalidated the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) in 2015, the EU data protection authorities collectively advised that they would observe a grace period on enforcement so that companies would have an opportunity to respond. As of the date of this writing, we haven’t received such welcome guidance from the European Data Protection Board, although individual DPAs, such as the U.K. Information Commissioner, have indicated that if companies are using Privacy Shield, they should continue to do so. Moreover, it is not clear what the timeline would be for the European Commission and U.S. government to remediate the infirmities in the Privacy Shield as found by the CJEU, although public statements from both sides suggest that they are in communication on these issues.
So, what now? For U.S. organizations participating in Privacy Shield, next steps can include the following.
Understand what personal data is covered
The first step is to understand what personal data transfers have been covered under the organization’s self-certification to Privacy Shield. Privacy Shield organizations can be data controllers with respect to internal human resources data (e.g., personal data about employees, job applicants, contractors and others of EU subsidiaries or operations), as well as customer data (e.g., corporate customer contacts, individual consumers, patients or the like) and data about other third parties (e.g., contacts for distributors, business partners, suppliers and the like). Privacy Shield organizations also can be data processors that act as vendors processing data about the consumers, patients and end-users of the organization’s corporate customers.
Develop a plan for each category of data transfer
The organization should develop a plan for how it will address each big-picture category of data transfer under Privacy Shield. There is no one-size-fits-all plan, but having one will help the organization focus its efforts, and it will also help in the event the organization needs to have a discussion with DPAs, customers, business partners, company data protection officers, works councils or others.
Evaluate whether implementation of SCCs can help
Where the organization participates in Privacy Shield as a controller, implementation of the SCCs for such controller-to-controller data transfers can help strengthen the position that the transfers are permissible. Given the reasoning of the CJEU in “Schrems II,” the organization will still need to undertake due diligence to evaluate and document the risks associated with the transfers, but the organization would be in a better position from a GDPR perspective because the SCCs are still a valid tool for data transfers. Where the organization acts as a data processor on behalf of customers in the EU, the organization should consider preparing and presenting to customers updated terms that include the SCCs for controller-to-processor transfers. The organization should also be prepared to answer due diligence questions from customers regarding disclosures to public authorities and related issues raised in the CJEU opinion. It will be important to have a clear understanding of whether, in practice, the organization has needed to respond to such intelligence gathering by public authorities in the past, as well as what its policies and practices are for responding going forward.
Evaluate whether derogations or other legal justifications can help
Depending on the context, some organizations may be able to adopt other strategies. For example, if the organization engages in direct-to-consumer online transactions, it might be able to narrow its data collection to what is necessary to perform the transaction with the consumer, so that the transfer can rest on the GDPR derogation for transfers necessary for the performance of a contract with the data subject. Such an approach might require the company to trim out data collection that is unnecessary for the transaction (e.g., to disable advertising cookies for EU IP addresses) but could be a logical way to proceed.
Remember Privacy Shield obligations still apply
Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply. If an organization were to decide to disregard its Privacy Shield commitments, it could still be subject to action by the U.S. Federal Trade Commission. The organization might also have obligations in agreements with customers or others to adhere to the Privacy Shield, and those commitments may not be terminated merely because of the CJEU ruling. As such, organizations should continue to adhere to their Privacy Shield obligations even in this interim period following “Schrems II.”
Continue monitoring developments
The interpretation and application of “Schrems II” is rapidly changing and developing. We are expecting more guidance from authorities and other developments in the coming days and weeks. Privacy professionals should stay closely aligned with these developments and adjust their plans accordingly.
At the end of the day, no one realistically expects that EU DPAs will immediately launch investigations against thousands of companies that have built and deployed strong privacy programs in reliance on Privacy Shield. Such an approach would be counter to how the EU DPAs have approached their responsibilities over many years. What is to be expected, however, is that organizations participating in Privacy Shield should have a plan for how they are going to address the issues, start implementing that plan as soon as reasonably possible, and be ready to discuss with authorities, business partners, customers and others as needed.
In the coming days, we will issue a series of guidance notes on what to do in the wake of “Schrems II,” including on what “Schrems II” means for companies that rely on Privacy Shield, controller-to-processor (C2P) SCCs, controller-to-controller (C2C) SCCs, derogations and binding corporate rules, and what it means for Brexit.