What to do when your company relies on the privacy shield framework or SCC's for international data transfers.

It is still unclear what exactly the impact will be of the landmark decision delivered by the Court of Justice of the European Union (“Court”) last Thursday, July 16th, in the case also known as Schrems II (click here for the press release). It is clear, however, that the EU-US Privacy Shield Framework is declared invalid. Furthermore, although the Court ruled that controller-processor Standard Contractual Clauses (“SCC’s”) remain valid, the Court stipulated that parties should verify if the SCC’s are in compliance with the national laws of the applicable country.

What is Schrems II about?

In 2013, Maximillian Schrems complained to the Irish supervisory authority (“DPC”) about the transfer of his personal data by Facebook to the United States. Schrems had been a Facebook member since 2008 and (some of) his personal data were transferred by the Irish subsidiary to servers located in the United States where the data was processed. His first complaint built upon revelations made by Edward Snowden in 2013 regarding the activities of the US intelligence services, and concerned the fact that these activities were not in line with European data protection law. The DPC rejected his complaint. Schrems, in turn, challenged the decision before the Irish High Court. The High Court referred questions to the Court, about the validity of the Safe Harbor decision. Back in 2015, the Court declared the Safe Harbor decision invalid (also known as Schrems I).

Facebook could fairly easy change from relying on Safe Harbor, to adopting Standard Contractual Clauses. Furthermore, Safe Harbor was replaced by the Privacy Shield. Now in the Schrems II case, Schrems challenged not only the Privacy Shield but also the Standard Contractual Clauses. The Irish High Court again referred questions to the Court, this time on the validity of Decision 2010/87 (the SCC’s) and of Decision 2016/1250 (the Privacy Shield). Furthermore, the questions regarded whether the GDPR applies to transfers of personal data pursuant to the SCC’s, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. This judgement is relevant for all US companies that rely on the Privacy Shield and/or SCC’s for the processing of personal data.

In short, the Court ruled the Privacy Shield decision to be invalid as it does not provide an adequate level of data protection as required under the GDPR. Furthermore, the Court ruled that controller-processor Standard Contractual Clauses (“SCC’s”) remain valid. The Court did stipulate that parties should verify if the SCC’s can be complied with under the national laws of the applicable country.

Important to know in terms of enforcement, is that, according to this decision, supervisory authorities are required act. The Court ruled that they are required to prohibit or suspend a transfer of data to a third country based on SCC’s if there is (a) no (valid) adequacy decision of the EC and (b) in the view of that authority the SCC’s cannot be complied with in that third country and no other adequate measure can or will be taken.

What should your organization do?

If your company is processing personal data in the US of EU citizens or you are transferring personal data from the EU to the US, you will first need to assess if appropriate measures have been taken.

If your company is relying on the Privacy shield, we suggest looking at alternatives. Alternatives are:

·         Binding corporate rules;

·         SCC’s (if compliance if possible under national law); and

·         Drafting clauses and submitting them for approval to a supervisory authority.

When relying on SCC’s, it is important to assess if these measures are sufficient to ensure the level of protection as required under the GDPR. This means your company should be able to provide appropriate safeguards, enforceable rights and effective legal remedies, equivalent to the level guaranteed within the EU.

If your company is relying on the SCC’s and resides in the US, it is most probable that your company is not able to comply with the SCC’s under the applicable national law. The Court declared the Privacy Shield invalid because of the lack of effective legal remedies for data subjects in case their personal data are processed under surveillance programmes based on Section 702 of the Foreign Intelligence and Surveillance Act and Executive Order 12333. It is likely that therefore your company cannot comply with its obligations under the SCC’s. Please note that the data importer, under article 5 (b) of the SCC’s addendum, is obligated to notify the controller if its obligations under the contract cannot be met.

Because the actual implications are not yet clear and this, of course, is also a matter of international politics, it is wise to keep track of communications of the relevant supervisory authorities and the European Data Protection Board (“EDPB”). The EDPB, consisting of representatives of all national supervisory authorities, did already communicate looking into additional measures to SCC’s. It will also provide further clarification for stakeholders on the use of instruments. We will strive to keep you informed on any important news for your company strategy in tackling these important issues raised by the decision of the Court.

In the process of assessing whether the measures your company has taken are sufficient to match the level of protection as demanded by the EU, our privacy team is happy to be of assistance. Together we can identify possible alternative actions as mentioned above.