On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.
The Privacy Shield and the SCCs are relied on by thousands of companies to transfer personal data under the General Data Protection Regulation (GDPR). These mechanisms are critical to allowing data transfers that facilitate the growth of the global economy. Businesses which currently rely on these transfer mechanisms now face legal uncertainty and disruption, and will need to carefully reconsider their data transfer strategy.
Background
In 2013, privacy activist Max Schrems filed a complaint with the Irish Data Protection Commissioner (DPC) relating to transfers of data from the EU to the U.S. by Facebook Ireland following the Edward Snowden revelations. Schrems relied on Snowden's reports to allege a violation of data protection rights as a result of suspected data sharing between U.S. companies and intelligence agencies. In 2015, the ECJ invalidated the EU-U.S. Safe Harbor adequacy decision, on the basis that it did not provide an adequate level of protection to EU personal data. In the wake of the ECJ decision, many companies began relying on SCCs for data transfers to the U.S. At the same time, the U.S. and the European Commission (EC) made substantial improvements to the Safe Harbor program to address the ECJ's concerns, and in 2016 the EC approved a new safe harbor program: the EU-U.S. Privacy Shield Framework.
Thereafter, Max Schrems filed a new complaint with the DPC, this time challenging Facebook Ireland's use of the SCCs as a transfer mechanism. The case made its way to the ECJ, via a reference for a preliminary ruling from the Irish High Court, in 2018. The Irish High Court's referral contained a wide-ranging list of questions focusing on the validity of SCCs in relation to transfers to the U.S. For the full background on Schrems 1.0 and 2.0, please see The Wilson Sonsini Data Advisor article, "And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield."
On July 9, 2019, oral arguments on the referred questions were presented to the ECJ by interested stakeholders. On December 19, 2019 the Advocate General (AG) opined that the SCCs are valid because they are designed to ensure a continuous and adequate level of protection when personal data is transferred by a company in the EU to another company in a third country. The AG also advised that the ECJ is not required to address the Privacy Shield questions raised by the High Court; nonetheless the AG expressed concerns about the conformity of the Privacy Shield with the GDPR. For the full analysis of the AG's Opinion, please see the Wilson Sonsini Alert, "Schrems 2.0: AG Opines that Data Transfers to U.S. Are Valid Under Standard Contractual Clauses."
Privacy Shield Is Invalid
The ECJ invalidated the Privacy Shield on two main grounds: i) it does not offer adequate protection to individuals' data protection rights in light of the potential broad disclosure of personal data to the U.S. intelligence services/public authorities; and ii) the Ombudsperson created by the Privacy Shield framework to address complaints by EU citizens lacks the independence and authority to adopt decisions that bind U.S. intelligence services.
Inadequate protection for EU individuals
The ECJ ruled that U.S. domestic law does not offer a standard of legal protection that is "essentially equivalent" to the standard of protection under EU law. In particular, the ECJ found that national intelligence programs authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 do not grant EU individuals actionable rights before the courts against U.S. authorities, rendering the data protection rights insufficient.
The ECJ noted that the Charter of Fundamental Rights of the European Union (Charter) protects individuals' private communications and personal data. Disclosing data to a third party—including public authorities—interferes with these rights, and is permitted only if strictly necessary. However, the ECJ indicated that surveillance programs like Presidential Policy Directive-28 regarding signals intelligence activities may process a disproportionate amount of data and allow access to data in transit to the U.S. without any judicial review. The ECJ reasoned that the surveillance programs are not limited in scope and do not provide guarantees for potentially targeted non-U.S. individuals. As such, individuals do not have an effective judicial remedy to exercise their privacy rights.
The Ombudsperson lacks independence
The ECJ further found that the Privacy Shield's Ombudsperson mechanism cannot remedy the deficiency described above because it lacks the power a tribunal traditionally has. In particular, the Ombudsperson lacks the authority to bind U.S. intelligence services. Accordingly, EU citizens have no redress mechanism for certain surveillance activities.
The ECJ also opined that the Ombudsperson lacks independence because he is appointed by the Secretary of State and is an integral part of the U.S. State Department. The Ombudsperson reports directly to the Secretary of State, and there are no guarantees to protect against the revocation or dismissal of the Ombudsperson, which undermines his independence.
Based on the above, the ECJ invalidated the Privacy Shield. Notwithstanding the substantial business disruption this ruling creates, the Court noted that it does not believe the invalidation creates a legal vacuum since companies can still rely on other transfer mechanisms, including the GDPR's list of derogations (e.g., consent).
Standard Contractual Clauses
ECJ upholds the validity of the Standard Contractual Clauses
In its referral, the Irish High Court had posed several questions regarding the validity of the SCCs, including whether SCCs are capable of ensuring adequate protection if they do not bind the public authorities of the foreign country.
The ECJ explained that the SCCs are a form of appropriate safeguards, which should be distinguished from adequacy decisions. An adequacy decision is based on an assessment of the level of protection of personal data afforded by a particular legal system as a whole, which renders all organizations within that legal system eligible to receive personal data from the EU. Unlike adequacy decisions, the GDPR's provisions on appropriate safeguards specifically allow the EU Commission to adopt standard data protection clauses to govern transfers between data exporters and data importers, irrespective of the legal system of the data importers. As a result, the validity of the SCCs does not depend on, and the EU Commission did not need to assess, the adequacy of the countries to which data could be transferred using SCCs.
Whether SCCs constitute appropriate safeguards, however, depends on whether the SCCs incorporate effective mechanisms to ensure compliance with the level of protection required by EU law. The Court concluded that the SCCs do incorporate effective mechanisms, in part because of the obligation on importers to inform exporters when they cannot comply with the SCCs, and the obligation on exporters to subsequently suspend the transfer.
Organizations and regulators must assess compliance with Standard Contractual Clauses
Because, among other things, the SCCs do not bind public authorities, the ECJ determined that it may be necessary to supplement the guarantees provided by the SCCs. The ECJ explains that it is up to organizations to verify on a case-by-case basis and prior to any transfer whether the SCCs can afford the requisite level of protection required by the GDPR and, where necessary, to implement further safeguards.
For ongoing transfers, exporting organizations must suspend or stop data transfers if they can no longer provide the requisite protection to EU citizen data. Consistent with the provisions of the current SCCs, the ECJ explains that importing organizations must inform exporters if they are no longer able to comply with the SCCs, in which case the exporter is required to suspend the transfer.
Furthermore, if a regulator determines that the SCCs cannot be complied with in a particular country of import, and the required level of protection cannot be provided by other means, the regulator must suspend or prohibit the transfer.
Implications for Companies
The implications for companies are significant. Businesses that have relied on the Privacy Shield to import personal data into the U.S. risk business interruption and will need to carefully consider alternative transfer strategies such as the use of SCCs, Binding Corporate Rules, or other authorized bases for transfer, such as individuals' consent.
Whereas SCCs generally constitute a reliable solution to transfer personal data overseas, companies will need to conduct a case-by-case assessment and ensure that data transfers to third countries conform with the GDPR. We anticipate that regulators and/or the European Data Protection Board (EDPB) will provide guidance in this area. Further, we expect that the ECJ decision will increase pressure on regulators to investigate whether transfers made under the SCCs actually provide the protection they are supposed to offer.
As was the case after the invalidation of the Safe Harbor Framework, the expectation is that the national regulators, assembled in the EDPB, will provide for a grace period for companies to adapt their data transfer solution in light of the judgment.
This milestone judgement will have a deep impact on companies' data storage and transfer strategies. We will report on the case in more detail as well as on further guidance that may become available in the near future.
Wilson Sonsini helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Lydia Parnes, Chris Olsen, Tracy Shapiro or another member of the firm's privacy and cybersecurity practice.
Nikolaos Theodorakis contributed to this alert.