Privacy Shield Invalidated; Standard Contractual Clauses Left in Doubt
Today, in a case known as “Schrems II” (after the case’s plaintiff), the CJEU ruled that the U.S. – EU Privacy Shield is no longer valid as a data transfer mechanism, but organizations can continue to rely on Standard Contractual Clauses (SCCs), albeit only after undertaking additional analysis.* This case will have a significant impact on any business that either sends data from the EU to the U.S. or receives personal data from the EU. This includes companies that transfer data between subsidiaries or different corporate entities. Key takeaways:
SCCs by themselves are unlikely to be sufficient to meet GDPR obligations, regardless of whether the transfer is to the U.S. or a different country outside the European Economic Area. “Supplementary measures” will need to be adopted. Such measures have not yet been clearly defined.
Data processors have an affirmative obligation to inform controllers of any changes to relevant domestic laws that affect the ability of SCCs to provide an adequate level of protection. Controllers, in turn, will then have to evaluate whether such changes necessitate suspending those transfers.
No adequacy decision should be viewed as permanent. The power of DPAs to examine any adequacy decision is confirmed. While they cannot unilaterally invalidate such a decision, the Court found the DPAs are compelled to refer cases to the Court for review. This could spell trouble for adequacy decisions with countries with strong national security rules, such as Israel. The Commission also will have to reexamine such decisions whenever there is a material change to national security or law enforcement requirements.
Be prepared to have SCCs in place once the UK officially leaves the EU and the Brexit transition agreement expires, as UK adequacy becomes much less likely. Based on the Court’s reasoning, it appears very unlikely that the UK government will be able to meet the very precise standards of an essentially equivalent regime.
Expect challenges to the use of SCCs to transfer data to China, Russia, possibly Turkey, and any other governments where “actionable data subject rights” to “limit national security” do not exist. Such rights need to be “binding on intelligence services”, which the U.S. Ombudsman mechanism was found to lack. Moreover, based on this standard it is unclear how Member States could even meet this requirement, which confirms the trouble ahead for UK adequacy.
The U.S. – Switzerland Privacy Shield remains valid for now. But the Swiss Data Protection and Information Commissioner has indicated it has taken “note” of the decision.
Next steps for businesses from a risk management perspective:
Inventory current contractual arrangements and data transfer mechanisms. Even if your organization is not a member of the Privacy Shield, it is likely that one of your vendors or partners relies on Privacy Shield for transfers.
Identify, catalogue, and review all transfers from the EU to the U.S., including what entity is transferring and receiving the data. Every transfer will need an accompanying transfer mechanism written into an agreement, even transfers between corporate entities.
Determine if consent could serve as a basis for transfers and update privacy policies accordingly. However, this may be difficult because it would require giving the data subject an option to reject the transfers.
Document, document, document. Above all, it is clear that businesses will need to have a detailed compliance program in place, which now includes an assessment of domestic national security requirements and data subject rights in relation to those requirements.
Detail what additional safeguards are in place to ensure the SCCs between the U.S. and EU can remain valid. This may include end-to-end encryption; documentation indicating that the data transferred has never been, and will likely never be, relevant for law enforcement purposes; or updates to privacy policies and notices that take affirmative steps to demonstrate data subjects’ rights in the event of a law enforcement request.
Stay on top of any additional changes and news on this topic. More guidance from the DPAs will certainly be forthcoming.
Please reach out to us at adam@bayregulatorystrategy.com for any questions on the decision or for help in preparing to meet any changes to your GDPR obligations.
* For those interested in details, the full case text does a great job summarizing all the relevant GDPR provisions related to data transfers. For those looking for more details on all the relevant GDPR requirements as well as the current SCC text, pages 6 – 22 contain all the relevant articles.