On July 16, 2020, in the case colloquially known as "Schrems II," the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
The Schrems II case followed closely on the heels of the CJEU's decision in Schrems I (October 2015), which invalidated the EU-US Safe Habor Framework. In Schrems I, a key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred. Schrems II then challenged the validity of SCCs for similar reasons advanced in Schrems I. The EU-US Privacy Shield was adopted in July 2016.
With regard to the SCCs, the CJEU judgment mainly followed the CJEU's Advocate General's non-binding opinion published on December 19, 2019. The CJEU stated that the SCCs provide sufficient protection for EU personal data, but emphasized the fact that EU organizations relying on them have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an "adequate level of protection" for personal data in the importing jurisdiction. The CJEU noted that organizations may implement additional safeguards, over and above those contained in the SCCs - although it is unclear what those safeguards might include. The ruling also highlights the role that supervisory authorities should take in assessing and, where necessary, suspending and prohibiting transfers of personal data to an importing jurisdiction. Many anticipate that this decision will result in modifications to the standard contractual clauses, something that had been under discussion prior to the decision (as the SCCs predate GDPR).
While the CJEU AG's view was that the CJEU is not required to rule on the validity of the EU-US Privacy Shield in the context of Schrems II, as it was not specifically requested to consider this question, the CJEU decided to examine and rule on the validity of the framework. In finding the Privacy Shield invalid, the CJEU took the view that "the limitations on the protection of personal data arising from [U.S. domestic law] on the access and use by U.S. public authorities [...] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary." The CJEU also found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before the courts against the US authorities.
Putting it Into Practice: Companies who engage in transfers of personal information from the EU to the US will want to look at the basis on which they engage in that transfer. For those US companies who are Privacy Shield participants, keep in mind that although the EU has "invalidated" the program from the EU perspective, the program is a US-run one and still exists. We thus anticipate direction coming soon from the Department of Commerce regarding how to address participation and reference current Shield participation. In the meantime, changes in the basis for transfer will need to be made (such as standard contractual clauses). We also anticipate, however, modifications to the standard contractual clause regime, and will be watching those developments closely. Given the EU's concern around disclosures to the US government, companies may also want to review this aspect of their policies, procedures and data protection agreements. As solutions are fact specific, feel free to contact any one of the authors or your regular Sheppard Mullin contact for more information.
Originally published July 16, 2020.