In the highly anticipated Schrems II decision released today, the highest court in Europe has essentially struck down the Privacy Shield, a key arrangement allowing the flow of personal data from the EU to a U.S. entity. A press release from the EU Court of Justice states: “The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.”
This is a very significant decision and results in a great deal of uncertainty for businesses relying on the Privacy Shield. There are essentially three legal super tunnels to transfer personal data from Europe to the United States:
- The Privacy Shield is an agreement between the EU Commission and the U.S. Department of Commerce allowing the transfer of personal data if the American organization commits to the framework, which is based on a set of seven principles. The Schrems II decision is a déjà vu of a decision from the same court that struck down Safe Harbor in 2015, resulting in the birth of the Privacy Shield;
- Binding Corporate Rules within a group of companies such as multi-nationals; and
- Standard Contractual Clauses (SCCs) – a standard set of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the EU in compliance with the GDPR’s requirements in territories that are not considered to offer adequate protection to the rights and freedoms of data subjects. Note that Canada can still rely on its adequacy standing but could lose this by 2022, when the EU Commission will re-assess Canada’s privacy legal framework. Note also that SCCs must be adopted completely and unaltered in order to be relied upon for data transfers from the EU to the U.S. The Schrems II decision appears to have introduced additional caveats, including assessing whether there should be supplementary protections in place. OneTrust has put together a useful analysis of the interpretations of the decision by various Data Protection Authorities.
Thus, the EU Court of Justice has essentially stepped on the EU Commission’s toes by striking down the one route for data transfers that so many organizations rely upon. Note that Schrems II was not even about the Privacy Shield; it was about SCCs, which were in my view essentially upheld as valid, but the court used the opportunity to also comment on the Privacy Shield.
What are the practical next steps for organizations relying on the Privacy Shield?
- Engage your IT and data governance teams to review data maps and determine where you are relying on the Privacy Shield.
- Engage the right legal experts, as well as the experts of the third parties you partner with.
- Involve your risk management group and ensure you are having strategic discussions regarding customer expectations.
- Document your work and decisions. I will certainly be advising some of my clients to consider moving to SCCs that offer more certainty and stability with respect to data transfers from the EU to the U.S.
We should hear more from the EU Commission on this important decision soon!
For assistance with understanding the framework you should be relying upon for international personal data transfers, contact PRIVATECH.
UPDATE: European Data Protection Board releases an FAQ with guidance in light of the Schrems II decision.