Schrems Redux: Data Transfers from Europe to the U.S. Just Became More Problematic
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) ruled in the Schrems II case against Facebook that the Privacy Shield arrangement between the U.S. and the European Union did not adequately protect the rights of Europeans, invalidating the program. Privacy Shield was itself the successor to the Safe Harbor program implemented by the U.S. and the E.U., which the CJEU had previously invalidated in 2015, also in a case brought by Austrian privacy advocate Maximilian Schrems.
These programs had permitted subscribing organizations – over 5,000 at last count – to transfer personal data from Europe to the United States. As a consequence of their invalidation, organizations that wish to transfer personal data of individuals in the E.U. will have to justify the transfers by some other method, given the findings that the protections of U.S. law are inadequate. But the basis of the CJEU’s decision calls into question how an organization ever would be able to transfer personal data from the E.U. to the U.S. under European law – the stringent requirements of the General Data Protection Regulation, or GDPR.
The CJEU decision overturned a finding of the European Commission that the Privacy Shield provided adequate protection, notwithstanding that, under U.S. law, adherence to the Privacy Shield principles “may be limited, inter alia, ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’.” (Schrems II ¶ 164.) The CJEU found that this therefore “enables interference, based on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.” (Schrems II ¶ 165.) While the privacy rights of the Charter of Fundamental Rights of the European Union are not absolute, they are required to satisfy a “requirement of proportionality according to which . . . limitations on the protection of personal data must apply only in so far as is strictly necessary” and must be subject to “clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse.” (Schrems II ¶ 176.)
The CJEU noted that the European Commission had found that U.S. law, and, in particular, Section 702 of the Foreign Intelligence Surveillance Act, “does not authorise individual surveillance measures; rather, it authorises surveillance programs . . . on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence (DNI)’ [and] does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programmes.” (Schrems II ¶ 179, 180.)
Accordingly, the CJEU held, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law . . ..” (Schrems II ¶ 185.)
With the Privacy Shield no longer available, the two principal methods of permitting data transfers to the U.S. are Standard Contractual Clauses (SCCs) that parties can incorporate into their data-sharing agreements, and Binding Corporate Rules (BCRs) for internal data transfers (which require approval of a national data protection agency). As it happens, Standard Contractual Clauses also were at issue in Schrems II – in fact they were the original reason for the referral to the Court. The CJEU upheld the use of Standard Contractual Clauses, but with a critical qualifier: The use of Standard Contractual Clauses requires the European party transferring the personal data in question – or failing that, the supervising national data protection agency – “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses” and if they are unable to do so, for example by providing additional safeguards, then they “are required to suspend or end the transfer of personal data to the third country concerned.”
Given the findings as to U.S. law with respect to the Privacy Shield program, organizations that use SCCs may have a difficult time determining that U.S. law provides adequate protection to the rights of those whose data are transferred, or in providing sufficient additional safeguards to accomplish that end. And in fact, Ireland’s Data Protection Commission issued a press release on the day of the CJEU decision stating that “It is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” Further, national data protection authorities may be similarly reticent to approve Binding Corporate Rules for data transfers to the U.S.
(As a side note, at a 2016 conference in Paris of the New York State Bar Association International Section, the principal author of this alert, Drew Jaglom, sat at lunch with Maximilian Schrems, the plaintiff in both the current CJEU case and in Schrems I, which invalidated the Safe Harbor regime. Mr. Schrems expressed precisely this point of view: that so long as U.S. law permitted undifferentiated access to personal information without a particularized showing of need, there was no way to provide the necessary assurance of adequate protection of personal data, and no transfer mechanism could be valid. For video of Mr. Schrems’s formal presentation at that conference, click here.)
Consequently, businesses in the U.S. with employees or customers in Europe, or otherwise with access to personal data of individuals in the European Union, will need to consider alternatives to transfer such personal data to the U.S. For example, the Schrems II decision does not prohibit European customers from explicitly consenting to provide their personal data to U.S. companies. Indeed, companies with U.S.-only operations can and should inform their European customers that their data servers are located in the U.S., and that by providing their personal data to those companies, such customers are consenting to the transfer of their personal data to the U.S. Such information should be included in the U.S. companies’ privacy notices.
Of course, the GDPR gives individuals in the E.U. the ability to withdraw their consent, in which case U.S. companies may be required to delete the data they hold about such customers. Moreover, consent will be deemed ineffective in the context of an employment relationship, given the imbalance of power between employers and employees.
In light of the Schrems II decision, the currently-available methods for an organization to transfer personal data from the E.U. to the U.S. include the following:
- SCCs (but note the limitations and concerns described above);
- BCRs, so long as the competent European data protection authority approves them (which may be unlikely, given the same concerns);
- Explicit consent by the E.U. individual to the transfer, after such individual has been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
- Where the data transfer is necessary for the performance of a contract between the E.U. individual and the company, or for the implementation of pre-contractual measures taken at the individual’s request; and
- Where the data transfer is necessary for the conclusion or performance of a contract concluded in the interest of the E.U. individual.
Of course, the ultimate solution to this conflict is to reform U.S. law so that it no longer permits governmental authorities to engage in the general harvesting of personal data.
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.