On July 16, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in Data Protection Commission v. Facebook Ireland, Maximillion Schrems (Case No. C-311/18) (Schrems II), which invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield) but upheld the European Commission’s Standard Contractual Clauses (SCCs)—albeit, with reservations.

Though not wholly unexpected given the ongoing criticism levied against Privacy Shield, the landmark decision will require companies subject to the EU’s General Data Protection Regulation (GDPR) to:

1. Urgently re-examine the legal bases for trans-Atlantic transfers of personal data for those business participating in Privacy Shield; and
2. Closely evaluate whether additional considerations and safeguards are necessary to support SCCs (the European Commission-approved contractual method of providing protection when personal data is transferred from the European Economic Area (EEA) to third countries).

Schrems II Summary
The case concerns an Austrian privacy advocate, Max Schrems, who filed a complaint with the Irish Data Protection Commissioner in 2015 challenging Facebook Ireland’s reliance on SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S.

Schrems alleged that SCCs fail to ensure an adequate level of protection for EU residents because U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law.  The key consideration was that EU personal data is at risk of being processed by U.S. intelligence agencies in a manner incompatible with rights guaranteed under the EU Charter of Fundamental Rights (EU Charter), and that no viable remedy exists for EU residents.

Following the complaint, the Commissioner brought proceedings against Facebook in the Irish High Court, which ultimately referred the matter to the CJEU.  In response, the CJEU found that the European Commission’s adequacy determination that underpins Privacy Shield is invalid for two main reasons.  First, the court found that U.S. surveillance programs do not limit processing activities to that which is strictly necessary and proportional as required by EU law.  Second, the court determined that EU residents lack actionable judicial redress regarding processing of personal data by U.S. surveillance programs and, therefore, have no right to an effective remedy in the U.S. as required by the EU Charter.

Finally, while the court upheld the validity of SCCs, the decision now requires companies and regulators to conduct a case-by-case analysis to determine whether third country protections concerning government access to data transferred meet EU standards, and whether additional safeguards may be necessary.

How the Ruling Impacts U.S. and EU Businesses
Businesses subject to the EU’s GDPR are now tasked with reassessing global data transfers. Companies need to analyze data flows that involve transfers of personal data outside the EEA and determine the appropriate transfer mechanism. 

As a first priority, companies that currently rely on Privacy Shield should find an alternative transfer mechanism.  These alternatives could include:

• SCCs, which are now subject to additional considerations;
• Binding Corporate Rules, which must be approved on a company-by-company basis by applicable supervisory authorities;
• Consent, which should be implemented based on guidance from applicable Data Protection Authorities; or
• Applicable exceptions outlined in Article 49 of the GDPR, such as transfers necessary for the performance of a contract with the data subject.

In assessing these alternatives, though, businesses that participate in Privacy Shield should be mindful that existing commitments remain enforceable by the U.S. Federal Trade Commission.  See U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling & the Importance of EU-U.S. Data Flows, available here (July 16, 2020) (U.S. DoC Statement).  Companies should expect increased scrutiny with respect to adherence to the Privacy Shield program as alternatives are rolled out by regulators.

Finally, for businesses using or considering SCCs (as an alternative to Privacy Shield, for example), the decision now requires an assessment of the appropriate safeguards.  In other words, if a business wants to transfer EU personal data to a third country where an adequacy decision (a formal decision by the European Commission that a third country has adequate safeguards, the list of which is available here) is not in place, the GDPR places the responsibility for ensuring appropriate safeguards on that business.  This includes an obligation to “take measures to compensate for the lack of data protection in a third country,” including additional “safeguards” and “enforceable data subject rights and . . . effective remedies.”  Schrems II, at Para. 131.

What Happens Next.

When the CJEU invalidated the U.S.-EU Safe Harbor program—the Privacy Shield’s predecessor—in 2015, supervisory authorities recognized the significant uncertainty the decision created, and provided a grace period for companies to re-evaluate their trans-Atlantic data transfer program.  Supervisory authorities will likely take a similar approach and are already actively considering the impacts of the recent decision.  The UK’s Information Commissioner’s Office, for example, has stated that “it stands ready to support UK organizations and will be working with the UK government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”  See ICO Statement on the Judgement of the European Court of Justice in the Schrems II Case, available here (July 16, 2020).  A grace period, though, is not guaranteed and would not prevent individuals or groups from bringing private claims for compensation.

Likewise, the U.S. Department of Commerce has already stated that it remains “in close contact with the European Commission and European Data Protection Board . . . and hope[s] . . . to limit the negative consequences” of the decision, which the European Commission echoed.  See U.S. DoC Statement; see also Opening Remarks by Vice-President Jourová and Commissioner Reynders at the Press Point Following the Judgment in Case C-311/18 Facebook Ireland and Schrems, available here (July 16, 2020).  As a result, there will likely be guidance developed and deployed in the coming weeks, as well as political discussions between the EU and the U.S.

In the interim, as businesses assess the full impacts to applicable data transfer mechanisms, the Baker Botts L.L.P. Privacy and Data Security is available to assist and will continue to monitor developments.  For further information and advice, please contact us.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.