GDPR update: Why did a European court recently invalidate the EU-US Privacy Shield?

August 25, 2020

How does this impact your organization?

The Court of Justice for the European Union recently invalidated the EU-US Privacy Shield, a mechanism relied upon by many companies to ensure adequate safeguards for the cross-border transfer of EU citizen data. This recent ruling has left many companies—including medical technology and pharmaceutical companies with EU operations, such as sales, marketing, manufacturing, and/or clinical activities—scrambling and confused.

In the wake of this major ruling impacting data flows from the EU to the US, people are asking whether Standard Contractual Clauses are sufficient, and if they are not, what options remain?

Case background and Issue: C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

Mr. Max Schrems is an Austrian activist best known for his campaigns against Facebook, including this case, for violations of the General Data Protection Regulation (GDPR) as well as other privacy laws. You may recall that the Court of Justice for the European Union (CJEU or Court) invalidated the EU-US Safe Harbor in 2015—in a case also brought by Max Schrems. That case is coined as “Schrems I”. In this most recent case, coined as “Schrems II”, Mr. Schrems specifically sought to challenge the EU-US Privacy Shield, as well as the Standard Contractual Clauses (SCCs). Article 46 of the GDPR, which covers transfers subject to appropriate safeguards, states “In the absence of a decision pursuant to Article 45(3) [an adequacy decision], a controller or processer may transfer personal data to a third-country or an international organisation only if the controller or processer has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” [Emphasis added.] In Schrems I, the CJEU or Court held that the privacy protections in nations receiving data from the EU must be “essentially equivalent” to those afforded within the EU. In the case at hand, the CJEU held that the EU-US Privacy Shield does not provide privacy protections that are “essentially equivalent” to those afforded within the EU. The Court specifically took issue with the fact that US public authorities may access personal data transferred from the EU to the US for US national security purposes. The CJEU noted that this activity essentially limits protection of personal data which cannot be circumscribed in a way that satisfies the “essentially equivalent” requirement and thus interferes with the fundamental rights of persons whose data are transferred from the EU to the US.

The impact of this case is immediate.

There is no “grace period” afforded to companies utilizing EU-US Privacy Shield to establish appropriate safeguards for data transfers. Further, the knee-jerk reaction of “execute SCCs” may not be an adequate solution for some. While the Court did not go so far as to invalidate current SCCs, it did note that their validity is dependent on whether there are effective mechanisms in place to ensure compliance with the level of protection essentially equivalent to those provided under the GDPR.

How can SCCs still be valid given the fact that the CJEU more or less held that the US cannot provide “essentially equivalent” protections?

All is not lost for companies operating under SCCs. The Court noted that companies utilizing SCCs must verify that the level of protection is respected in the third-country. This can be accomplished by adopting “supplementary measures”. Such measures are yet to be defined by the European Data Protection Board (EDPB). According to the Court, if the level of protection in place in the EU cannot be achieved in the receiving country then the data transfer must be suspended. As a reminder, violators of Articles 44-49 of the GDPR, which cover transfers of personal data to a recipient in a third-country, may be fined up to €20 million, or up to 4% of the annual worldwide “turnover”, i.e., revenue, of the preceding financial year, whichever is greater. See Article 83(5).

What can be done to ensure compliance with the ruling?

Companies relying on EU-US Privacy Shield and/or SCCs should conduct an assessment to determine whether SCCs can be implemented. If they can be, then companies should determine whether supplementary measures need to be implemented to ensure “essentially equivalent” protections.

How do I transfer Data from the EU to the US without SCCs?

What is a company to do where the EU-US Privacy Shield is no longer an option and the fate of SCCs is unknown? Here are a few possible options:
  • Article 47 Binding Corporate Rules (BCR): Primarily used by international organizations transferring data between its own entities. BCRs must be approved by a competent supervisory authority. As such, this is an involved process. Note, however, that this mechanism was also called into question by the recent CJEU ruling.
  • Article 49 Derogations for specific situations. For example:
    • Explicit consent: When data transfers are based on consent from the individual whose data is at issue, that consent must be explicit, specific, and informed.
    • Performance of a contract: Typically, this option is only available when the transfer of data is occasional, as established on a case-by-case basis.

Conclusion

The full impact of Schrems II is yet to be seen. It is likely that we will see additional action by the CJEU and the EDPB following the 2020 election. Medical technology and pharmaceutical companies should evaluate their GDPR compliance in light of these recent changes and make plans to reevaluate their programs by 2021 at the latest.

Resources