The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. However, how the decision will be enforced remains uncertain.
Despite the invalidation of Privacy Shield, the U.S. Department of Commerce issued a statement that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” And although the CJEU’s decision in principle upheld the validity of Standard Contractual Clauses (SCCs), the judgment drew reactions from various EU data protection supervisory authorities (DPAs), some calling into question the use of SCCs for EU to U.S. transfers.
EDPB Seeks New Agreement With U.S.; Promises Clarification on SCC ‘Additional Measures’
On 17 July, the day after the CJEU’s ruling, the European Data Protection Board (EDPB), an association comprising, inter alia, national DPAs of all EU Member States, published a statement welcoming the ruling and calling it “of great importance.” In its statement, the EDPB points out that consistent with the judgment, the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU.
The EDPB also promises to further assess additional measures that parties to the transfer could consider undertaking, if after undertaking a “SCC-assessment,” the U.S. (or other destination country) does not provide an essentially equivalent level of protection.
EDPS Notes Data Protection Is a Global Fundamental Right
In its statement following the Schrems II decision, the European Data Protection Supervisor (EDPS) points to the growing number of data protection laws adopted worldwide, including the new Convention 108+ adopted by the Council of Europe, as evidence that data protection is not only a “European” fundamental right, but a fundamental right widely recognised around the globe. Against this background, the EDPS notes that it believes the U.S. will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the CJEU. The EDPS also reiterates the DPAs’ duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country.
UK’s ICO Advises Companies to Continue Using Privacy Shield
The day after the decision, the UK’s Information Commissioner’s Office (ICO) stated that it was considering the decision and that it “stand[s] ready to support UK organizations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” The ICO later released the following statement: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
Irish DPC Notes That Use of SCCs for US Transfers Is Questionable
The Irish Data Protection Commission (DPC), which was a party to the proceedings leading to the CJEU judgment, issued a statement welcoming the CJEU’s endorsement of its position. However, the DPC notes that the application of the SCCs to transfers of personal data to the U.S. is now questionable and will require further and careful examination on a case-by-case basis. The DPC acknowledges that going forward the “central role” that it, together with its fellow supervisory authorities across the EU, must play will be developing a position to give meaningful and practical effect to the judgment.
German DPAs Issue Various Opinions
In Germany, where there are several DPAs with differing geographical and material competences, several DPAs shared their opinions on how they believe the Schrems II decision impacts the use of SCCs for transfers to the U.S. and other third countries.
- BfDI Looks to Revised SCCs as a Possible Solution. In response to the decision, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), responsible for the supervision of telecommunication providers and federal authorities, promises further guidance and mentions the European Commission’s revised SCC as a possible solution.
- DPA Hamburg Asserts SCCs Likely Inadequate for Transfer to U.S. Arguing that the current SCCs are unsuitable for protecting data subjects from the access of intelligence services, the Hamburg Data Protection Commissioner (DPA Hamburg) calls the CJEU’s decision to maintain SCCs inconsistent with its Privacy Shield conclusion (cf. statement, in German). DPA Hamburg notes that at least in this specific case, the court should have come to the same conclusion for Privacy Shield and SCC – that neither is an adequate transfer mechanism. The Hamburg DPA notes that EU DPAs will now have to critically question whether transfers based on SCCs to the United States, China, and in light of Brexit perhaps even the United Kingdom are permissible. Declaring that since data transmissions to countries without adequate protection will no longer be allowed, DPA Hamburg stresses that the DPAs in Germany and in Europe must now reach a rapid agreement on how to deal with the situation.
- DPA Rhineland-Palatinate Notes No Grace Period and Potential Impact on Binding Corporate Rules. The Data Protection Commissioner for Rhineland-Palatinate (DPA RP) issued guidance in the form of FAQs (in German), wherein it recognizes that the GDPR does not permit a grace period in such situations as those resulting from the Schrems II decision. The DPA RP also gives examples in which the SCC may not serve as basis for U.S. transfers, e.g., telecommunication companies, and companies using the services of such companies. The DPA RP notes that absent a legitimate basis for the transfer, the data transfer must be suspended; otherwise, there is a violation of Art. 44 GDPR. While the decision does not touch on Binding Corporate Rules (BCRs), the DPA RP notes the question whether the ruling affects BCRs is also currently being examined by the DPAs.
- DPA Berlin Increases the Pressure. In its press statement (in German) of 17 July 2020, the Berlin Commissioner for Data Protection and Freedom of Information (DPA Berlin) welcomes the clarity of the ruling and goes one step further, directing Berlin companies that are using U.S.-based companies to process EU personal data to retrieve the data and have it processed in Europe. According to the DPA Berlin, those controllers who transfer personal data to the U.S. – especially when using cloud services – are now required to switch immediately to service providers in the EU or in a country with an appropriate level of data protection.
The DPA Berlin stresses that the CJEU has clarified that data transfers cannot be about economy; rather, the fundamental rights of individuals must be paramount. “The times when personal data could be transferred to the USA for convenience or cost savings are over after this verdict. It is now the hour of Europe’s digital independence.” The DPA further notes that:
We accept the challenge that the CJEU explicitly obliges supervisory authorities to prohibit inadmissible data transfers. Of course, this does not only apply to USA transfers, which the CJEU has already itself ruled illegal. It will be necessary as well to check whether similar or even greater problems exist when data are transferred to other countries such as China, Russia or India.
It is uncertain what steps the EU DPAs will take in relation to the use of SCCs for transfer to the U.S., and other countries, and when the EDPB will provide further guidance. However, since the ball is now with the individual DPAs to decide on a case-by-case basis whether the SCCs may still be used, what is certain is that U.S. organizations will again struggle with yet another data protection “grey-area” despite the GDPR’s promise of one law. Even a unified position of the EDPB will clarify individual cases only and, although indicating a certain direction, it will not be generally binding in subsequent cases.