Picking up the Pieces After Schrems II
July 30, 2020
The recent Schrems II decision from the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield—a key mechanism by which companies transferred data from the European Union (EU) to the United States in a manner compliant with the General Data Protection Regulation (GDPR). The decision also raised questions about whether Standard Contract Clauses (SCCs) remain a viable transfer mechanism, casting doubt on a mechanism widely used by companies that were not otherwise using Privacy Shield.
This alert examines the current state of EU data transfer restrictions in light of recent guidance from the European Data Protection Board (EDPB) and statements from the Data Protection Authorities (DPAs) of various member states. Because there is significant uncertainty regarding SCCs and the potential enforcement posture of DPAs, companies engaged in data transfers with the EU should carefully evaluate the legal mechanisms they are using to transfer data, including in mergers and acquisitions and other commercial transactions involving EU personal data, and consider amending current mechanisms or adopting new strategies to limit their GDPR compliance risk.
The Schrems II Decision
The July 16, 2020, judgment in Schrems II (Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems) arose from a matter in which privacy activist Maximillian Schrems challenged the validity of SCCs as a mechanism to transfer personal data to the United States. Under the GDPR, controllers and processors are generally prohibited from transferring personal data of EU residents from the EU to third countries unless the receiving country has been deemed to provide data protection that is essentially equivalent to the protection that data subjects enjoy under EU law. The essence of Mr. Schrems’ challenge was that SCCs were not a valid mechanism for transfers of data to the U.S. because they did not protect the data from being subject to U.S. surveillance. Mr. Schrems also challenged the validity of the Privacy Shield, arguing that its additional protections, such as the establishment of an ombudsman to address complaints from EU data subjects, were insufficient to overcome the lack of adequate protections in U.S. law.
In a decision that went further than the Advocate General’s advisory opinion (see our prior alert here), the CJEU struck down Privacy Shield and found that while SCCs were valid in principle, whether or not they are valid in a particular circumstance turns on whether it is possible “in practice” to ensure compliance with the level of protection essentially equivalent to EU law. The decision requires DPAs to assess the adequacy of protections by looking at “the relevant aspects of the legal system” of the third country as it relates to safeguards, rights, and judicial remedies. Consequently, the same concerns with U.S. surveillance that doomed the Privacy Shield may arise in individual circumstances where a data recipient using SCCs is or could possibly be subject to U.S. national security or law enforcement orders requiring access to data.
The CJEU held that if GDPR protections cannot be ensured by other means, the EU controller or processor (or, failing that, the relevant DPA) must suspend or prohibit the transfer of personal data. The Court did not elaborate on what “other means” would be sufficient to ensure compliance in instances where the law of the third country does not provide adequate protections.
Ongoing Validity of SCCs
On July 23, 2020, the EDPB released a Frequently Asked Questions (FAQs) document, which provided clarification in some areas and invited additional questions. The EDPB highlighted the CJEU’s conclusion that the validity of SCCs “depends on whether . . . [there are] effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed in the EU by the GDPR.” The EDPB emphasized that “[t]he Court found that U.S. law . . . does not ensure an essentially equivalent level of protection [to the GDPR],” but noted that the continued use of SCCs turns on a case-by-case assessment of the circumstances of the transfer and any “supplementary measures” put in place. The EDPB did not provide any examples of supplementary measures and indicated that it was currently analyzing the judgment to determine what “legal, technical, or organisational measures” would be sufficient.
The EDPB also noted that the implications of the case extend to other transfer mechanisms over which “U.S. law will also have primacy,” such as Binding Corporate Rules (BCRs). Similar to SCCs, the EDPB’s guidance for assessing the ongoing validity of BCRs is to take into account “the circumstances of the transfer and possible supplementary measures” in order to determine whether U.S. law would “impinge on the adequate level of protection [the BCRs] guarantee.”
More than just the U.S. in the Cross Hairs
Although the focus of Schrems II was the transfer of data to the U.S., the broad conclusion of the CJEU will have a global impact. By pointing to the inadequacies of a third country’s legal system as the basis for questioning the practical validity of SCCs, the CJEU potentially undermined the validity of SCCs as a transfer mechanism for any country that does not meet EU standards. Most notably, companies relying on SCCs to transfer data to China will come under increased pressure in light of the cybersecurity and national security laws in effect there.
One potential ramification of the ruling is increased pressure for companies to process personal data entirely within the EU. This is a step further than many data localization requirements imposed by countries, where the focus is on retaining a copy of data within the country, not preventing the transfer of data beyond its borders.
Prospect of Enforcement
Underlying all of these issues is the question of how aggressively DPAs will enforce compliance post-Schrems II. The opinion did not allow for a wind-down period, and the EDPB FAQs specifically note that there is no grace period and that “[t]ransfers on the basis of [Privacy Shield] are illegal.”
European DPAs have offered different statements on how aggressively they will pursue investigation and enforcement actions. DPAs in parts of Germany and the Netherlands issued statements generally saying that transferring data to the U.S. via SCCs was unlawful. Other DPAs in Denmark, France, and the United Kingdom offered neutral statements or statements highlighting the general validity of SCCs. Most notably, the Irish Data Protection Commission, which has pursued high-profile investigations of major U.S. technology companies, issued a statement that while SCCs remain valid “in principle,” the validity of SCCs as a transfer mechanism of personal data to the U.S. “is now questionable.”
Whether and to what extent enforcement is pursued by individual DPAs remains to be seen. Despite some high-profile matters and statements, to date DPAs have taken a much less aggressive enforcement approach than some privacy advocates have hoped. In light of the sudden and sweeping nature of the opinion, it is unlikely that there will be broad, uniform, and aggressive enforcement by DPAs. But high-profile companies that have been the target of past enforcement actions or who are subject to routine U.S. national security and law enforcement requests for data may nevertheless find themselves being pursued as test cases.
Other Mechanisms for Transfer
So what mechanisms are companies left with if they want to transfer data from the EU? The CJEU’s ruling did not impact the derogations of Article 49 of the GDPR, which permit the transfer of data in certain circumstances. But these provisions are limited and are often difficult to implement in practice.
- Consent: When transfers are based upon consent of the data subject, the consent must be explicit, specific for the particular data transfer, and informed, particularly as to the possible risks of the transfer. The EDPB notes that the data subject should be informed of the specific risks resulting from transfer to a country with inadequate protections.
- Necessary for the Performance of a Contract: This avenue is more limited than it would appear on its face. EDPB guidance notes that this derogation only permits “occasional” transfers, and that the transfer must be objectively necessary for the performance of the contract.
- Necessary for Important Reasons of Public Interest: The public interest must be recognized by EU or member state law and the data transfers should not take place on a “large scale and in a systematic manner.” It is important to note that a company cannot rely on a public interest recognized by U.S. law for a transfer under this derogation.
- Necessary for the Establishment, Exercise or Defense of Legal Claims: This derogation remains an important basis for transfers in connection with litigation or regulatory proceedings. The EDPB has noted that this could apply to data transfers for the purpose of formal pre-trial discovery procedures in civil litigation but would not justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.
As a general matter, the EDPB guidance emphasizes that “derogations as set out in Article 49 GDPR should not become ‘the rule’ in practice, but need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.”
What Does the Future Hold?
The prospects for swiftly crafting and implementing a replacement for Privacy Shield are slim, particularly when U.S. and European governments are consumed by other matters. And because Article 49 derogations are unlikely to adequately address large-scale data transfer needs, companies will find themselves evaluating the adequacy of their data transfer mechanism in light of the data protection laws of the country to which the data is being transferred and the prospect of that country seeking access to the transferred data. In the U.S., companies with a history of U.S. national security and law enforcement requests for data, particularly telecommunications and social media companies, may find themselves needing to take risk mitigation measures. Likewise, companies with a global presence will need to evaluate quickly the laws of the countries to which they are exporting data from the EU to determine whether adequate protections can be provided.
U.S. companies engaging in mergers and acquisitions or other commercial transactions involving EU entities or EU personal data will need to consider how to evaluate in due diligence information and documents that contain EU personal data, such as information about EU employees or customers. They will need to consider whether SCCs are still a valid basis for such transfer, or if they will need to view and analyze the data in the EU to avoid any data transfer issues.
The dominant feature of the post-Schrems II landscape will be uncertainty. There will likely be subsequent guidance from the EDPB and the European Commission, but the most significant development will be investigations and enforcement actions from individual DPAs, particularly the Irish Data Protection Commission. Companies should carefully monitor these issues and consider taking steps to limit their exposure to possible enforcement actions.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Lisa Monaco, an O’Melveny partner licensed to practice law in New York, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, Christian Peeters, an O’Melveny of counsel licensed to practice law in Germany and Belgium, and John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.