Schrems II and the Possibility of a Privacy Shield Successor: Will History Repeat Itself?

Last week started and ended with big announcements in the privacy world. At the end of the week, on August 14th, the regulations implementing the California Consumer Privacy Act of 2018 (CCPA) were finally declared final - more than 8 months after CCPA became effective and 45 days after the Attorney General was permitted to commence CCPA enforcement.

Now, businesses subject to CCPA at least know with what they must (try to) comply. The other big announcement at the beginning of last week – discussions for a successor to the EU-U.S. Privacy Shield framework - offered no finality but some hope for those U.S. businesses still reeling from the invalidation of the EU-U.S. Privacy Shield framework last month.

On July 16th, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, known as “Schrems II.”  Among other holdings, Schrems II invalidated the mechanism - known as the EU-U.S. Privacy Shield Framework - by which more than 5,000 U.S. businesses transfer personal data from the EU to the U.S.  Privacy Shield’s invalidation comes almost four years to the date after a joint EU-U.S. statement issued on July 12, 2016 announced its approval.

In Schrems II, the CJEU ruled that U.S. laws (including FISA Section 702) that enable U.S. government regulators to access for national security and surveillance purposes the personal data of non-U.S. persons do not adequately respect and protect the fundamental privacy rights of those individuals in the EU whose personal data are transferred to the U.S. In particular, the CJEU noted the lack of an effective judicial redress process in U.S. courts for those EU data subjects.

The other key holding in Schrems II related to the use of Standard Contractual Clauses (SCCs) for transfers of personal data out of the EU. (The SCCs are contractual provisions approved by EU regulators that provide a lawful mechanism to transfer personal data out of the EU when the ‘exporter’ of the personal data and the ‘importer’ of the personal data agree to comply with the terms of the SCCs.) The CJEU considered whether use of the SCCs adequately protects the fundamental privacy rights of those individuals in the EU whose personal data are transferred to a “third country” (i.e., a country outside the EEA not deemed “adequate” by EU regulators). The Schrems II judgment, as well as the FAQs published by the European Data Protection Board, indicate that all transfers of personal data out of the EU require case-by-case analysis to determine whether the SCCs by themselves adequately protect personal data or whether additional safeguards are required to ensure an essentially equivalent level of protection as the General Data Protection Regulation (GDPR) requires (see EDPB FAQ 5). Some supervisory authorities in EU Member States have taken an even more aggressive position, such as the Berlin Commissioner for Data Protection which stated in a press release that “Controllers who transfer personal data to the USA, especially when using cloud-based services, are now required to switch immediately to service providers based in the European Union or a country that can ensure an adequate level of data protection.”

Meanwhile, the U.S. Department of Commerce (the U.S. federal agency that administers the EU-U.S. Privacy Shield Framework) announced that enforcement of the EU-U.S. Privacy Shield will continue by stating that the Schrems II judgment “does not relieve participants in the EU-U.S. Privacy Shield Framework of their obligations under the EU-U.S. Privacy Shield Framework.” Note, too, that the Swiss-U.S. Privacy Shield Framework is unchanged by the Schrems II judgment.

After a flurry of statements from various EU regulators (more on that here), on August 10, 2020, officials from the U.S. and EU announced in a joint press release (25 days after the publication of Schrems II) discussions to evaluate the potential for a successor to the EU-U.S. Privacy Shield framework to comply with the Schrems II judgment.

For many, the Schrems II judgment is déjà vu all over again. On October 6, 2015, the CJEU invalidated Safe Harbor, the predecessor to Privacy Shield, in judgment in Case C-362/14, known now as “Schrems I.” In Schrems I, the CJEU invalidated Safe Harbor because U.S. law and practice did not ensure an adequate level of protection within the meaning of EU data protection law. The CJEU noted that U.S. law permitting U.S. public authorities to access on “a generalized basis to the content of electronic communications” which the CJEU viewed as “compromising the essence of the fundamental right to respect for private life” and further did not allow individuals to “pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data.” After ten months of negotiation, the EU-U.S. Privacy Shield became operational on August 1, 2016 to replace Safe Harbor and then ‘passed’ three annual reviews by the European Commission.

Will the timing that marked the end of Safe Harbor and the beginning of Privacy Shield serve as a guide for Privacy Shield’s successor? Will the “Brussels Effect” prevail with changes to U.S. laws that meet EU standards? Or, will EU-U.S. political tensions lead to a de-facto data localization requirement for EU personal data with respect to the U.S.? Time will tell. In the meantime, please check back for our new privacy resource page with FAQs, links, and other materials relating to Schrems II and other hot privacy topics. We welcome your feedback. If you have questions or suggestions, please send us an email.

Continue Reading