On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a highly anticipated ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). The case centers on the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) – both of which are methods widely used by U.S. businesses to comply with the EU’s laws regarding the transfer of personal data to countries outside the EU. In considering the effectiveness of data protection in cross-border data transfers, the decision dealt a decisive blow to U.S. companies that rely on the Privacy Shield, by invalidating that mechanism. The Court upheld the validity of SCCs, but created new obligations for organizations across the globe that engage in data transfers with the EU.
In the Beginning: Schrems’ Complaint Against Facebook
The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data to non-EU countries that do not provide an adequate level of protection for personal data under applicable national law. Data exporters, therefore, must identify and use transmission methods that are compliant with GDPR. Two of these methods for U.S. companies are SCCs and Privacy Shield.
Max Schrems, an Austrian privacy advocate, filed a complaint against Facebook, the American social media company, with the Data Protection Commissioner (DPC) in Ireland, where Facebook is incorporated. The complaint challenged Facebook’s use of data transfers from Irish servers to those in the United States. Schrems maintained that U.S. laws do not sufficiently protect the data privacy of EU consumers, arguing that the EU data is at risk of being accessed and processed by the U.S. government once transferred. Schrems also alleged that there is no legal remedy that ensures protection of EU data once it transfers to the U.S.
The DPC brought proceedings against Facebook in the Irish High Court, which, in turn, referred questions to the CJEU for a preliminary ruling, including questions regarding the validity of the EU-U.S. Privacy Shield and SCCs.
While the original complaint was filed against Facebook, the outcome of the Schrems II decision affects businesses throughout the world.
The focus of the CJEU’s decision in Schrems II is whether the data transfer mechanisms used to establish “adequate protection” of personal data transferred from EU data exporters were successful. The decision considered two major mechanisms: the EU-U.S. Privacy Shield, which the CJEU found to be invalid, and SCCs, which were upheld, but face major hurdles.
In October 2015, the CJEU in Schrems v. Data Protection Commissioner (Schrems I) invalidated the agreement between the EU and the U.S. for commercial data transfers, which was known as the “Safe Harbor” arrangement. In Schrems I, the Court found that the Safe Harbor arrangement was inadequate in protecting data privacy for EU consumers. In February 2016, a political agreement known as the EU-U.S. “Privacy Shield” was jointly proposed by the European Commission and the Obama Administration. The Privacy Shield agreement was created to replace Safe Harbor and to serve as the basis for the European Commission’s decision that the U.S. has an adequate system regarding data protection, government surveillance, and consumer privacy. Privacy Shield allows for the transfer of personal data from the EU to U.S. companies who self-certify compliance with certain privacy standards.
The CJEU found that because U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the Court found that the level of protection afforded to EU users does not meet the level of privacy protection guaranteed in the EU by the GDPR.
The Court found that U.S. laws do not account for the principles of proportionality and do not limit data collection to that which is necessary. Furthermore, the Court found, EU users do not have actionable rights before U.S. courts. Although the U.S. initiated an “ombudsperson” program as an additional way for all EU data subjects to address the transfer of their data from the EU, the CJEU rejected the argument that the ombudsperson program satisfies the GDPR right to judicial protection. The court found that the program does not provide EU users with a cause of action substantially equivalent to those offered by European law and that the ombudsperson “cannot be regarded as a tribunal.”
With the invalidation of the Privacy Shield, over 5300 U.S.-based companies who rely on the Privacy Shield for compliance are no longer permitted to transfer personal data from organizations located in the EU.
Standard Contractual Clauses
SCCs are sets of template contract clauses, approved by the European Commission, which are agreed to by the data exporter and data importer. SCCs require certain commitments from the parties, meant to protect the privacy rights of those whose data are transferred.
The CJEU found that the SCCs for the transfer of personal data remain valid. However, the Court added a step, finding that before transmission may occur, there must be an assessment of the context of each transfer. This includes evaluating: the laws of the country where the recipient is based; the nature of the data being transferred; the privacy risks to the data; and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection under EU law.
The Court also found that the data importer must inform the exporter of any inability to comply with the standard data protection clauses.
Implications of the Decision
The effects of the Schrems II decision will be far-reaching and, in the short term, the ruling stands to significantly disrupt EU-U.S. personal data transfers and the businesses that rely on them. Companies that rely on the Privacy Shield need to identify an alternative data transfer mechanism, like SCCs, to continue business as usual. Although a grace period for enforcement may be granted, the need for such organizations to implement alternative mechanisms is urgent. The GDPR allows for fines in the amount of 4% of a company’s global revenue. While these fines have not yet been imposed as a sanction, companies face considerable risk if they fail to address the Schrems II decision.
It is important to remember that SCCs remain valid, although the companies that rely on them face a higher burden of assuring there is an “adequate level of protection” for personal data as required by EU law. These organizations will have to monitor the relevant policies of various countries’ legal systems in order to comply with the ruling regarding SCCs and, if necessary, suspend data transfers.
Although Schrems II struck a blow to one data privacy compliance mechanism, the U.S. and the EU have a proven history of working together to resolve data protection issues. As with the invalidation of the Safe Harbor agreement in 2015, both the U.S. and EU have a strong interest in finding a successor agreement to Privacy Shield. Whether the CJEU objections to Privacy Shield protection for data protection for EU users can be sufficiently addressed remains to be seen.
Clients prize John’s wealth of creative ideas for growing and protecting their businesses. Naturally outgoing, he has developed an extensive network of contacts that benefit clients as he advances their interests. John works ...
- Senior Attorney
Carey Kulp, CIPP/US, helps clients protect one of their most valuable assets: their brands.
Drawing on more than 10 years’ experience in intellectual property law, Carey counsels her clients on strategies to identify and develop ...
- As the Machine Learns- Continuing Artificial Intelligence IP and Privacy Considerations
- How to Assist Clients in Selecting a Trademark
- Improving Medical Device Patents Through Better Communication between USPTO and FDA
- USPTO Pilot Program Evaluates Deferring 101 Rejection Responses to Improve Examination Efficiency
- Sellers Beware: 'Junker' Reminds Businesses to Keep an Eye on Commercial Activity
- Intellectual Property Rights in Russia May Erode Due to Changes to Russian Trademark Rules
- Taking Advantage of the Interface Between Trade Secrets and Patents
- “Game-Changing” Cybersecurity Legislation Signed Into Law
- USPTO Getting Faster: How to Control the Pace of Patent Prosecution in a More Efficient Patent System
- Artificial Intelligence and Patents
- August 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- June 2019
- April 2019
- February 2019
- January 2019
- October 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- August 2017
- July 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017