International: Privacy earthquake - GDPR compliance for US companies post-Schrems II
The judgment of the Court of Justice of the European Union ('CJEU') in Data Protection Commission v. Facebook Ireland, Maximillian Schrems (Case C-311/18) ('the Schrems II Case') has had an impact of seismic proportions on data transfers worldwide, creating a complex new compliance matrix for businesses in the process. David S. Greber, Principal at Offit Kurman, P.A., breaks down this key decision and how it came to be, before offering some practical steps that US companies can take to adapt to this new reality.
Every US business that uses personal data of European data subjects would do well to immediately revisit its strategy for complying with European privacy law.
On 16 July 2020, the CJEU in Schrems II invalidated one of the primary legal grounds for importing European data into the US, leaving the viability of the other two primary methods in some doubt. Here is what happened and some thoughts on what US businesses should consider doing about it.
Pre-Schrems II basis for transfer of personal data to the US
The EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is one of several laws, charters, conventions, directives, and regulations that protect the privacy of European data subjects. In Europe, privacy is considered a fundamental human right. In general, Chapter V of the GDPR only allows transfers of European personal data outside the EU to countries determined by the European Commission ('the Commission') to provide adequate legal protection 'to ensure that the level of protection of natural persons guaranteed by . . . [the GDPR] is not undermined.' (GDPR Article 44).
Before Schrems II, one or more of three mechanisms approved by the Commission were usually used by US businesses to meet the requirements of Chapter V (under appropriate circumstances):
- The EU-US Privacy Shield ('the Privacy Shield'): In 2016, the Commission determined[1] that the Privacy Shield, a program established by the U.S. Department of Commerce, would, together with other safeguards present in the American legal system, provide adequate safeguards to guarantee EU data subjects privacy protections, judicial remedies, and access to independent judicial review that were essentially equivalent[2] to what was then provided to them under EU law[3]. US businesses participating in the program would be permitted to import EU personal data into the US.
- Standard Contractual Clauses ('SCC'): US businesses could receive EU personal data under approved contract terms through which the US businesses would agree, among other things and in essence, to handle the EU data in a manner consistent with the rights and protections afforded the data subject under the GDPR. If US legislation is likely to have a substantial adverse effect on the warranties and obligations provided in the SCC, then the SCC and the GDPR require the suspension or termination of data transfer (unless another lawful basis of personal data export can be found).
- Binding Corporate Rules ('BCRs'): US businesses that have affiliated companies, some of which are established in the EU and some of which are not, may transfer data between those companies if the companies transferring and receiving the data adopt these approved internal data protection policies. The BCRs must:
- include all EU general data protection principles and enforceable rights to ensure appropriate safeguards for the EU personal data transfers;
- contain the elements required by GDPR Article 47.2;
- be approved by the appropriate EU supervisory authority;
- be legally binding on the companies;
- expressly confer rights on the data subjects to enforce the BCRs by complaint to the competent supervisory authority and to the courts; and
- include a mechanism for reporting to the competent supervisory authority any legal requirements to which a member of the group of businesses is subject in a third country that are likely to have a substantial adverse effect on the guarantees provided by the BCRs.
If the third country (e.g. the US) has laws that make it impossible to fulfil the privacy protection promises made in the BCRs, then BCRs cannot be used as a basis for transfer of EU personal data to the US.
Background to Schrems II
Schrems II represents the second difficult judicial round in the Commission's efforts to construct a viable adequacy determination that would allow the transfer of EU personal data to the US. The comparatively weak protections of personal data privacy in the US and US government surveillance programs make this a challenge. So has the determined opposition of EU data subject Maximillian Schrems. Schrems has complained twice that the Commission's adequacy determinations concerning transfers of personal data to the US violate European privacy law. The CJEU has agreed with Schrems both times.
Both of the complaints were made initially to the Irish Data Protection Commissioner ('DPC') about the transfer of Schrems' Facebook data from Facebook Ireland Limited to Facebook, Inc. in the US.
In Schrems I[4], Facebook had transferred personal data in reliance on the Commission's 15-year-old 'Safe Harbour Decision[5],' in which the Commission had determined that US privacy protections under the U.S. Department of Commerce's 'Safe Harbour' program - the predecessor to the Privacy Shield - were adequate for the purpose of allowing EU personal data to be transferred to the US. Following the disclosure in June 2013 by former U.S. National Security Agency contractor Edward Snowden of U.S. surveillance activities, Schrems complained to the DPC that his Facebook data transferred to the US would be exposed to these surveillance activities, which could not be legitimised by the Safe Harbour Decision. Although the DPC refused to investigate, the Irish High Court and the CJEU essentially agreed with Schrems, resulting in the CJEU's invalidation of the Commission's Safe Harbour Decision. Front and centre in the CJEU's Schrems I decision were concerns that US government surveillance activities endangered the privacy rights of EU data subjects whose data were transferred to the US.
After Schrems I, several important events occurred in fairly quick succession, which contribute to the belief that SCC and BCR are not far behind the Privacy Shield in being rendered useless to US businesses (although still technically valid under European law):
- 6 October 2015: Schrems I decided by the CJEU.
- 20 October 2015: Irish High Court quashes the DPC's refusal to investigate the Schrems complaint and remits the complaint to the DPC for investigation. The DPC then immediately opened a Schrems investigation.
- 1 November 2015: Facebook is notified of the DPC investigation. Facebook subsequently justified its continued transfer of data after Schrems I based on the use of SCC in an agreement between Facebook Ireland Limited and Facebook, Inc.
- 1 December 2015: At the invitation of the DPC, Schrems submits a revised complaint, requesting that the DPC suspend Facebook Ireland's transfer of data to the US.
- 24 May 2016: The DPC issues a draft decision in the Schrems II matter, tentatively finding Facebook's data transfer unlawful based on the threat to EU data privacy posed by US government surveillance activity. The DPC stated that the SCC Decision should arguably be held invalid in light of these considerations. The DPC also announced her immediate referral of the Schrems case to the Irish High Court to determine the validity of SCC as a basis for transfer of EU personal data to the US. The DPC considered the draft Privacy Shield Decision circulated by the Commission in forming her opinion in her draft decision.
- 12 July 2016: The Commission issued its new adequacy determination in its Privacy Shield Decision.
- 16 December 2016: The Commission amended its SCC Decision in light of the holding in Schrems I.
- 3 October 2017: The Irish High Court issued a 153-page decision tending to agree with the positions of the DPC in her draft decision and referring 11 questions to the CJEU for decision, including whether the SCC Decision remains valid.
The arguments of Maximillian Schrems, and the findings of the DPC and the Irish High Court, are at least implicitly founded on their convictions that the dangers posed by US surveillance activity are pervasive and cannot be adequately mitigated to conform to EU privacy standards in the current US legal environment. Not by Privacy Shield, nor by SCC, nor by BCRs. For example, in her draft decision in Schrems II, the DPC said[6]:
It is also my view that the safeguards purportedly constituted by the standard contract clauses set out in the Annexes to the SCC Decisions do not address the CJEU's objections concerning the absence of an effective remedy compatible with the requirements of Article 47 of the Charter, as outlined in Schrems. Nor could they. On their terms, the standard contract clauses in question do no more than establish a right in contract, in favour of data subjects, to a remedy against either or both of the data exporter and importer. Importantly for current purposes, there is no question but that the SCC Decisions are not binding on any US government agency or other US public body; nor do they purport to be so binding. It follows that they make no provision whatsoever for a right in favour of data subjects to access an effective remedy in the event that their data is (or may be) the subject of interference by a US public authority, whether acting on national security grounds, or otherwise.
It is not obvious how supplemental measures by the data controller and the data processor could cure these problems.
Similarly, in referring the case to the CJEU, Justice Costello of the High Court Commercial of Ireland said[7]:
[I]t is arguable that the limitations on the exercise of the right to an effective remedy before an independent tribunal, as required by Article 47, for EU citizens whose data privacy rights are infringed by the intelligence agencies are not proportionate or necessary or needed to protect the rights and freedoms of others. Neither the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States.
US federal statutory reform may be required to address these concerns satisfactorily.
The CJEU's decision in Schrems II
Following are the CJEU holdings in Schrems II and some of the implications of the holdings:
The Privacy Shield Decision is invalid[8]
The implications of this are that, under the GDPR, businesses that relied on the Privacy Shield Decision as the legal basis for transfer of EU personal data into the US must either stop the transfers immediately or find another lawful basis for the transfer. If transfer continues or resumes after suspension, the data controller may have to notify the applicable supervisory authority of the continued transfer. The supervisory authority might conduct an audit to determine whether the proposed transfer should be suspended or prohibited in order to ensure an adequate level of protection[9].
Although SCC remain valid[10], they are not necessarily sufficient to transfer personal data to a third country
This is particularly the case "where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates."[11]
The decision affirms the obligations of the controller and processor to address the problem. The CJEU ruled that, under Article 46(1) of the GDPR, controllers and processors must "compensate for the lack of data protection in a third country" in order to "ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union."[12] The level of protection must take into account not only the SCC but also "the relevant aspects of the legal system of the third country" set out in a non-exhaustive manner in Article 45(2) of the GDPR[13]. In this vein, the CJEU highlighted that "controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses."[14] Whether the supplemental protections will be sufficient to provide the level of protection required by EU law must be assessed on a case-by-case basis[15].
The implication of all this is that when it comes to proving adequate protections under the GDPR, controllers and processors who transfer EU personal data to the US face a difficult problem, as they cannot themselves change US surveillance laws or practices that could compromise the rights of EU data subjects to privacy protections. In light of the DPC's past statements, it is not obvious what supplemental measures could be taken by controllers and processors that would convince the DPC that EU personal data transfers to the US comply with the GDPR.
Inadequate protections compel supervisory authorities to suspend or prohibit data transfers
EU supervisory authorities, including the Irish DPC, are obligated to suspend data transfer to a third country pursuant to SCC "if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation [the GDPR] and by the Charter of Fundamental Rights, cannot be ensured by other means . . . ."[16]
The upshot of this is that the Irish DPC and other competent supervisory authorities in the EU are likely to have reasonable grounds to suspend or prohibit transfers of personal data from the EU to the US, if such transfers are justified based solely on the Privacy Shield Decision, or if they are based on SCC without supplemental measures that address the DPC's concerns. On 28 July 2020, the German Data Protection Conference ('DSK') issued a written statement outlining that all data transfers based on the EU-US Privacy Shield Decision must stop. Although BCRs were not addressed in the Schrems II decision, there is no persuasive reason why the systemic dangers that were referenced in invalidating the Privacy Shield Decision, and that challenge the usefulness of the SCC Decision, will not also make the BCRs of little value in justifying transfers of EU personal data to the US.
Steps US businesses should consider taking
While each US business that is required to comply with the GDPR has a unique set of circumstances and considerations, these potential action items are suggested for discussion:
- Deliberate and plan promptly: Call a meeting of the business' privacy and data protection decision makers to discuss the implications of Schrems II, including obligations to notify under existing SCC and reasonable supplemental measures that can be taken. Include knowledgeable attorneys in your discussion. Involve outside parties after the internal team has decided the game plan.
- Continue to comply with Privacy Shield obligations: Continue to comply with the Privacy Shield. If the business wants to terminate its participation in Privacy Shield, the formal requirements for termination should be considered.
- Consider hosting EU personal data in the EU: The hosting country could be chosen for its data protection and regulatory characteristics. The data might still be processed in the US in the meaning of GDPR Article 4(2), but it is worth evaluating whether the receipt, storage, and processing of EU personal data using EU servers would make the data less accessible to the US government under US law (and therefore better protected from a privacy perspective).
- Consider other grounds for import of EU personal data: Although the business should continue to abide by its SCC and BCRs, it should consider whether the dangers of US government surveillance recognised in Schrems II also represent a lack of legal protection of EU personal data in the US that renders SCC and BCRs legally unsupportable as a basis for EU data transfer. Discuss the possible use of GDPR Article 49 grounds for import of the data into the US. One such ground is 'explicit consent.' GDPR Article 49(1)(a) permits a transfer of EU personal data without an adequacy decision if 'the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.' The European Data Protection Board ('EDPB') has issued guidelines and requirements for the use of explicit consent, which should be followed carefully.
- Improve GDPR compliance in general: The invalidation of the Privacy Shield Decision may prompt EU supervisory authorities to audit the GDPR compliance of US businesses that import EU personal data into the US, starting with Privacy Shield participants. Improving the business' degree of GDPR compliance would appear to be a good risk mitigation decision. For example, the business should consider taking a hard look at the types of data it gathers from EU data subjects to determine whether it truly needs the data. Under the principle of data minimisation (GDPR Article 25(1)), it may be best for the business not to gather, for example, geolocation data or browser analytics data from EU data subjects if the gathering is not necessary to complete a contract with or fulfil the delivery of goods or services to EU customers.
Schrems II has seriously shaken the ground that supports GDPR compliance by US businesses. This would be a good time for US businesses to take stock of the damage and to attempt to reinforce the structure of their European privacy law compliance strategy.
David S. Greber Principal
Offit Kurman, P.A., Washington D.C.
1. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 ('the Privacy Shield Decision'), p. 32.
2. At the time the Commission was concerned about the privacy implications of US government interference with the rights of EU data subjects through US surveillance of European personal data under Section 702 of the Foreign Intelligence Surveillance Act ('FISA'), Presidential Policy Directive 28 ('PPD-28'), and Presidential Executive Order 12333. It resolved these concerns in part by allowing a U.S. 'Privacy Shield Ombudsperson' to serve as an intermediary and conduit for EU privacy complaints and by accepting certain assurances from the US government concerning its processing of EU personal data.
3. The decision was issued before the effective date of the GDPR. It continued in force under the GDPR until Schrems II. The EU privacy law that controlled at the time the decision was originally issued was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 ('the Directive').
4. Judgment of the Court of Justice of the European Union dated 6 October 2015, Data Protection Commission v. Facebook Ireland, Max Schrems (Case C-362/14) ('the Schrems I Case').
5. Commission Decision of 26 July 2000 (2000/520/EC) ('the Safe Harbour Decision').
6. Draft Decision of the Data Protection Commissioner of Ireland dated 24 May 2016, Mag. Maximillian Schrems v. Facebook Ireland Limited (Ref. 3/15/766), pp. 29-30, para. 61 (emphasis added).
7. Judgment of the High Court Commercial of Ireland dated 3 October 2017, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (2016 No. 4809 P.) (Ms. Justice Costello), p. 152, para. 334.
8. The Schrems II Case, p. 44, para. 5.
9. Ibid., p. 35, para. 145.
10. Ibid., p. 44, para. 4.
11. Ibid., p. 32, para. 126.
12. Ibid., p. 28, para. 95, citing GDPR Article 46(1) and Recital 108.
13. Ibid., p. 29, para. 104, citing GDPR Articles 45(2) and 46.
14. Ibid., p. 33, para. 132, citing GDPR Recital 109.
15. Ibid., p. 33, para. 134.
16. Ibid., p. 44, para. 3, citing GDPR Article 58(2)(f) and (g).