Key takeaways: Schrems II reaction
The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if SCCs are utilised as the transfer mechanism of choice. OneTrust DataGuidance hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.
William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
"I think today is an auspicious day for all of us. I have to say that I feel a bit of deja-vu, in the sense of 'Have we not been here before?' I do remember back in October 2015 being in a similar position when the CJEU invalidated the Safe Harbor Framework and being on a similar webinar to this with the late Giovanni Buttarelli, the former European Data Protection Supervisor, when we discussed the invalidation of Safe Harbor - and here we are again. I do think, though, things are different, mainly because we live, in a way, in an even more dependent global environment in terms of our dependency on our data and international commerce. But also I think because of what the CJEU has said about SCCs. I think this is an important decision, people do need to take time to review and understand its consequences, but it's important not to panic - we will work through any issues, and I'm sure there will be a lot of discussions with data protection authorities to get their views and considerations."
Caroline Louveaux - Chief Privacy Officer, Mastercard
"I thought never a dull day in the privacy community! Mastercard is obviously a global company and cross-border data transfers are really core to our business model, because if you think about it: every time that you travel and you want to use your Mastercard card, your data is sent back and forth between the merchant, the bank and Mastercard. So we have been exploring a multitude of data transfer mechanisms over the last couple of years. We started with Safe Harbor then we moved on to SCCs back in 2015 like a lot of other companies, but then today we have Binding Corporate Rules ('BCRs') for the majority of our activities as a controller and processor, so I have never been as happy as today that we went for BCRs. We are obviously relying on SCCs for onward transfers to our service providers - we are not relying on the Privacy Shield - but we have an interest in the whole conversation. I only have questions right now as a result of the CJEU judgment. The key questions and concerns that I have in my mind are:
- Firstly, the pragmatic approach: how are we as companies supposed to assess whether a country offers adequate protection? That seems to be an unreasonable request on companies.
- Secondly, I'm not even sure data protection authorities are able to do so, and this brings a risk of fragmentation and legal uncertainty, and the confusion is not going to be good for anyone.
- Another concern that I have is litigation. I think we can expect more litigation from consumers on this topic, so we have to be ready to have documentation in place in order to demonstrate that we have adequate safeguards in place.
- Last but not least, this sounds more like we're getting closer to data localisation. The judgment is very complex and there are a lot of nuances here, and all of us will learn more as time goes on, but I think there is a possibility that some companies will just decide to store all data in Europe, indirectly localising data. This may trigger other unintended consequences in other countries, which may take a similar position."
Lee Parker - Director Data Privacy EU+, Biogen
"My initial reactions were that I had a lot of questions and not necessarily so many answers. One of my first thoughts was that this wasn't a surprise. It's less than 5 years since Safe Harbor was invalidated; I remember reading that judgment and the key points noted were around disproportionate processing by US authorities and a lack of recourse for EU citizens. Looking at the launch of the Privacy Shield, I always felt these points weren't properly addressed, and so I feel the Privacy Shield has been a moving target and that it was only a matter of time before these questions were re-examined. I think the CJEU therefore took this as an opportunity to review and invalidate Privacy Shield in a case where it wasn't directly asked about this, if we consider that the main questions referred to it were actually on SCCs.
As a result, I don't think it's a good look for either the US authorities or the European Commission, the latter of which has carried out three annual reviews of the Privacy Shield, giving it a clean bill of health. To have the highest court in Europe quite openly disagreeing with another EU organ is quite confusing I think for businesses and for citizens.
In addition, I have questions around whether there will be a moratorium similar to the one after the invalidation of Safe Harbor. What do we do at the moment in those organisations that do rely on Privacy Shield? I am pleased that at Biogen we don't rely on Privacy Shield for the reasons I outlined. I will be interested to see the statements of the European Data Protection Board and the Irish Data Protection Commission. There are also a lot of questions around when the proposed new SCCs will be released, and whether they will address these points."
Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
"From my perspective, and for those who are visual thinkers, I have pictured the data transfers in Europe as three large bridges; one being BCRs, the second being the Privacy Shield, and the third being SCCs. I think what happened today was the legal equivalent of going in and sending structural engineers to look at two of those bridges and what we heard this morning was that the Privacy Shield bridge is no longer structurally sound, and the piece about the SCCs that is interesting is that the CJEU said the bridge itself is structurally sound but that there is now more of an obligation for the data controllers or 'exporters' who are sending personal data across the SCC 'bridge' to look at those transfers more closely. As an in-house practitioner, I always focus on what are my practical next steps and I have five that I have outlined that I plan to take as I look at this:
- My first step will be to engage the right experts - this is a technical opinion and it requires extensive knowledge of both the courts and the history of how the authorities look at this.
- The second piece I'll look at is assessing and consulting with my business about how we transfer data and we'll seek to leverage the extensive data maps we've created, and bring in experts from IT as well from legal and data governance, to bring our best mind to the table as we look to determine what the risks are and what changes are needed.
- The third step I will do, is take that recommendation to our leadership. This decision is significant enough to advise up the company and make sure that you have alignment throughout the organisation, as there are legal and strategic decisions to be made.
- The fourth key step that I recommend is to really document the basis for your decision. Often as companies, we give a lot of thought and care deeply about these decisions, but we are also working at the speed of light, and when you're in-house with a decision like this I think it's going to be really critical to document well so that the organisation has the benefit of this down the road.
- The fifth and final step is to develop your action plan, and depending on the risk profile of your organisation this may be very different. For example, if you already have BCRs, or perhaps if you do not carry out large volumes of transfers, this may be of minimal impact. However, if you do determine that this necessitates a different approach, e.g. localised data centres, this means that you need to make sure you have the right budget, resources and cross-functional teams in place."
Monica Tomczak - Chief Privacy Officer, Prosus
"I spent my morning in blissful ignorance with our AI team on a number of other things, and I wanted to expand that meeting for as long as possible, as I sensed trouble! But actually, when I left the meeting and I found out what the ruling was - it wasn't a big surprise. What made me think though, is talking with our AI team, what the impact of the ruling would be on the growth appetite of Europe in the digital world; all the work that is happening at the same time in the European Commission and Parliament related to AI and other spheres, and there seems to be a contradiction in terms of the appetite to develop European growth in the digital space, with these additional burdens on organisations related to data transfers. I'm a big fan of BCRs, but not every organisation is able to get those, and putting that onus on organisations to make those assessments when international data transfers are their lifeblood, is going to have an impact. There's a price tag to that, and the effort to have that assurance and legal certainty for something that should be taken for granted - I think that is going to be impactful.
I can also sympathise with the effort that the Irish Data Protection Commissioner will have to endeavour in terms of assessing and applying the decision. I don't think this is an easy task. And I also sympathise with US companies that have taken the effort and cost to certify with the Privacy Shield. I think it made a real difference and that effort is now gone. Even though, as European DPOs, we're always quite sceptical about using Privacy Shield as the only transfer mechanism, I think we were also positive about the fact that US companies were eager to certify to enhance their programs."
Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
"As William highlighted - we need to keep calm and carry on. The relevant government bodies on both sides of the Atlantic are working together; they've already said in statements that they will work this out; there is just not going to be a stoppage of over $7 trillion of international trade between Europe and the United States.
The CJEU explains that this decision striking down Privacy Shield will not entail the creation of a legal vacuum because of the other remaining mechanisms available, for example SCCs and BCRs, the latter of which are referenced a number of times without any criticism. There's one additional mechanism to bear in mind and that is consent, which we need to look at further.
My first takeaway in reading the decision is similar to my reaction after Safe Harbor - which was: "Oh my gosh - we have different legal systems in the US and the EU." For example, the briefs that were submitted to the CJEU are secret and not public - that is remarkable and particularly significant. The Privacy Shield was not in the complaint as originally filed, and whilst it did come up in oral argument, I have it on good authority that there was no briefing on the Privacy Shield question. So if that's true, the CJEU struck it down on the basis of no briefing in this case. Another takeaway is that there is a fundamental disconnect between the EU courts and the US on national security surveillance. The CJEU has made a judgment that the US national security safeguards are not 'essentially equivalent'; the fact of the matter is that there is no attempt to compare the US laws and practices regarding national security surveillance with those of the EU. It has compared a very high-level understanding of essentially two provisions in US national security to an idealised version of the EU rights regarding national security; that's not realistic, and not fair. William and I, along with our colleagues, put out a report in 2016 where we specifically addressed what safeguards are in place in the two jurisdictions. We found that, not only were they essentially equivalent, the US has really compelling national security safeguards, and so in conducting these assessments that companies are now obligated to do, I'm certainly sympathetic as to how they are supposed to carry these out."