Key Takeaways: Is the US 'essentially equivalent' with Schrems II? Legal analysis
The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid and, whilst it upheld the use of Standard Contractual Clauses ('SCCs'), it also clarified the appropriate safeguards that must be maintained for personal data where SCCs are relied upon. In this webinar, produced with Sidley Austin LLP, expert speakers from both Europe and the US consider the business impact of the decision, analyse the legal fallout, and review how the decision has been responded to in the weeks following its publication.
Immediate and global impact
There is no grace period following the CJEU decision: any transfer of data from the EU to the US made under the EU-US Privacy Shield after 16 July 2020 is unlawful. The European Data Protection Board ('EDPB') has emphasised that the responsibility for assessing the laws of the third country, and whether they allow appropriate safeguards to be ensured, lies with both the exporter and the importer of the data. Furthermore, these requirements apply across all transfer mechanisms, including, for example, binding corporate rules ('BCR'), and to all cross-border transfers, not just transfers to the US. An ongoing concern is increased data localisation, for example through locally based cloud operators; however, it is unclear whether bringing processing 'onshore' will in itself provide the adequate level of protection required, since a local provider may still be subject to foreign access requests.
Businesses have expressed disappointment in the decision, particularly those in sectors where requests for personal data from US surveillance authorities have been minimal or non-existent, and have raised questions about the role of measures such as pseudonymisation and BCR. It is expected that BCR may be approved less frequently, as the CJEU has placed the onus for appropriate safeguards on organisations whereas the BCR process depends on supervisory authority involvement, and that automated tools for assisting transfer assessments may be sought more often. BCR may nevertheless remain the most useful mechanism for employee data transfers, particularly because of the restrictions in the EU on relying on consent obtained from employees.
Key recommended organisational steps:
- Actively monitor the situation - what the data protection authorities of each jurisdiction are saying in comparison with each other, EU-US negotiations for any successor to Privacy Shield, and the potential new SCCs;
- Conduct a data transfer analysis - identify the GDPR transfer mechanisms in place and review the specifics of the SCCs that have been agreed; and
- Carry out an 'essentially equivalent' assessment - are additional safeguards required, what surveillance or similar laws are in place, and how can the SCCs be supplemented if they need to be.
Assessments and supplementing SCC
According to the EDPB, if an assessment, taking into account the transfer mechanism, the laws of the third country, and any supplementary measures, concludes that appropriate safeguards cannot be ensured, the data transfer must be suspended. If the exporter nevertheless continues the transfer, it must notify the relevant supervisory authority. Assessments are expected to be carried out on a case-by-case basis, per transfer and per recipient country.
The CJEU decision indicates that SCCs in and of themselves cannot guarantee an adequate level of protection and that supplementary measures may be required in order to provide appropriate safeguards. However, the specific measures that may be used, or are expected to be used, have yet to be clarified. In general, though, technical and organisational measures could include, among other things, encryption, pseudonymisation, documentation of data disclosures, or customer-facing materials, proportionate to the risk involved in the transfer.
The central ongoing questions are what supplementary measures should or could be used, the scope of additional safeguards that an organisation can reasonably be expected to implement, and in exactly which contexts these supplementary measures will be required.
What now for US-EU?
The CJEU provided a relatively limited interpretation of US law and did not address all of the potential oversight mechanisms within US law or all of the potentially applicable US privacy legislation. Although a US federal privacy law may be considered beneficial, it would not in and of itself necessarily address the fundamental concern raised by the CJEU, which relates to government surveillance rather than commercial data handling.
Key questions that shape the road towards a revised version of Privacy Shield:
- Legal - is there legal room for a new version of Privacy Shield following the decision? Will US laws need to change, and if so how?
- Political - is there a political path forward? What impact will the US election have?
- Business - will businesses take on any new mechanism? Following both the invalidation of Safe Harbor and Privacy Shield, will industries be open to a new mechanism?
In the short term, organisations are seeking clarification from data protection authorities, ideally in the form of a clear roadmap and a collaborative approach that details how data transfers may continue.
How OneTrust DataGuidance helps
OneTrust DataGuidance™ is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
As part of its Data Transfer Portal, OneTrust DataGuidance provides detailed information and resources regarding the Schrems II decision. OneTrust DataGuidance's What You Need To Know resource page is updated continuously to reflect the latest changes and reactions to the decision.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.