News sources reported this month that the Irish data protection authority (DPA) had sent Facebook a preliminary order that would prohibit the transfer of information about European Union (EU) residents to US Facebook users. Facebook will appeal the order. This may be only the beginning of a cascade of orders that threaten to interrupt social media and other forms of internet-based commerce between Europe and the US. How did this happen?
These events can be traced to May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA), which includes the EU, Iceland, Liechtenstein, and Norway. In addition to regulating data protection and privacy within those areas, it also regulates the export of personal data to any country outside the EEA. The regulation applies, for example, if personal data about someone in the EEA is transferred to a service provider outside the EEA.
Chapter V of the GDPR prohibits such transfers of personal data unless the European Commission has determined that the data protection regulations of the third country are adequate, or unless the transfer falls under a national exception to the rules (a so-called derogation), or unless appropriate measures are in place safeguarding the personal data. Examples of such appropriate measures are Binding Corporate Rules, designed for internal transfers within multinational organizations, and Standard Contractual Clauses (SCCs). SCCs, issued by the European Commission, allow companies to transfer data outside of an organization.
The European Commission has issued adequacy decisions making it easy to transfer personal data to a limited number of countries, but no such decision applies to the United States. The EU-US Privacy Shield was designed to give an alternative mechanism to companies to comply with the GDPR when transferring personal data from the EEA to the US.
The Privacy Shield was instituted in rapid response to the success of Max Schrems, an Austrian, in challenging a predecessor arrangement, the EU-US Safe Harbor Framework. Acting on Mr. Schrems’s complaint filed in Ireland, the Court of Justice of the European Union held the Safe Harbor to be invalid in light of the expansive powers of US intelligence services and the lack of recourse for EU residents in the event of compromises of their personal information in the US.
On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in its Schrems II decision. Once again, the Court was concerned about US government access to personal data of Europeans. While the GDPR allows strictly necessary governmental surveillance under its principle of proportionality, the Court could not conclude that the US government follows this principle.
Specifically, the Court found that section 702 of the Foreign Intelligence Surveillance Act (FISA), Presidential Policy Directive 28, and Executive Order 12333 allow the US government to conduct more extensive surveillance than strictly necessary. The Court also criticized US surveillance programs for denying Europeans actionable rights against US authorities. For these reasons, the Court found that the Privacy Shield violated the GDPR and was therefore invalid.
In addition to invalidating the Privacy Shield framework, Schrems II also imposed enhanced requirements on SCCs. While the Court did not go as far as declaring SCCs invalid, it emphasized that the clauses must ensure compliance with a level of data protection essentially equivalent to what is required by EU law. In particular, the SCCs must require suspending or prohibiting the transfer of personal data in the event of a breach of such clause, or of the impossibility of complying with them. The Court pointed out that a data importer is required to inform a data exporter of any inability to comply with the SCCs and, in consequence, to suspend the data transfer or to terminate the contract with the data exporter.
The invalidation poses a serious challenge to Facebook and over 5,000 other US companies and their EU counterparties that were relying on the Privacy Shield to support data exports to the US. The European Data Protection Board (EDPB) has said no grace period applies during which a company could continue to rely on the Privacy Shield.
With the Privacy Shield gone, SCCs now appear to be the only basis left for transfers between unrelated companies. However, the EDPB has said that companies now using SCCs instead of the Privacy Shield to support data transfers from the EU to the US must conduct a case-by-case risk assessment of contemplated data transfers, taking into account the circumstances of the transfers and any supplementary measures that a company could put in place. The EDPB is silent on how to achieve that.
On August 24, one of the 17 German DPAs, the DPA for the state of Baden-Wuerttemberg, issued more detailed guidance. With regard to data transfers to the US, the following points from this guidance are noteworthy:
In short, the Privacy Shield is dead, leaving SCCs as the principal basis for transatlantic data flows that include personal information, and even the SCCs are open to question. Thus, US companies receiving personal data from the EU on the basis of SCCs should expect to be asked for further assurances regarding the security of the data that they receive. Here are some steps to consider:
It is time for the European Commission to update the SCCs to ensure compliance with the GDPR, but it is likely that any such update will require more due diligence and ongoing monitoring on the part of EU companies dealing with US counterparties.