The CJEU disrupts International Data Transfers, Again

The Court of Justice of the European Union (“ECJ”) released its much anticipated decision on July 16, 2020 regarding the transfer of personal data from the European Union (“EU”) to the United States (“US”). The full decision can be found here; and the ECJ press release can be located here

The two main holdings of the case related to the EU-US Privacy Shield and the Standard Contractual Clauses (“SCCs”), two primary forms of transferring personal data from the EU to the US under the General Data Protection Regulation (“GDPR”). First, the ECJ held that the EU-US Privacy Shield is an invalid mechanism to transfer personal data from the EU to the US. Second, that SCCs are valid mechanisms for personal data transfer. 

EU-US Privacy Shield Decision

In holding the EU-US Privacy Shield an invalid mechanism for the transfer of personal data, the ECJ relied on  two primary reasons:

  1. U.S. surveillance law does not provide the necessary safeguards required to meet EU data protection principles concerning proportionality (e.g., collection is not limited to what is necessary, no limitations with respect to non-U.S. persons). 
  2. The Privacy Shield did not provide European data subjects with a meaningful remedy before a judicial body that can offer the necessary guarantees for data privacy that are  substantially equivalent to those under EU law.

In essence, the ECJ decision is eerily similar to its prior decision on the US-EU Safe Harbor Framework, which was held invalid in 2015 (Shrems I). The crux of the issue for the ECJ: the ability of US law enforcement to gain access to personal data under the current legal framework. This on-going tension between the US and the EU only appears to continue to grow and cause challenges in the effective management of international data transfers between two very influential regions. 

Standard Contractual Clauses Decision

Relevant to the SCCs, the ECJ held that the controller to processor SCCs (which were at issue in this case) were valid. Mainly, the ECJ relied on the Recital 109 of the GDPR which provides for the use of “other clauses and additional safeguards” in situations where the SCCs cannot ensure protection (i.e., law enforcement access to personal data, etc.). The specific measures that would meet the requirements of the GDPR were not provided. But, controllers do appear to have an affirmative  obligation to ensure that the use of the SCCs meet both the letter and the spirit of EU fundamental rights and data protection principles. 

Even though the SCCs for controller to controller data transfers was not explicitly at issue in Shrems II, we anticipate that the ECJ’s decision will apply to all data transfers conducted by way of the SCCs. 

What do you need to do TODAY?

First, companies can no longer rely on the EU-US Privacy Shield as a mechanism to transfer personal data from the EU to the US. If you were relying on the EU-US Privacy Shield, and only the Privacy Shield, then you should take immediate action to determine: (1) whether you can continue to transfer data from the EU to the US; and (2) what is the best mechanism for continuing such transfers under Chapter V of the GDPR. Basically, it is time to brush off your Plan B for international data transfers. 

Second, communicate with all of your clients and your processors to ensure that each of those entities are prepared to address any changes required by this decision. Does your vendor rely on the EU-US Privacy Shield? If yes, then YOU (presumably as a controller or up-stream data processor) likely have an obligation to ensure that the vendor implements a valid international data transfer mechanism immediately. 

Third, be aware that while the ECJ decision is the last word from the judicial branch on this issue, the legislatures and the Data Protection Authorities will be weighing in on such an influential decision. The European Data Protection Supervisor (“EDPS”) already applauded the ECJ’s decision, recognizing that it affirmed the many criticisms that it has stated over the years regarding the EU-US Privacy Shield. The European Data Protection Board (“EDPB”) also welcomed the ECJ’s decision, but already is pointing to collaboration to develop a

“complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment.”

In short, if your organization is under the false impression that the ECJ decision will not be upheld and you can wait to address your organization’s data transfer mechanisms, think again. 

In U.S. Secretary of Commerce Wilbur Ross’ Statement on the decision, he stated that the US was “disappointed” in the decision, but reiterated that the US,

“will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”

In essence, you should take a step back and ask yourself the following questions:

  • Where does my company store its personal data? 
  • Does that personal data “cross” international lines? 
  • When I’m transferring personal data internationally, how do I comply with the GDPR, and any other impacted data protection regulation? 

International data transfers are challenging: technology, and by extension data, does not operate within boundaries. Data flows through the internet to numerous servers, devices, users, etc, sometimes located all over the world. But, the law does have boundaries, and those boundaries place requirements on that data, and increasingly those requirements flow with the data. 

Now is the time to step back and assess your data flows, and your strategy to mitigate risk. Start with a data mapping and categorization exercise. Work with your team, under the guidance of knowledgeable resources, to understand the legal implications of your data, and where it is flowing. And, remember, luck favors the prepared, so start today!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.