Do you transfer personal data from the EU to the US? Important Decision due July 16
Does your organization transfer personal data from the European Union to the US? If so, keep an eye out for a key decision on July 16 from the EU’s top court, the Court of Justice of the European Union. The Schrems II case presents a challenge to the validity of the Standard Contractual Clauses, EU Commission-approved contracts that are widely used to satisfy the GDPR’s requirements for exporting personal data from the EU to other countries. The questions raised by the case center around whether the US national intelligence agencies’ ability to require US entities (subject to various conditions) to turn over personal data of people who are in Europe fatally undercuts the Standard Contractual Clauses as a means of ensuring that European personal data is adequately protected when it is transferred to the US. The questions raised in Schrems II are also pertinent to the EU-US Privacy Shield program, which provides a popular alternative approach to data transfers for US organizations.
The Schrems II decision has been a long time coming. The Advocate General’s non-binding opinion (essentially, a detailed analysis and recommendation to the Court) was issued in December 2019. The roughly seven month delay between the Advocate General’s opinion and the Court’s decision is somewhat unusual and may indicate that the Court has found it difficult to reach agreement on the decision. (But given the pandemic, it is also possible that the delay was logistical in nature.)
The Advocate General’s lengthy opinion makes it clear that this is a highly complex case. It is difficult to predict the final outcome. The AG has recommended that the Court confine its decision to the Standard Contractual Clauses and decide that the Standard Contractual Clauses are not invalid on their face – effectively kicking a specific determination back to the Irish data protection authority and Irish courts. However, the Court could go much farther in its decision, and the AG’s detailed analysis of US national security programs and Privacy Shield raises serious questions about virtually all transfers of European personal data to the US. (Recall that it was the Court of Justice of the European Union that invalidated Privacy Shield’s predecessor, Safe Harbor back in 2015, with no grace period for the thousands of companies that relied on Safe Harbor.)
There’s also the added complexity that a handful of cases attacking the surveillance laws and practices of a few EU Member States remain pending before the court. The Advocate General’s opinion in these linked pending cases seeks to rein in Member States’ national security programs, notwithstanding that the European Union treaties at least nominally reserve national security to the Member States’ individual governments. The attack on the Standard Contractual Clauses and Privacy Shield is arguably part of a broader effort to change the balance that a number of Western democracies have struck between privacy rights and national security interests.
What will happen if the Court invalidates the Standard Contractual Clauses as a basis for transferring personal data to the US (or, albeit unlikely, globally)? Some US organizations, of course, can shift over to Privacy Shield if the Standard Contractual Clauses are struck down. However, many organizations, including banks and universities, are not eligible for Privacy Shield because they are not subject to the jurisdiction of the Federal Trade Commission or Department of Transportation. Another mechanism provided under the GDPR, Binding Corporate Rules, work only in limited circumstances and are expensive and time-consuming to put in place. Finally, the GDPR offers some exceptions (known as derogations) to the data transfer restrictions, but the European Data Protection Board has issued guidance that makes it very clear that these derogations will be interpreted very narrowly. Given the very limited slate of data transfer options available to US companies under the GDPR, we can only wait and see what the Court decides – and deal with the fallout from there.
Schrems II: C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems