For those of us who pay attention to and care about these kinds of things, the Court of Justice of the European Union has issued a ruling today stating that the FTC’s Privacy Shield framework governing the transfer of personal data from Europe to the United States is no longer valid. This ruling is very similar to a ruling five years ago that undid the predecessor to the Privacy Shield framework, the Safe Harbor. The thinking in both of these decisions (nicknamed Schrems I and Schrems II after the plaintiff) is that, because surveillance is such a consistent part of American life, and because the government has such easy access to data from large companies and their affiliates, the likelihood that European personal data would be protected and/or only used in ways that were understood was fairly low. Privacy Shield and the Safe Harbor before it were all about trying to demonstrate, through a validated and enforceable framework, that American companies would give European personal data the same kind of protections and safeguards that it would receive in the European Union. Now this system is gone with the bang of a gavel in Luxembourg.
Is this a major decision with implications for data in the United States? Yes. Is it necessarily the end of the world for American companies that relied on Privacy Shield? No, not necessarily at all. The same Schrems II decision upheld the right of American companies (and companies anywhere else in the world) to certify that the data they were collecting and transferring outside of the European Union would be subject to the kind of safeguards present in the European Union. This mechanism, the so-called Standard Contractual Clauses, or SCCs for short, is effectively a mini Safe Harbor or junior Privacy Shield, in that it allows for the movement of data even to the United States, but only on a case-by-case basis. So, while a company that was certified under Privacy Shield before was able to bring data over from the European Union in all cases, under the new regime that company will have to negotiate (via SCCs) the transfer of data in each individual use case. Very frustrating, of course, and certainly time consuming, but not at all an end to the right of the free flow of data.
So why would Standard Contractual Clauses be permissible but Privacy Shield not be in the eyes of the Court of Justice of the European Union? That’s a tricky one, but it has much more to do with EU-US relations than it does with what any individual US entity is going to do with data on a European citizen. In reality, intelligence agencies in the European Union do many of the exact same things that American intelligence agencies do, often with the help of those very American intelligence agencies that are the reason why Privacy Shield has been invalidated. Perhaps it’s just that in Europe, they’re a little more discreet about these things. But the distinction that makes the difference is that courts in the European Union have concluded that the nature of government surveillance in the United States is so pervasive, and that the right to enforce data protections is so limited, that EU personal data is “unsafe” in America. More succinctly, the idea may be that, in order to have any possibility of traction for change in the US, the EU and its courts might have to hit where it hurts. And in this case, that means restricting data flow.
What do we do now? Well, the first and most important thing to do, if you were a company previously certified under Privacy Shield, is to identify every contract and every relationship that involves the transfer of personal data from the European Union to the United States. If all the data that you’re transferring is transactional, for instance, and doesn’t touch on anything that could be considered personal data, Schrems II isn’t really going to have much of an effect on you. But most businesses do collect some form of personal data, even if it’s only the business address and contact information of their partners. In that case, once you’ve identified which relationships are a source of data from European citizens, you have to review your agreements and determine whether you want to continue to receive that data and, if so, how the SCCs could be implemented. Because many data relationships are bilateral in both benefit and cost, partners may be willing to work with you to rapidly ensure that no interruption in business occurs. But there will always be some instances where this opportunity for leverage to renegotiate a deal won’t be missed.
One important note about the Standard Contractual Clauses: they’re something of a mess. The reality is that the SCCs, drafted before the GDPR even existed, don’t reflect the modern reality of data transfers from Europe to the United States. For instance, there is currently no way to establish an SCC relationship between two processors of data, as opposed to a processor and a controller. That kind of anomaly means that businesses around the world have to shoehorn their data agreements into a rubric that doesn’t necessarily match reality. And while that’s problematic, there has been absolutely no indication that the European Commission is going to revise the SCCs, nor, to be fair, that it has any interest in invalidating them. And, given that the Court of Justice of the European Union had the SCCs squarely in front of it in today’s ruling, the fact that the CJEU allowed them to remain in place is some indication that the Court recognises the importance of continued free-flowing data between Europe and the United States. Still, working with the SCCs is complicated, and requires good guidance. Don’t just assume that you’ll be able to staple them onto the back of an existing agreement and that all will be well; it’s crucial to take the time to identify how they can properly be incorporated into your agreements to make sure that data can continue moving.