What’s up? In a landmark decision, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) announced the immediate invalidation of the EU-U.S. Privacy Shield Framework between the EU and the US. The EU-U.S. Privacy Shield Framework was one of the most widely used mechanisms that allowed U.S. companies to freely transfer the personal data of European citizens and residents outside of the EU. The CJEU ruled that the Privacy Shield framework did not adequately comply with the General Data Protection Regulation of the EU (“GDPR”) and failed to protect the privacy of EU users’ data.
The CJEU’s decision essentially terminates cross-border data transfers of the more than 5,000 companies that are currently certified under the EU-U.S. Privacy Shield Framework. As a result, these companies are now forced to recalibrate their privacy policies in order to continue complying with the GDPR.
ALTERNATIVES TO THE EU-US PRIVACY SHIELD FRAMEWORK
Although the CJEU invalidated the EU-U.S. Privacy Shield Framework, it held that the European Commission’s Controller-Processor Standard Contractual Clauses (“SCCs”) remain a valid compliance mechanism for the transfer of personal data outside of the EU. However, the CJEU stated that in using the SCCs, the EU exporter, in consultation with the US importer, must maintain a level of protection that is “essentially equivalent” to the one guaranteed by the GDPR. The CJEU stated that usage of the SCCs for data transfer will need a case-by-case analysis of:
(i) the terms and conditions of the SCCs as they relate to the specific circumstances of the particular transfer; and
(ii) the relevant aspects of the legal system in the data recipient’s country. The examination under (ii) is to be done in light of the factors set out under Art 45(2) of the GDPR, such as the privacy laws of the data recipient’s country, rights of public authorities to access the transferred personal data, existence of independent supervisory authorities, relevant remedies available to affected individuals, etc.
Thus, following the invalidation of the EU-U.S. Privacy Shield Framework, U.S. companies have the following options to remain GDPR compliant:
1. Cease EU-US data transfers. The company may consider ceasing all EU-US data transfers and relocating data processing operations to the EU to limit cross-border transfers.
2. Rely on SCCs. The company can rely on the SCCs for any cross-border data transfers between the EU and U.S. However, the company must perform the case-by-case analysis described above prior to any data transfer outside of the EU. Additionally, according to the European Data Protection Board (“EDPB”), the company may be required to implement supplementary measures when using the SCCs. The EDPB is still looking further into what these supplementary measures could consist of and will provide more guidance in the days to come.
3. Obtain individuals’ consent to the transfer. The company may freely transfer data outside of the EU if it has obtained valid consent of the individual whose data is being transferred. Under Art 4 of the GDPR, for consent to be valid it has to be freely given, specific, informed and unambiguous. The company’s request for consent must also be clearly distinguishable from other matters and contain information about the proposed transfer. The request should specify all data recipients or categories of recipients, all countries to which the personal data are being transferred, that the consent is the lawful ground for the transfer, and that the third country to which the data will be transferred does not provide for an adequate level of data protection. It should also contain information about the possible risks for the data subject arising from the absence of adequate protection in the third country and the absence of appropriate safeguards, e.g., that there might not be a supervisory authority and/or data processing principles and/or data subject rights might not be provided for in the third country. This method has limited application because the data subject has the right to withdraw his or her consent at any time, which may affect the company’s operations.
4. Implement Binding Corporate Rules. Under Art 47 of the GDPR, transfers of personal data outside of the EU are allowed if they comply with Binding Corporate Rules (“BCR”). BCRs are data protection policies created and adhered to by companies established in the EU for transfers of personal data outside the EU within a group of enterprises, i.e., they would only be useful for transfers (a) within the company’s group of companies; or (b) to other companies with approved BCRs. BCRs must contain: details on all aspects of the data transfer; compliance mechanisms that apply data protection principles, e.g., transparency, data quality, and security; tools of effectiveness (such as audit, training and complaint handling); and an element proving that the BCRs are binding, both internally and externally. BCRs have to be approved by the competent data protection authorities in the EU and may involve several supervisory authorities. The competent authority is required to communicate its draft decision to the EDPB, which will issue its opinion on the BCR. When the BCR has been finalized in accordance with the EDPB opinion, the competent authority will then approve the BCR. This process is time consuming given the time that would be needed for supervisory authorities to review and approve BCRs.
5. Article 49 derogations. Specific derogations (i.e., exemptions) from the general rule on data transfer protections are provided for in Art 49 of the GDPR. These derogations include where the transfer is necessary for the performance of a contractual obligation between the company and the data subject, for reasons of public interest or to protect an individual’s vital interest, or for potential litigation. Companies can rely on these derogations to prove that their data transfers are GDPR compliant. However, these derogations are only available for nonrecurring transfers. These derogations are narrow and are seen as exceptional and limited in use, and their use is closely scrutinized by courts and data protection authorities.
ONGOING PRIVACY SHIELD OBLIGATIONS
Uninterrupted data flows are essential for companies of all sizes, and in the aftermath of the CJEU decision, these companies need to adapt their privacy policies in order to avoid potential violation of the EU data protection laws. Although the EDPB has stated that there is no period of grace before enforcing the CJEU’s decision, it is very likely that further guidance from the European Commission and/or the European data protection supervisory authorities would be provided soon. In the meantime, companies once reliant on the EU-U.S. Privacy Shield Framework need to adopt one of the alternative data transfer mechanisms identified above and take proper steps now to ensure they are ready for future data transfer regulations.