On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered a surprise blow to trans-Atlantic economic relations by invaliding the EU-US Privacy Shield arrangement, again putting data transfers from the EU to the US on shaky footing. In its ruling, the CJEU held that Privacy Shield fails to meet required data protection standards as an adequacy mechanism under the General Data Protection Regulation (GDPR), and is therefore not a valid means for transferring personal data from the EU to the US. The CJEU ruling also upheld the general use of the standard contractual clauses (SCCs) as an approved transfer mechanism, but cautioned that use of the SCCs must be reviewed on a case-by-case basis to ensure their use remains valid in view of the court’s ruling. The immediate impact of this decision is that the more than 5,000 US companies relying on Privacy Shield for data transfers from the European Economic Area (EEA) must find a new legal mechanism to make these transfers, or face potential sanction. As the world awaits official guidance on the practical implications of the Schrems II decision, businesses that transfer data out of, or receive data from the EEA must carefully examine their transfer mechanisms in view of the ruling.
The CJEU’s Ruling
The lawsuit (known as Schrems II) and subsequent invalidation of Privacy Shield is just the latest milestone in the lengthy battle over the compatibility of United States’ surveillance laws with the European Union’s expansive privacy rights legislation. In Schrems I, Privacy Shield’s predecessor, Safe Harbor, was similarly struck down for lacking adequate protections for the privacy rights of EU citizens in view of US government surveillance laws. While privacy advocates have accused Privacy Shield of suffering from the same deficiencies, the European Commission’s third annual review of Privacy Shield in October 2019 confirmed that the US program was working well overall, and provided an adequate level of protection for personal data. Obviously, the CJEU did not agree, and the Commission will presumably assess the consequences of the decision in due time.
The heart of the issue before the court in Schrems II was whether companies exporting EU personal data from the EEA to the United States can ensure the minimum level of protection for individual rights as required by the EU privacy laws. Of particular concern was the alleged lack of actionable rights under Section 702 of the US’s Foreign Intelligence Surveillance Act (FISA) and Executive Order 12,333. FISA provides, among other things, that the Attorney General and Director of National Intelligence may direct an electronic communication service provider to provide the government with available information about foreign citizens. Likewise, Executive Order 12,333 allows the US to access trans-Atlantic data transfers by tapping the underwater cables that connect Europe to North America. In light of these surveillance programs, the CJEU found that Privacy Shield failed to guarantee the broad privacy rights Europeans enjoy under the GDPR and the Charter of Fundamental Rights of the European Union. The court also held that use of the SCCs should be suspended in certain cases where the laws of a third country (for example, the laws of the US) do not guarantee that the SCC’s personal data protections will be enforced. This ruling—which has immediate effect as of July 16, 2020—therefore affects not only all businesses relying on Privacy Shield, but may impact businesses using the SCCs as well.
Looking Ahead: Important Takeaways
What are the important takeaways for businesses relying on Privacy Shield and the SCCs for data transfers?
- Privacy Shield Lives On (For Now): According to the Department of Commerce, Privacy Shield participants must continue to comply with any obligations they have under the Privacy Shield Framework.
- SCCs Still Valid: Because the SCCs were held valid, at least for the time being, businesses relying on Privacy Shield should consider implementing the SCCs as an alternative to Privacy Shield, at least in the short term and absent further guidance. However, the CJEU ruling leaves several open questions about whether a business can possibly comply with the SCCs if the substantive laws of a country are incompatible with the SCCs. Any use of the SCCs should be done on a case-by-case basis and be carefully evaluated in view of the CJEU decision. For example, businesses that may not be subject to the US government surveillance programs in question may be more free to continue to use the SCCs (e.g., FISA only allows warrantless surveillance for “electronic communication service providers”).
- Article 49 Derogations: Although not intended for regularly occurring data transfers, the Article 49 of the GDPR provides derogations for international data transfers that may be another short-term solution for businesses seeking an alternative transfer mechanism. For example, under Art. 49(1)(a), a business may legalize a transfer from the EEA with the explicit consent of a data subject. Similarly, Art. 49(1)(b) enables legal data transfers that are necessary for the performance of a contract with the data subject. Each of these alternatives should be carefully reviewed depending on the laws of the importing country, content of the transfer, and safeguards for the personal data.
- Review Data Processors: Businesses must evaluate all data flows that may be impacted by the Schrems II decision, not just data transfers where a business is a data exporter or importer. For example, if a business engages a processor that relies upon Privacy Shield, the business should reach out to the processor to ensure it has implemented a viable alternative transfer mechanism.
- More Guidance to Come: Be vigilant as further guidance is sure to be released by regulatory authorities in the coming days and weeks. Changes may come sooner rather than later. For an IAPP roundup of DPA and government guidance released to date in view of Schrems II, visit https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/.
Businesses, governments, and data privacy experts around the world are scrambling to understand the full impact of this ruling, and to chart a course for how best to proceed. In the meantime, businesses should begin contemplating alternative methods of data processing in the absence of legislative change to the United States’ surveillance laws.
 Case C-311/18, Data Protection Comm’r v. Facebook Ir., http://curia.europa.eu/juris/document/document.jsf;jsessionid=B54649075388509099AD7991A75D20DF?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=10056740 (Jul. 16, 2020).
 Exec. Order No. 12,333, 46 Fed. Reg. 59,941 (Dec. 4, 1981).
 50 U.S.C. § 1881(a)(i)(1).
 Case C-311/18, Data Protection Comm’r v. Facebook Ir., available at http://curia.europa.eu/juris/document/document.jsf;jsessionid=B54649075388509099AD7991A75D20DF?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=10056740 (Jul. 16, 2020).
 See 50 U.S.C. § 1881(b) (defining “electronic communications service provider).