Schrems II – It’s Not Just Travel That’s Now Restricted between Europe and the US

On July 16, 2020, the European Union’s Court of Justice (“CJEU”) ruled that an important provision of the EU-U.S. Privacy Shield (“Privacy Shield”) allowing companies to lawfully transfer personal data from the EU to the US is invalid. Companies must now reevaluate their data privacy protocols to ensure they are in compliance with  GDPR.

In delivering their ruling, the CJEU states that the Privacy Shield, in place since 2016, could potentially expose customers’ data to US government surveillance. As the court put it in a press release:

The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.

The brass tacks here is that US companies doing business in Europe or receiving data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contract Clauses (“SCC”), with the EU or stop transferring data from European operations into the US. One nuance here is that the ruling applies to data that companies such as Google transfer to US servers for their own purposes, but it does not affect “necessary” data transfers, such as when a European citizen books a travel on a US website.

Not the First Rodeo with EU – US Data Transfers

Back in 2000 (remember the flip phone days?), an agreement governing the sharing of EU customer data between Europe and the United States was called Safe Harbor. However, following revelations from Edward Snowden and a legal challenge from Maximillian Schrems, the CJEU invalidated Safe Harbor in 2015. Schrems alleged the Safe Harbor agreement (which permitted NSA access to EU citizens’ personal data, a fact brought to light by Snowden) stood in conflict with EU law.

Privacy Shield was quickly drafted in the wake of the Safe Harbor invalidation, and the European Commission adopted it in 2016. Even prior to its adoption, EU regulators warned that “Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the court.” Regulators also warned at the time that Privacy Shield might be in conflict with Europe’s sweeping privacy law, the  General Data Protection Regulation (“GDPR”).

Schrems, the plaintiff who helped invalidate Safe Harbor, was also the intervening party in this case to invalidate Privacy Shield. Afterwards, Schrems stated “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market. This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.”

How are US Companies Responding?

Major US tech companies quickly tried to perform damage control, with many stating that the ruling will not materially affect their European operations. Companies like  Microsoft and Facebook posted messages assuring customers that they would not see a significant change in their usage, and that they plan to “work proactively with the European Commission and the US government to address the issues raised by the ruling.”

Will the Third Time be the Charm?

While it is too early to tell what will come next, there will likely be pressure put on US and EU regulators to quickly develop a firm regulatory framework for companies to follow. Some commentators have argued for a  strong response that would send a message to the EU, and the US Department of Commerce has stated that it is studying the decision to fully understand its practical impacts. In the meantime, SCCs remain valid, and organizations relying on them must consider whether they are providing an adequate level of protection for personal data processed and transferred to the US (or any country outside the EU. Organizations currently relying on Privacy Shield will need to identify an alternative data transfer mechanism to continue transfers of personal data to the US.

As this matter continues to develop, Clym will update its customers and partners accordingly. If you’d like to find out how Clym can help you better manage your data privacy, please book a demo with us today!