During the past few years, more than 5,000 US companies have conducted trans-Atlantic commerce in compliance with the European Union Data Protection Directive (“Directive”). Under the Directive, the default rule prohibits data transfer; personal data transfer is permitted based only on specific criteria. Per the Directive, the transfer of personal data to another country is possible only if the country affords adequate equivalent data protection. The Directive also provides the European Commission the authority to verify whether a country affords the required level of protection to the transferred data. The transfer of personal data to another country may take place after the Commission’s determination on the issue.
The safe harbor provision:
Since 2000, international data transfer across the European Union and the US followed a decision adopted by the European Commission that required the US to provide adequate safeguards for its citizens’ data by structuring a Safe Harbor provision. The provision was equipped with data protection principles that US companies could voluntarily endorse for cross-border data transfer. This process relied on a self-evaluation and certification method.
Previously, the Irish High Court had found that the US carried out group surveillance of personal data on Irish servers. In 2013, the case, Maximilian Schrems v Data Protection Commissioner Case C-362/14 (Schrems I), became a major international conflict on data transfer between the two continents.
Schrems I questioned the veracity of international data flows and the mechanism of data transfers mainly based on the EU privacy laws and the laws related to US surveillance. The dispute stemmed from Facebook’s transfer of data on Europeans to US intelligence services. Max Schrems, an Austrian privacy advocate, filed a complaint before the Irish Data Protection Commissioner (DPC) against Facebook, Inc. in Ireland, challenging the Safe Harbor provision and the transfer of his data, and that of other EU citizens, to the United States. Specifically, Schrems argued that the Safe Harbor violated EU data protection laws because it prevented Ireland from prohibiting Facebook’s data transfer to the US. The DPC dismissed the complaint relying on a prior decision of the Commission (Commission’s Decision 2010/87/EU) that the Safe Harbor framework ensured adequate protection by the US on the personal data transferred.
On appeal to the Court of Justice of the European Union (CJEU), the CJEU relied on the Advocate General Yves Bot’s opinion dated September 23, 2015, that the Safe Harbor failed to provide the requisite legal protection under EU laws. Therefore, on October 6, 2015, the CJEU invalidated the Safe Harbor framework finding that the provision failed to provide adequate protection to transferred personal data under the EU Data Protection Directive 95/46/EC and that the “mass processing” of data violated the EU’s fundamental rights.
The Privacy Shield Framework:
Soon after the 2015 decision, new negotiations began to develop an alternate structure to facilitate data transfer between the continents. The discussions lead to the development of the EU-US Privacy Shield which was approved by the European Commission on July 12, 2016. The Privacy Shield was intended to overcome the shortfalls of the Safe Harbor and to ensure compliance with applicable privacy laws. It also provided an Ombudsperson mechanism consistent with the Presidential Policy Directive 28 (PPD 28) to address concerns about intelligence activities by the US. The data transmitted from the EU or Switzerland to the US, under the EU-US Privacy Shield, EU-Swiss Privacy Shield, the standard contractual clauses (SCCs), binding corporate rules (BCRs), and Derogations or Possible Future Derogations were all covered under the mechanism.
Challenge to the Privacy Shield:
Like the Safe Harbor, the Privacy Shield also allowed companies to self-certify and endorse the transfer of data to the US causing similar issues leading to swift action before the European Court challenging the Privacy Shield. At the same time, Schrems initiated judicial recourse before the Ireland DPC, questioning the SCC used by Facebook and similar companies. This occurred after the invalidation of the Safe Harbor, but before the approval of the Privacy Shield. Although the DPC agreed to investigate, it referred the case to CJEU. Thus, the case came before the CJEU to determine whether the SCC used by these companies was valid considering the surveillance laws in the US (C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). Under Schrems II, the CJEU also had to evaluate the validity of the Privacy Shield because many companies began using trade policies based on either the SCC or the Privacy Shield for data transfers, allegedly violating Articles 7, 8, and 47 of the EU Charter of Fundamental Rights (Charter).
CJEU Decision to Invalidate the Privacy Shield:
The main issue the CJEU considered in this case was whether those individuals whose personal data was transferred to the US under the Privacy Shield, and accessed by the National Security Agency, had redressal rights to the US courts. The CJEU observed that the surveillance procedures under Section 702 of the Foreign Intelligence Surveillance Act to be approved by the Foreign Intelligence Surveillance Court, did not result in the judicial review of these individual cases. The CJEU also found that there were no actionable rights available to a foreign citizen against any surveillance done outside the US, based on the Executive Order 12333, even after considering the added protections available to them under the PPD 28.
The CJEU followed the Advocate General’s stance on December 19, 2019, to confirm the Commission’s Decision 2010/87/EU as valid, and found that the SCCs provided adequate safeguards for international personal data transfer. The CJEU’s decision refers to Clauses 5 and 12 of SCCs, which state that when a data receiver in another country gets personal data from the EU and cannot provide the required equivalent protection, the data must be returned or destroyed. Also, the decision provides a right of compensation for damages to data subjects in case of a breach. The CJEU’s decision is consistent with the Charter as authorities are required to suspend data transfer- when there is a conflict between the responsibilities under the SCCs and the law of another country. However, the CJEU found the Privacy Shield invalid because it did not have a satisfactory mechanism to ensure the required protection of personal data from use and access by the US authorities under the US surveillance law. Furthermore, the CJEU did not find the Ombudsperson to provide any equivalent protection that is guaranteed under the EU law. The Court expressly questioned the Ombudsperson’s independent existence noticing the lack of ability to make decisions that could bind the US intelligence services. The CJEU decision has now invalidated the Privacy Shield relied by many companies engaged in trans-Atlantic commerce for international data transfers. According to the CJEU, the international data transfer under the EU’s comprehensive data protection program (GDPR) can be continued based on the EU SCC by proper supervision.
The Need to Adhere to Ongoing Obligations:
The Schrems II decision pronounced on July 16, 2020, is the binding authority at present that controls the activities of companies and privacy professionals engaged in assessing global data transfers. While exploring alternate legal methods to transfer data under the GDPR, companies must also ensure their current obligations under the Privacy Shield that are still in force under the US Federal Trade Commission (FTC) as per the DOC statement. Per the statement on July 21st, 2020, the FTC alerts companies to abide by the ongoing obligations on data transfer under the Privacy Shield and to keep following strict privacy principles within the framework. The FTC at present has called on companies to review their respective privacy policies ensuring accurate description of their privacy practices, including cross-border data transfer.