Schrems II: What Do Privacy Shield Businesses Need to Know?
May 25, 2021 by BBB National Programs
This post, originally published July 23, is updated as of September 15, 2020 with new information.
To set the stage, here are the initial takeaways from the Schrems II case that U.S businesses receiving data from Europe should be thinking about right now:
The Court of Justice of the European Union (CJEU) found that U.S. surveillance practices are incompatible with EU data protection rights due to disproportionate government data collection and a lack of judicial redress for EU individuals subject to government surveillance.
This decision calls into question the sufficiency of all current EU-U.S. data transfer mechanisms.
Standard Contractual Clauses (SCCs), when combined with substantial due diligence requirements and the establishment of “additional safeguards” sufficient to remedy U.S. surveillance concerns, were upheld as a valid transfer mechanism. If these new requirements cannot be met, businesses must suspend transfers under SCCs or risk enforcement action.
Due to the same surveillance concerns, Privacy Shield is no longer recognized as a valid transfer mechanism as a matter of EU law, but the U.S. Department of Commerce is still operating the program in the United States and continues to accept certifications and recertifications. All of Privacy Shield’s substantive requirements remain in place in the U.S. pending negotiation of a new framework. The Department of Commerce has posted updated FAQs for Privacy Shield businesses in light of the Schrems II decision.
The U.S. Department of Commerce and the European Commission are already working to negotiate a new framework for data transfers that will meet the EU’s adequacy standards, while the European Data Protection Board (EDPB) has stated its intention to play a constructive part in this process.
In the meantime, both the CJEU and the EDPB have indicated that businesses should consider using GDPR Art. 49 derogations as a means for completing certain data transfers.
As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
BBB National Programs will update this post regularly as more information becomes available.
More about the Court’s Decision
The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. The first, SCCs, are uniform and non-negotiable contract terms between businesses. The second is the EU-U.S. Privacy Shield Framework, which is used by U.S. businesses when they process EU personal data in the U.S., whether receiving it directly from the EU or not.
The case was based on a complaint to the Irish Data Protection Commission (DPC) claiming that SCCs insufficiently protect personal information transferred to the U.S. The DPC referred the case to the Irish High Court, which passed it to the CJEU with additional questions about Privacy Shield. Although SCCs were not invalidated directly in the case, their use was called into question for transfers to the U.S. by the CJEU’s findings regarding mass surveillance activities in the U.S., which were applied to both Privacy Shield and SCCs.
The primary question in Schrems II was whether SCC protections were sufficient to protect EU fundamental data protection rights outside of the EU. The CJEU clarified the standard that the protections provided by SCCs—or any other transfer mechanism—must be “essentially equivalent” to the level of data protection that is guaranteed within the EU. Specifically, the CJEU found that U.S. surveillance programs do not have adequate limitations and U.S. law does not offer comparable redress for potentially targeted EU persons.
The CJEU’s analysis makes clear that “additional safeguards” will always be required for transfers to the U.S. to meet this standard when relying on SCCs. Relying on the same analysis about U.S. surveillance and judicial redress, the CJEU also invalidated the European Commission’s Privacy Shield adequacy decision.
Answering Common Questions
This decision has raised many questions for organizations engaged in EU-U.S., U.K.-U.S., and Swiss-U.S. data transfers. Here we provide answers to some of the most common questions we have received so far.
What is the status of Privacy Shield today?
Following Schrems II, as a matter of EU law, Privacy Shield is no longer an adequate means for continuing to transfer personal data to the U.S.
However, Privacy Shield is fully operational in the United States, where the U.S. Department of Commerce (DOC) has stated that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
The DOC also has reminded Privacy Shield participants that the CJEU decision “does not relieve participating organizations of their Privacy Shield obligations,” a statement that the U.S. Federal Trade Commission (FTC) echoed in posted guidance. In a routine Senate oversight hearing, FTC Chairman Joseph Simons testified that the FTC “will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.” In updated guidance posted to its FAQs page on July 30, the DOC made clear that the requirements for re-certification and withdrawal remain unchanged, including the ongoing requirements for any data received under Privacy Shield.
Privacy Shield businesses make affirmative commitments to adopt certain data practices about personal data received under Privacy Shield. These commitments go beyond the initial receipt of the data in the U.S., including maintaining a current certification and privacy notice, entering into contracts with their partners, responding to complaints and maintaining a free and independent dispute resolution mechanism for EU consumers, and continuing to handle all data already received under Privacy Shield in accordance with the Privacy Shield Principles, including data transferred to third parties.
During this period when all EU-U.S. data transfers are in flux, many businesses already self-certified under Privacy Shield are choosing to stay the course, and some companies are choosing to join the program, pending further developments. Privacy Shield remains an achievable but robust mechanism for businesses to demonstrate a mindset of compliance and accountability in line with EU rules. As the Department of Commerce states in its FAQs on the Schrems II decision, “organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.”
In concert with other tools, such as Art. 49 derogations (discussed more below), Privacy Shield can still help businesses bridge the current gap between the EU and U.S. regimes.
What is next for Privacy Shield?
There remains a clear incentive for regulators on all sides to re-establish a fully approved mechanism for transatlantic data flows. Already, officials in the EU and U.S. are actively working with their counterparts to develop a new framework for data transfers.
Immediately after the decision, U.S. Secretary of Commerce Wilbur Ross issued this statement: “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.” That same day, European Commission Justice Commissioner Didier Reynders described his ongoing dialogue with U.S. authorities, tweeting that he is “committed to having strong and protective data transfer systems.” On August 10, Secretary Ross and Commissioner Reynders followed up with a joint statement reporting that their respective agencies “have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment.”
Meanwhile, the EDPB released a statement with answers to FAQs about Schrems II, noting that there will be no grace period for data transfers and that businesses should begin to re-assess their legal basis for transfers immediately. The EDPB notes that the assessment of the CJEU that the U.S. does not provide an essentially equivalent level of protection to the EU “has to be taken into account for any transfer to the U.S.” That said, the EDPB has also stated that it intends to “continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
Individual DPAs continue to review the case and are making their own statements. For example, following the decision, the United Kingdom Information Commissioner’s Office (ICO) updated its guidance page on Privacy Shield to note: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available.” After the EDPB released its FAQs, the ICO removed this notice and replaced it with a link to a statement in line with the EDPB FAQs. This new statement does not provide guidance on Privacy Shield.
In 2015, a similar situation unfolded when the CJEU invalidated the prior EU-U.S. agreement (known as Safe Harbor). Immediately thereafter, regulators on both sides of the Atlantic similarly expressed their interest in working together to reach a new agreement. The many businesses affiliated with Safe Harbor during that period were able to easily transition into the Privacy Shield framework when it was established a few months later.
What can businesses do until there is a replacement framework for the Privacy Shield?
For processing data that has already been received in the U.S.
Business are opting to remain self-certified to Privacy Shield for three reasons: compliance, continuity, and consumer recourse.
- Demonstrable compliance. As always, responsible businesses should consider the actions they can take to demonstrate to business partners, consumers, and regulators that their data handling practices are still aligned with EU data protection standards. Ongoing efforts may include reviewing contracts, updating privacy policies, strengthening notices, re-examining data flows, and establishing additional safeguards—actions consistent with a company’s existing Privacy Shield commitments.
- Business continuity. For data already received in the U.S., Privacy Shield businesses must continue to uphold their substantive commitments regarding the processing and commercial sharing of data and recertify to that effect annually to the DOC, even if they choose to withdraw from the framework. These obligations already reflect the high standard of data protection in the EU, so they are likely to be mirrored in future EU-U.S. (and potentially U.K.-U.S.) frameworks. Remaining in Privacy Shield, and abiding by its requirements, helps businesses to maintain an unbroken chain of responsible data practices.
- Consumer recourse. Businesses that wish to do right by consumers appreciate the value added by a commitment to provide consumers with free, independent recourse for privacy complaints. Maintaining this mechanism demonstrates to European partners and EU individuals that the business takes seriously the values underlying EU data protection law, even in a time of regulatory uncertainty for data transfers.
For receiving additional data from the EU.
No EU-U.S. transfer mechanism is unaffected by the Schrems II decision. In the decision, the CJEU provides a roadmap for analyzing transfers—citing GDPR’s Article 49, “Derogations for specific situations”—when no other mechanisms are available. The EDPB in its statement on July 17 also steered business toward the use of derogations. Most relevant here are two derogations:
Consent. Individuals can explicitly consent to the transfer, “after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”
Contract. Transfers can be completed if they are necessary to perform a contract between the business and the EU individual (such as a sale) or to implement “pre-contractual measures taken at the data subject's request.”
Additional guidance on derogations is provided in the EDPB’s guidance on article 49 derogations for data transfers.
What about transfers from Switzerland?
In keeping with the conclusions of the Shrems II ruling, the Swiss Federal Data Protection and Information Commissioner (FDPIC) has revised its assessment of transfers of personal data to the U.S., with the release on September 8 of a position paper. Although the CJEU decision does not carry the effect of binding law in Switzerland, the FPDIC explained that its paper was part of its ongoing commitment to coordinating with the EU on data protection issues, including international transfers. Specifically, the FDPIC wrote, “in view of the fact that Switzerland and the EU mutually recognise their data protection legislation as equivalent, the FDPIC agrees with most of the EDPB’s criticisms regarding access by US authorities, insofar as these can also be derived from Swiss data protection law the Schrems II decision.” Therefore, the FDPIC revised its assessment of Swiss-U.S. transfers under the Privacy Shield, removing the U.S. from its list of countries that have an “adequate level of protection under certain circumstances.”
The FDPIC stresses in its position paper that it does not alone have the authority to revoke the Swiss-U.S. Privacy Shield regime, writing that “The regime can be invoked by persons concerned in Switzerland as long as it is not revoked by the USA.” Instead, the updated FDPIC guidance on Swiss-U.S. transfers reads as follows: “Data processors who are on the list of the US Department of Commerce and sign up to the Privacy Shield regime between the US and Switzerland in relation to personal data obtained in Switzerland shall grant special protection rights to persons in Switzerland. However, these rights do not meet the requirements of adequate data protection as defined by the FADP.”
The practical impact for Swiss data exporters is that the FDPIC will no longer consider Privacy Shield as providing adequate protections for U.S. transfers. The same analysis for documenting these transfers should be conducted as under GDPR. The FDPIC concludes its position paper with recommendations for businesses to adopt additional safeguards for ongoing transfers to inadequate countries, including contractual and technical measures.
What about transfers from the U.K. after Brexit?
Until Brexit is completed on December 31, the United Kingdom must follow decisions of the CJEU. It is likely that the U.K. will wish to enter into its own agreement with the U.S. to ensure adequate protection for international transfers under its version of GDPR. A statement from the U.K. Information Commissioner’s Office (ICO) in the wake of Schrems II highlighted its commitment to ensuring the continuation of “global data flows.”
Are SCCs a viable alternative?
There are many data transfers where SCCs are not an available mechanism, notably where data is collected in the U.S. directly from an EU individual. Even in cases where SCCs are available, the CJEU cast serious doubt on their use for U.S. transfers. The decision imposes strict duties on data controllers and recipients, before using SCCs to transfer personal data outside the EU, to engage in substantial due diligence to determine whether they can rely on the terms of their SCCs alone, or whether additional safeguards are required to overcome insufficiencies in national law. Where businesses fail to do this, DPAs are now obligated to step in and review these transfers. On this basis, SCCs alone clearly are insufficient for transfers to the U.S.
The CJEU’s analysis states that U.S. law does not ensure adequate protection, as defined under EU law, of personal data transferred pursuant to SCCs. For such transfers, organizations must provide “additional safeguards to those offered by those clauses.” All current SCCs for EU data transfers to the U.S. are subject to scrutiny following the court’s findings on U.S. surveillance activities, unless and until they incorporate these additional safeguards.
All of these limitations also apply to Binding Corporate Rules (BCRs).
As of this writing, at least three European Data Protection Authorities (DPAs) have interpreted Schrems II to mean that SCCs are insufficient for U.S. transfers. For example, the German DPA in Hamburg highlighted the fact that U.S. surveillance activities apply as much to SCCs as to Privacy Shield, rendering SCCs insufficient. For similar reasons, the Irish DPC stated that“in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” Individual DPAs are still analyzing the decision and issuing their own guidance.
How can BBB National Programs help?
In alignment with the DOC, BBB National Programs will continue to operate BBB EU Privacy Shield, our independent recourse mechanism, working to assist our participating businesses in meeting their obligations while continuing to provide independent and free redress for EU data subjects with privacy complaints. We will continue to keep our participants informed of ongoing developments and we stand ready to assist, whenever possible.