On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its judgment in the “Schrems II” case, cautiously upholding Standard Contractual Clauses (SCCs) and invalidating the popular EU-U.S. Privacy Shield. The judgment is the second major triumph affecting transatlantic commerce for Austrian privacy activist, Max Schrems.
Under the EU’s General Data Protection Regulation (“GDPR”), an organization may only transfer individuals’ personal data to non-EU countries for processing if the European Commission determines the third country “ensures an adequate level of protection”. Previously, the European Commission had recognized three methods for lawful transfer of EU personal data to the U.S.: (1) a voluntary arrangement by which U.S. organizations self-certify compliance with certain privacy principles (Privacy Shield); (2) standard contractual clauses between the data controller and data processor, based on approved model clauses (SCCs); and (3) similar commitments adopted in binding non-contractual rules applicable solely within the corporate group (Binding Corporate Rules).
Schrems’ first major victory affecting EU-U.S. data transfers, “Schrems I”, was in 2015 when the CJEU invalidated the EU-U.S. Safe Harbor, Privacy Shield’s predecessor, based on concerns about U.S. surveillance practices. In his second complaint, Schrems argued that SCCs should be invalidated for similar concerns regarding U.S. law.
Fortunately for the thousands of businesses that rely on SCCs for data transfer outside the EU, the high court rejected Schrems’ argument with regards to SCCs, with a caveat. Although SCCs remain a valid framework for data transfers, the CJEU announced the data controller or processor must perform a case-by-case analysis to ensure the third country’s laws sufficiently ensure an adequate level of protection essentially equivalent to that guaranteed within the EU by the GDPR. If the third country’s laws fall short, the data controller or processor must provide additional safeguards to ensure adequacy or immediately cease the transfer.
The CJEU also took the opportunity to assess the sufficiency of the EU-U.S. Privacy Shield, a collaborative tool created in 2016 by the U.S. Department of Commerce and the European Commission, in light of the GDPR. The Privacy Shield has been relied upon by over 5,000 companies since its adoption in 2016, including more than 1,000 companies who signed up in the last year, to transfer data across the Atlantic. In its decision, the CJEU found that, similar to the EU-U.S. Safe Harbor, the Privacy Shield failed to (1) prevent U.S. government surveillance programs and other third parties from accessing transferred data, and (2) provide EU citizens with an adequate means to challenge the transfers.
Although EU regulators provided a grace period before enforcing the Schrems I decision, clear guidance has not been given regarding any grace period applicable after Schrems II. Since the ruling, both U.S. and EU officials have said they are in talks to determine what’s next, and Vera Jourova, the European Commission’s Vice President for Values and Transparency, emphasized last Thursday that they “will not be starting from scratch,” but instead using the “further valuable guidance” of the Schrems II decision to create an updated tool and modernize SCCs. For now, businesses’ contractual and U.S. regulatory obligations to adhere to the Privacy Shield have not diminished, and businesses can continue to rely on SCCs in order to transfer personal data. Hopefully, EU and U.S. officials will respond to the ruling as quickly as they addressed the invalidation of the EU-U.S. Safe Harbor and provide a thoughtful mechanism for transferring personal data from the EU that will withstand future legal challenges.
 Wilbur Ross, U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows, https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and (last visited Jul. 19, 2020); Vera Jourova, Press Conference: Data Protection at International Level, https://twitter.com/EU_Commission/status/1283706783941505025 (Jul. 16, 2020).