By Francoise Gilbert, CEO, DataMinding, Inc.
For months, the global digital trade community has been awaiting the decision of the Court of Justice of the European Union (CJEU) in the "Schrems 2" case, which concerned the conditions for transferring personal data from the European Union to the United States. The details of the original complaint, filed by Maximillian Schrems against Facebook, have become almost irrelevant, because the decision affects countless organizations throughout the world. The central question was whether standard contractual clauses (SCC), used as a means of establishing "adequate protection" for personal data transferred by data exporters located in the European Union or the European Economic Area, in fact deliver that expected "adequate protection". The CJEU decision has two elements:
In its decision published on July 16, the CJEU examined both the EU-US Privacy Shield and the SCCs. It invalidated the Privacy Shield, thereby destroying the virtual bridge that allowed the 5,378 US-based organizations certified under Privacy Shield to conduct business with entities located in the European Union and the European Economic Area. It preserved the controller-to-processor SCC ecosystem, but created significant challenges for it by imposing new constraints and obstacles on the countless organizations, in the US and abroad, that rely on it for their global digital trade with their European partners.
The premise of the decision is that US national security, public interest and law enforcement laws currently have primacy over the fundamental rights of the persons whose personal data are transferred to the US. These laws do not take into account the principle of proportionality and are not limited to collecting only the data that is necessary. In addition, according to the CJEU decision, US law does not grant data subjects actionable rights before the courts against US authorities.
The CJEU determined that the protection afforded to personal data in the United States is inadequate to meet the level of protection of privacy and privacy rights guaranteed in the EU by the GDPR and the EU Charter of Fundamental Rights.
According to the decision, the US surveillance programs are not limited to what is strictly necessary, and the United States does not grant data subjects actionable rights against the US authorities. Further, the Ombudsperson program does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law. Therefore, the EU-US Privacy Shield is no longer a valid legal instrument for the transfer of personal data from the EU to the US.
The immediate consequence of the invalidation of the EU-US Privacy Shield is that more than 5,000 US organizations, and their trading partners throughout the European Union and the European Economic Area, are left stranded with no way out. The invalidation declared by the CJEU takes immediate effect. These transfers must cease. This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic.
The Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid. However, the Court found that, before a transfer may occur, there must be a prior assessment of the context of each individual transfer that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to that data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection as defined under EU law. Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses. If such protection is lacking, the parties are obligated to suspend the transfer or terminate the contract. Thus, while the controller-to-processor SCCs remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that adequate protection is, and will continue to be, provided.
Françoise Gilbert has extensive, in-depth experience with data privacy and security issues, Internet, eBusiness, and information technology law. Her clients include numerous Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace, and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security into mergers & acquisitions, outsourcing, cloud computing, marketing, and other business relationships.
Françoise is also the author and editor of Global Privacy and Security Law published by Aspen, a two-volume law treatise. Global Privacy and Security Law provides a detailed and practical explanation of the major drivers that dictate or influence data protection laws worldwide. The treatise also contains a thorough analysis of the privacy and data protection laws of over 60 countries on six continents.