In Data Protection Commissioner v. Facebook Ireland and Schrems (Case C-311/18, "Schrems II"), the Court of Justice of the European Union (CJEU) invalidated Commission Implementing Decision (EU) 2016/1250 on the EU-U.S. Privacy Shield, holding on July 16, 2020, that the Privacy Shield program did not ensure an adequate level of protection for personal data transferred from the European Union to the United States. The Privacy Shield has thus gone the way of its predecessor, the U.S.-EU Safe Harbor Framework, which the CJEU invalidated in its Schrems I decision in October 2015.
Companies that certified to the EU-U.S. Privacy Shield should note that the Privacy Shield website has been updated to clarify that companies may no longer rely on the EU-U.S. Privacy Shield as a valid mechanism for complying with EU data protection requirements, but that participants in the EU-U.S. Privacy Shield program are not relieved of their obligations under it. The U.S. government also published a white paper in September 2020 on U.S. privacy safeguards relevant to standard contractual clauses (SCCs) and other cross-border transfer mechanisms. The white paper offers observations on U.S. law but expressly does not address compliance with EU law.
Update on the Swiss-U.S. Privacy Shield
Following the CJEU's decision, the fate of the Swiss-U.S. Privacy Shield was unclear. Switzerland is not a member of the European Union and therefore was not bound by the CJEU's ruling, which did not purport to invalidate the Swiss-U.S. Privacy Shield. Nevertheless, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland released a position statement concluding that the Swiss-U.S. Privacy Shield does not provide an adequate level of protection for transfers of personal data from Switzerland to the United States under the Federal Act on Data Protection (FADP).
The Privacy Shield website recommends that organizations seek guidance from the FDPIC or their legal counsel if they wish to continue relying on the Swiss-U.S. Privacy Shield Framework to transfer personal data from Switzerland to the United States. As with the EU-U.S. Privacy Shield Framework, participants have not been relieved of their obligations under the Swiss-U.S. Privacy Shield Framework.
Standard Contractual Clauses: Proceed With Caution
Without Privacy Shield, which cross-border transfer mechanisms should companies rely on to move personal data outside the European Union or European Economic Area? The CJEU upheld the validity of the SCCs (Commission Decision 2010/87), so SCCs remain available. That does not mean, however, that companies should take the adequacy of SCCs for granted.
The CJEU cautioned that entering into SCCs is not a rote exercise: a controller or processor exporting data must assess, case by case, whether the law of the data importer's jurisdiction allows the importer to honor the clauses and, if it does not, must either adopt supplementary measures that bring protection up to the required level or suspend the transfer. Another option for intra-group transfers (e.g., to affiliates in other jurisdictions) is Binding Corporate Rules (BCRs).
In Switzerland, the FDPIC's position statement cautioned that contractual safeguards such as SCCs or BCRs cannot prevent foreign authorities from accessing personal data where foreign law provides otherwise. The FDPIC concluded that, as a result, SCCs or similar contractual agreements will in many cases fail to meet the requirements for contractual safeguards under the cross-border transfer provisions of the FADP.
What Should Companies Do While We Wait?
It is difficult to recommend a particular course of action at this stage, because authoritative guidance is lacking and an update to the SCCs is expected in the near term. What is clear is that companies will need to be prepared to respond quickly once new guidance arrives.
Companies should check whether their international data flows are adequately documented in their data maps. If they are not, companies should build those data maps now, so that when new requirements are issued they can compare them with confidence against their existing data flows and respond accordingly.