EU-U.S. Privacy Shield Invalidated, SCCs in Doubt

In a new judgement, the Court of Justice of the European Union has invalidated the EU-U.S. Privacy Shield and thrown the reliability of Standard Contractual Clauses into doubt

The EU-U.S. Privacy Shield is a framework that – until recently – was relied upon by more than 5,000 organizations to transfer data from the EU to the U.S. without running afoul of EU privacy protections.  On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a judgement (in Case C‑311/18) invalidating the Privacy Shield framework and casting doubt on whether Standard Contractual Clauses (“SCCs”) can be used for EU-to-U.S. transfers instead.

The Rise of SCCs and the Privacy Shield

In October 2015, the CJEU issued a ruling invalidating the Safe Harbor program on which organizations had relied for transfers of data from the European Union to the United States.  Subsequently, representatives of the EU member states’ data protection authorities issued guidance on adapting to the loss of Safe Harbor protections, including pointing organizations towards the use of Model Contracts employing SCCs approved by the European Commission.

SCCs had been in use, in one form or another, since 2002, and they became used by many more organizations during this period between the Safe Harbor program’s invalidation and the implementation of a replacement program.  Eventually, in July 2016, the EU-U.S. Privacy Shield was approved by the European Commission as a replacement for the invalidated Safe Harbor program.

Background of the Case

As we discussed in 2018, European privacy activist Max Schrems (whose prior lawsuit resulted in the invalidation of the Safe Harbor program) filed a suit challenging the sufficiency of SCCs, arguing that they too provide inadequate protection for the personal data of EU citizens transferred to the U.S.  In 2017, the Irish Court hearing the case issued an order finding the concerns and objections raised about data transfers to the U.S. under SCCs “well-founded” and referring the matter to the CJEU for the resolution of several legal questions.

The specific questions referred explored several aspects of the sufficiency of SCCs, the correct law to use to assess the protections, the relationship between the Privacy Shield and the SCCs, and what qualifies as an adequate remedy under applicable law.  Arguments were heard by the CJEU in 2019, and U.S. representatives participated in the arguments.

The CJEU on the Privacy Shield

In a press release summarizing their July 16th judgement, the CJEU explained that the European Commission adequacy decision underpinning the EU-U.S. Privacy Shield was invalid because the data protections provided in the U.S. are not equivalent to the protections provided in the EU:

. . . the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality . . . .

In particular, the CJEU emphasized that the Ombudsperson mechanism in the Privacy Shield program does not meet “the requirement of judicial protection” because it “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law,” particularly with regard to independence and the ability to issue decisions binding on U.S. intelligence services.

The CJEU on Standard Contractual Clauses

In the press release summarizing their July 16th judgement, the CJEU also explained that the Commission decision underpinning SCCs remains valid, but it clarified the requirements for the use of SCCs and the role of member states’ data protection authorities in assessing them:

  • With regard to the requirements for their use under the General Data Protection Regulation (“GDPR”), the requirement is that “data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter.”
  • With regard to the role of member states’ data protection authorities, they are required to assess the use of SCCs, including both the terms of the SCCs and “as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country,” and they are “required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country . . . .”

Given that this same judgment invalidates the EU-U.S. Privacy Shield precisely because equivalent protections are not currently provided in the U.S., this casts doubt on whether SCCs can still be used for data transfers to the U.S., even though the mechanism is found to be valid for transfers in general.  Moreover, this seems intended to spur a new level of oversight and enforcement activity from member states’ data protection authorities.

Initial Responses

In the U.S., initial responses to the judgement have focused on immediate adaptation to alternative transfer mechanisms, including SCCs (at least for now).  Microsoft, for example, issued a statement emphasizing their preexisting dual coverage by both the Privacy Shield and SCCs and assuring customers there will be no service disruptions.  The U.S. Secretary of Commerce issued a statement expressing disappointment and announcing an intention to continue operation and enforcement of the Privacy Shield program for now:

The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

In the EU, some member states’ data protection authorities have already issued statements on the judgement, including some that express doubt about continuing to allow transfer to the U.S. via SCCs, at least in some circumstances.

For Assistance or More Information

Xact Data Discovery (XDD) is a leading international provider of eDiscovery, data management and managed review services for law firms and corporations.  XDD helps clients optimize their eDiscovery matters by orchestrating precision communication between people, processes, technology and data.  XDD services include forensics, eDiscovery processing, Relativity hosting and managed review.

XDD offers exceptional customer service with a commitment to responsive, transparent and timely communication to ensure clients remain informed throughout the entire discovery life cycle.  At XDD, communication is everything – because you need to know.  Engage with XDD, we’re ready to listen.

About the Author

Matthew Verga

Director of Education

Matthew Verga is an electronic discovery expert proficient at leveraging his legal experience as an attorney, his technical knowledge as a practitioner, and his skills as a communicator to make complex eDiscovery topics accessible to diverse audiences. A fourteen-year industry veteran, Matthew has worked across every phase of the EDRM and at every level from the project trenches to enterprise program design. He leverages this background to produce engaging educational content to empower practitioners at all levels with knowledge they can use to improve their projects, their careers, and their organizations.
