Privacy Shield Struck Down (Schrems II Decision): First Thoughts on What It Means to Your Business
Having worked on Privacy Shield, and reading the Schrems II decision today, I thought it would be helpful to share some initial reactions:
Who Does This Affect?
Any company collecting information from EU data subjects (does NOT need to be a citizen of the EU).
Why Does Schrems II Matter?
Bottom line: if you are collecting data from European data subjects, you probably have some very tough problems to solve today.
If you are collecting data from European data subjects (from folks present in Europe), this is an important decision. To move, process, review or look at that data in the United States, EU law requires that you have a legal foundation (called a “Means of Transfer” or a “derogation” under Article 49 of the EU General Data Protection Regulation).
One of the major Means of Transfer (used by more than 5,000 companies) – Privacy Shield – cannot be used anymore.
Another Means of Transfer used by many companies – Standard Contractual Clauses – can only be used under the conditions below, and those conditions look very difficult, if not impossible, to meet in a practical way. The Irish DPA has already said that “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
The remaining options as Means of Transfer each have some real problems, outlined below.
When Does Schrems II Go Into Effect?
Today. Because this is a matter of fundamental human rights, there is no delay to the effect of the decision.
What Does That Mean I Have to Do Today?
- If you have standard contractual clauses in place, you can at least take the time to consider whether they provide enough protection for transfers to the US.
- If you don’t have standard contractual clauses in place, the full decision, which is posted here, says that companies can look to Article 49 of GDPR to see if there are other ways to transfer data for now. Those other options include:
  - Explicit consent by the data subject (person), if that consent follows warnings of the risks;
  - A transfer to the US “necessary” for the performance of a specific contract;
  - A transfer to the US “necessary” to conclude performance of a contract that is in the interest of the data subject (person);
  - A transfer to the US “necessary for important reasons of public interest”;
  - A transfer to the US “necessary” for defense or exercise of legal claims;
  - A transfer to the US “necessary” to “protect the vital interests” of the data subject (person);
  - Another very narrow exception applies.
- Hope for a delay in enforcement. When Safe Harbor was struck down, the Article 29 Working Party delayed enforcement while a new deal was worked out. We hope that something similar can be put in place now.
Is There a Path for a New Adequacy Decision?
This is really not clear.
The center of the Schrems II decision is a finding that the rights of EU data subjects to challenge collection by US intelligence agencies are not “essentially equivalent” to the rights in Europe. The court found that the Ombudsperson did not serve that function because of independence issues, and found that there was no ability for an EU person to bring an individual claim to an independent tribunal challenging national security collection.
Each of these issues runs into statutory, and possibly constitutional, issues in the US. I’ll share deeper analysis on this later, but I think it is fair to say there is not a clear path to solve these issues legally.