
The Court of Justice of the EU Invalidates the EU-US Privacy Shield
July 2020

On July 16, 2020 the Court of Justice of the EU (the CJEU), in a case known as Schrems II, invalidated the EU-U.S. Privacy Shield as the leading framework for the transfer of personal data from the EU to the U.S. The main reason for this ruling is that the US authorities' surveillance programs, conducted for purposes of US homeland security, are regarded as breaching the privacy rights of EU citizens.

Standard Contractual Clauses
 
According to the European GDPR, a cross-border transfer of personal data outside the EU may only be made to a country that ensures an adequate level of data protection. In the absence of an adequacy decision, such a transfer may take place only if the data exporter established in the EU has provided appropriate safeguards, which basically require the parties to a data transfer either (a) to execute the Standard Contractual Clauses (in the form issued by the European Commission) or (b) to adopt Binding Corporate Rules (data protection policies approved by a competent data protection authority in the EU). The Standard Contractual Clauses remain the main default alternative for EU-US data transfers. However, due to uncertainties that have been raised before and by the CJEU, we may expect additional guidance from EU privacy regulators in this regard.
 
EU-US Privacy Shield
 
The EU-US Privacy Shield is a framework that enables companies on both sides of the Atlantic to comply with data protection requirements. It serves in lieu of an adequacy decision for the US, allowing eligible companies to use a data processing agreement without the Standard Contractual Clauses when transferring personal data from the EU to the U.S. An eligible organization must adopt a conforming privacy policy, set up internal mechanisms and self-certify. Some 5,300 companies hold such self-certification.
 
Who is Max Schrems?
 
Max Schrems, an Austrian citizen and a serial claimant and activist against Facebook, claims that as a Facebook user his personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. located in the U.S. Mr. Schrems argues that the U.S. does not offer sufficient protection for data transferred to that country. Mr. Schrems seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses.

The CJEU Ruling
 
The Schrems complaint, brought before Ireland's High Court, was referred to the CJEU for a preliminary ruling questioning the validity of the adequacy of the protection provided by the EU-U.S. Privacy Shield. On July 16, 2020 the CJEU ruled that the EU Commission's decision of July 2016 regarding the Privacy Shield is invalid. This means that the Privacy Shield is no longer a valid mechanism for complying with EU data protection requirements when transferring personal data from the EU to the US.
 
The US authorities, namely the Department of Commerce, declared that they are "disappointed, but will continue to administer the program", and that this decision does not relieve participants in the Privacy Shield from their obligations.
 
So, what is the meaning of all this?
 
The meaning is quite dramatic. All entities exporting data from the EU to the US are forced to replace their current mechanism for cross-border transfers of personal data. Many will probably choose to use the Standard Contractual Clauses and related terms and conditions as required under the GDPR. These may impose a heavy burden on both the data importer and the data exporter. If a company cannot comply with the clauses, it must immediately cease transferring data.
 
It would be naive to think that data flows across the Atlantic will be suspended; but we may see ex-post implications, such as the imposition of new guidelines and enforcement measures by the supervisory authorities of EU member states.
 
Some initial recommendations:

(a) Relevant companies will be at risk and must consider renegotiating their services agreements to adopt the Standard Contractual Clauses and related terms.

(b) It is recommended to review and analyze current engagement terms with customers and service providers (such as hosting services, SaaS providers, other data processors, etc.), in order to determine whether they rely on the Privacy Shield. If so, you need to put in place a valid legal arrangement.

(c) From a practical point of view, and in order to reduce risk, consider storing personal data of EU persons on servers located in Europe and limiting the access of U.S. users to such data, where this is commercially and technically feasible.

(d) It is recommended to review your privacy policies (public and internal), as well as your forms of data processing agreements, in order to adapt them to the new legal situation.

Moreover, this will require additional thought on how to adapt to the new regime, and may put pressure on US authorities to move forward towards a comprehensive data protection and privacy legal framework which genuinely meets the GDPR requirements for adequate safeguards.
 
Implications for the Israeli market
 
Israel's adequacy status, obtained in 2011 (Israel being one of the first countries to enjoy this status), is not directly affected by this CJEU decision. However, it may influence the current assessment of Israel's adequacy, which is being conducted by the European Commission at this time. In light of the CJEU decision, Israel may also be at risk of losing its adequacy in the future, given the proximity surveillance carried out by the Shin Bet in the fight against the coronavirus and perhaps for other reasons as well, such as missing legislation and poor enforcement.

In addition, due to the language of the Israeli regulations governing cross-border data transfers, the CJEU decision may also undermine the adequacy of the U.S. as a data importer from Israel under certain circumstances. Therefore, we would expect to receive guidance from the Israeli privacy regulator in this regard.
 
Given the regulatory uncertainties, companies will have to make sure that they are taking their privacy programs seriously and that their data protection risks are mitigated properly.
 
*
 
Press release of the Court of Justice of the European Union
Ongoing report and analysis on the IAPP web page
Adv. Lior Etgar, Head of the Data Protection and Privacy practice.

Phone: +972-3-7770120

Email: Liore@ebnlaw.co.il