The once-and-future privacy shield

Jenny Holmes, BridgeTower Media Newswires

The European Court of Justice’s July 2020 invalidation of the Privacy Shield threw much of the international business world into panic and confusion, given that over 5,300 companies — and trillions of dollars of U.S.-EU trade — had been relying on the Privacy Shield to validate data flows between the U.S. and the European Union. Unfortunately, the last few months have done little to set things right again. This alert provides a summary of where things stand now, and potential ways forward for the future.

But first, a quick review:

The European Commission determines whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU to a third country without any further safeguard being necessary. According to the Commission, the U.S. does not offer an adequate level of protection and, therefore, the U.S. has always had to rely on an additional mechanism to transfer the data. The Privacy Shield is the second framework in place for regulating the transfers of personal data between the EU and the U.S., with the goal to enable U.S. companies to more easily receive personal data from EU entities while also protecting EU citizens.

The Privacy Shield requires U.S. companies to self-certify that they are in compliance with certain privacy principles. In doing so, the Privacy Shield requires U.S. companies to submit to the jurisdiction of the U.S. Federal Trade Commission (the FTC).

In lieu of certification to the Privacy Shield, U.S. companies may rely on the “Standard Contractual Clauses” (“SCC”) or binding corporate rules. The SCC are a contract between the data exporter and the data importer, aimed at protecting the personal data through contractual obligations. Binding corporate rules allow multinational corporations to make intra-organizational transfers of personal data across borders.

On July 16, 2020, the ECJ issued an opinion in a lawsuit brought by former law student Maximilian Schrems against Facebook. In its July ruling, now referred to as the “Schrems II” opinion, the ECJ determined that the Privacy Shield was invalid. According to the ECJ, the Privacy Shield — the mechanism negotiated by the U.S. and EU, by which companies could self-certify that their data protection protocols provided sufficient protection to EU data — could not stand because, no matter what the self-certifying companies said, the U.S. government’s national security surveillance practices were too intrusive and provided no effective means of redress for affected EU data subjects. While the Schrems II opinion left the Standard Contractual Clauses’ data transfer mechanism intact, it did say that companies relying on them must be ready to justify, on a case-by-case basis, how the particular data flow covered by the SCC offers EU data subjects sufficient protection against the surveillance concerns.

So how do things stand currently? Unfortunately, mostly unsettled:

No enforcement “grace period,” nor any “new-and-improved” Privacy Shield on the horizon: As some may recall, back in 2015 the Schrems-Facebook case yielded an earlier blockbuster ruling — the invalidation of the “Safe Harbor,” which was the U.S.-EU data transfer method that preceded the Privacy Shield. Shortly after the Safe Harbor was invalidated, the EU authorities announced a moratorium on enforcement actions while the EU and U.S. authorities negotiated a Safe Harbor replacement, which took over a year. After the Schrems II ruling, however, no similar enforcement moratorium has been announced, nor has any EU guidance been issued to assist companies trying to navigate the new legal landscape. Thus far there have been no clear indications of progress on any replacement or “improved” Privacy Shield that would address the ECJ’s Schrems II concerns.

Israel and Switzerland follow the EU’s lead: The Israeli Privacy Protection Authority also announced that, for the same reasons articulated in the Schrems II opinion, the Israel-U.S. Privacy Shield is no longer valid to protect data transfers between the two countries. In September, the Swiss Federal Data Protection and Information Commissioner reached essentially the same decision with respect to Switzerland-U.S. data transfers.

The U.S. response Part I — keep following the Privacy Shield: In the days following the Schrems II decision, the FTC, which administers the Privacy Shield, issued a statement saying that, despite the Schrems II decision, “[w]e continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.” In other words, the U.S. government (including via FTC enforcement) expects certified companies to continue to adhere to Privacy Shield standards, even if the EU no longer considers the standards a valid transfer mechanism.

The U.S. response Part II — supporting SCCs: The United States government issued a “white paper” in which it addressed the ECJ’s criticisms of the SCC and offered several points for companies to consider when attempting to justify particular SCC data transfers. In brief, the white paper argues that, in the U.S. government’s view at least, the Schrems II decision focused on aspects of U.S. surveillance that were superseded long ago. The white paper claims that there are currently several practical limits on U.S. surveillance, including the fact that many U.S. businesses are rarely subject to it; that numerous procedural safeguards are now in place that are designed to prevent surveillance abuse; and that certain U.S. statutes in fact provide legal redress to EU citizens affected by U.S. government surveillance. The white paper thus, in essence, provides practical “cover” to businesses looking for ways to justify that their use of SCC is “safe” under the Schrems II standards.

What’s next? It is difficult to reliably predict what will happen, and when, with the Privacy Shield. Many businesses clearly would like clarity and resolution as soon as possible, as would the U.S. government, which, in conjunction with the issuance of the white paper, published an article on Lawfare beseeching the EU to work with the U.S. “to provide the legal clarity and certainty essential to transatlantic commerce and cooperation.” While the European Commission has stated that revised SCC may be issued by the end of 2020, these revisions were in the works even before the Schrems II decision, and it is unclear at this point whether the new SCC will be able (or are even intended) to provide the case-by-case data flow security justifications the Schrems II decision appears to contemplate.

Given all the uncertainty, there is no easy, risk-free answer on what businesses should do at this point. Many Privacy Shield-certified companies, post Schrems II, have opted to implement SCC as, essentially, the only remaining practical means of validating EU-U.S. data flows. Companies using SCC should consider the white paper’s points and justifications, as well as other facts specific to the company’s particular data flows — including whether they are of the type typically subject to government surveillance, and whether the company has ever received any requests for information from the U.S. government — when analyzing the security issue. Even with SCC in place, however, companies should consider maintaining their Privacy Shield status given that, if a new and improved Privacy Shield is eventually issued, having the current Privacy Shield in place may make the transition easier. Additionally, companies that are already certified under the Privacy Shield must continue to comply with their obligations thereunder. Regardless, with luck and continued pressure from the international business community, additional clarity and guidance will hopefully be coming soon.

—————

Jenny Holmes is deputy leader of Nixon Peabody LLP’s data privacy & cybersecurity team and an associate in the firm’s corporate department. She developed this article with Nixon Peabody attorneys Jason Gonzalez and Troy Lieberman.