This past July, a decision by the European Court of Justice (ECJ) struck down the European Union-United States Privacy Shield framework (EU-U.S. Privacy Shield), one mechanism through which companies could transfer personal information or data to the United States in compliance with the European Union’s General Data Protection Regulation (GDPR). The ECJ overturned an earlier European Commission decision that the framework — administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC) — adequately protects European individuals’ personal data in compliance with the GDPR. The court based its ruling on a finding that U.S. government foreign surveillance is not limited to surveillance that is strictly necessary, and that neither U.S. national security laws nor the Privacy Shield framework provides enforceable privacy rights and effective legal remedies for European data subjects.

ECJ upholds validity of standard data protection clauses, binding corporate rules

With the invalidation of the Privacy Shield adequacy determination, companies seeking to transfer personal data from the European Economic Area (EEA) to the United States — or transfer EEA-originated personal data onward within the United States — must now use other mechanisms recognized by the GDPR to appropriately safeguard personal data, such as standard contractual clauses (SCCs) in data transfer or protection agreements or binding corporate rules (BCRs). The ECJ also noted that parties on both sides of data transfers governed by SCCs have a responsibility to ensure that data is adequately protected from unnecessary interference, or transfers should not occur.

Switzerland regulator finds Swiss-US Privacy Shield regime inadequate

Shortly after the ECJ ruling, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) also found the Swiss-U.S. Privacy Shield does not provide an adequate level of data protection under Swiss law. Although the FDPIC is not bound by the ECJ decision, it cited the decision as persuasive and based its conclusion partly on the ECJ’s findings. According to the FDPIC, the “lack of transparency and the resulting absence of guarantees concerning the interference of U.S. authorities” were irreconcilable with Swiss law.

The FDPIC was also skeptical of the use of SCCs and BCRs as appropriate or long-term replacements for the Privacy Shield regime. It found that, much like the Privacy Shield regime itself, these contractual provisions “cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.” In practical terms, the FDPIC conclusion means the Swiss-U.S. Privacy Shield should be replaced with a regime that is compliant with Swiss law.

Despite these findings, the FDPIC does not have the authority to strike down the Swiss-U.S. Privacy Shield regime because it is not a court. Because of this, the regime remains in force, is still binding and can still be relied upon by persons in Switzerland. However, this is an area to follow as the Privacy Shield regime might be struck down in Swiss court, where the FDPIC policy findings would hold significant weight.

EU Commission looks to update SCCs

The EU Commission is in the process of modernizing the SCCs to account for GDPR requirements. This work had been paused pending the ECJ decision, but companies can expect new clauses to be drafted and released in the near term. Although the timing is unclear, once the updated SCCs are issued, they should be added to new contracts governing personal data cross-border transfer and use.

Department of Commerce white paper

In September, the U.S. Department of Commerce, which oversees the EU-U.S. Privacy Shield program, along with the U.S. Department of Justice (DOJ) and the Office of the Director of National Intelligence, released a white paper addressing the Schrems II decision. Key points include the following:

  • Most U.S. companies do not deal with data that would be of interest to U.S. intelligence agencies and do not engage in data transfers of the type that concerned the ECJ in Schrems II.
  • S. intelligence agencies frequently share information with EU intelligence agencies to combat terrorism, weapons proliferation and hostile foreign cyber activity, which serves important EU public interests.
  • Since 2016, amendments to U.S. laws and regulations have afforded increasing protections that mitigate or obviate many of the concerns raised in Schrems II.
  • A lack of ECJ review or assessment of EU surveillance laws and intelligence gathering tools for compliance with the privacy requirements found in the GDPR makes it difficult to assess whether U.S. surveillance laws — and more recent protections of individuals subject to them — comply with the GDPR.

The white paper encouraged the continued use of SCCs and BCRs in the cross-border transfer of personal data, including, where necessary, with the implementation of additional safeguards including those available under the Foreign Intelligence Surveillance Act (FISA) 702, which allows individual redress for violations or abuses of surveillance and subpoenas under the FISA 702 program.

What should you do?

If your company is certified under the Swiss-U.S. or the EU-U.S. Privacy Shield program, you should continue to comply with your obligations to avoid enforcement actions by the FTC or breach-of-contract claims arising from agreements for which it served as the basis for past or ongoing cross-border transfers. As mentioned by the DOJ, the European decision “does not relieve participants in the EU-U.S. Privacy Shield of their obligations.” You should also determine whether you’re transferring EU personal data to other companies that are Privacy Shield certified (whether from the EU or outside the EU). If necessary, determine what appropriate safeguards to employ — such as SCCs — or what derogations, as discussed below, to rely on to permit continued transfers.

There are “derogations for specific situations” under GDPR, namely for the performance of contractual obligations and for the establishment, exercise or defense of legal claims. The European Data Protection Board’s extensive guidance on the application of the derogations can be viewed here. It’s also a good idea to look for any additional guidance from the EU Commission on updated contractual clauses, which are anticipated to come later this year.