By Lucia Minnucci, LLM’21
Many countries around the world are approving privacy regulations protecting personal data and the rights of data subjects. However, controversies arise when data is transferred between countries with different regulations, such as the United States and the European Union. On July 16, 2020, in Data Protection Commissioner v Facebook Ireland, Maximilian Schrems (Schrems II), the Court of Justice of the European Union (CJEU) found the EU-US Privacy Shield, the legal framework regulating the transfer of data from the EU to the U.S., to be invalid.
Schrems filed his complaint after the disclosure, in 2013, of the existence of surveillance operations carried out by the U.S. National Security Agency (NSA). Schrems requested that Facebook be prohibited from transferring personal data to the U.S, claiming that the U.S. lacked adequate protection of personal data against such surveillance. The court held that the Safe Harbor, the legal framework in force at the time, was invalid (Schrems I). As a consequence, the EU Commission issued a new adequacy decision on the framework negotiated after Schrems I, the EU-US Privacy Shield, declaring that, under this framework, the U.S. met the necessary level of data protection to European data subjects. However, in Schrems II the CJEU rejected the EU Commission’s reasoning and declared the Privacy Shield invalid.
In explanation, the CJEU argued that the EU and U.S. had different frameworks for allowing interference with European data subject’s private information. In the U.S., the Privacy Shield generally enabled interference with European data subjects’ privacy rights either for U.S. national security and public interest or based on U.S. domestic legislation. However, by EU law, interferences are allowed only if explicitly provided by law and strictly necessary. Moreover, under EU law, anyone who felt their privacy violated had the right to an effective remedy before a tribunal, while, under the Privacy Shield, European individuals could not enforce their privacy rights in court against U.S. authorities. Because of these discrepancies, the CJEU found the Privacy Shield invalid.
This decision has serious implications for cross-border data processing. It is now unclear on what grounds personal data can be transferred from the EU to the U.S. In the absence of an adequacy decision, transfers to a non-EU country may be justified if appropriate safeguards are in place in that country, including the use of Standard Contractual Clauses (SCCs), (model contracts that legitimize international data transfers) or the application of specific derogations (such as consent) provided by art. 49 of the EU General Data Protection Regulation.
It should be noted that in Schrems II, the CJEU found that SCCs are not inadequate a priori but must be verified on a case-by-case basis. If a company in the EU wants to send a European’s private data to another country, the transferer must determine whether the law of the other country guarantees adequate protection of data transferred according to an SCC. If not, it should provide adequate additional safeguards to ensure protection or, if that is not possible, suspend that transfer.
Exactly how companies and other entities should go about transferring data to the U.S. based on SCCs or art. 49 derogations is complex and not entirely clear. Privacy professionals are looking at the newly issued guidelines from the European Data Protection Board and are on the lookout for further guidance from the Data Protection Authorities to determine the best way to go about it.