Generally, personal data may not be transferred to countries outside of the European Economic Area (“EEA”) under the EU General Data Protection Regulation (“GDPR”) unless the European Commission has deemed the third country adequate to receive personal data. To date, the following countries are considered adequate to receive personal data from the EEA: Andorra, Argentina, Canada (except if the recipient is a public body), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. If a data exporter plans on transferring personal data to a recipient in a country that has not received an adequacy decision, it must rely on specific data transfer mechanisms approved under the GDPR, such as Binding Corporate Rules, European Commission Standard Contractual Clauses (“SCCs”) and, previously, in the case of the United States, the EU-U.S. Privacy Shield (“the Privacy Shield”).
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) rendered a decision in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems (“Schrems II”) that limits the ability of data exporters to transfer personal data to the United States. In Schrems II, privacy advocate Maximilian Schrems challenged Facebook Ireland Ltd.’s ability to transfer information about users in Europe to Facebook, Inc. in the United States. Mr. Schrems previously raised a similar challenge in Schrems I, which ultimately invalidated the EU-U.S. Safe Harbor Framework, the Privacy Shield’s predecessor.
The CJEU held in Schrems II that transfers of personal data from the EEA to the United States through the Privacy Shield are invalid. The CJEU invalidated the Privacy Shield because it expressed concern about U.S. public authorities having access to the personal data of EU residents through surveillance programs under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“E.O. 12333”), without EU residents having adequate protection and redress against U.S. government intrusion.
Moreover, while the CJEU also held that SCCs remain a valid mechanism for transferring personal data from the EEA to third countries, it added caveats that create uncertainty regarding how to utilize SCCs. Specifically, the CJEU indicated that before transferring personal data using SCCs, the data exporter and importer need to determine whether the legislation of the third country enables the data importer to comply with the SCCs. Following that assessment, the parties may need to include additional clauses or safeguards alongside the SCCs where necessary to protect EU personal data. Critically, the CJEU did not indicate what additional clauses should be included with the SCCs to protect against U.S. government surveillance under FISA and E.O. 12333. Additional guidance on this issue is necessary from the European Data Protection Board (“EDPB”), which recently announced that it is working on providing such advice.
Further, the CJEU held that data protection authorities in the EEA may suspend or prohibit transfers of personal data from the EEA to third countries using SCCs if those clauses cannot be complied with and the personal data that is transferred cannot be protected by other means. This creates further uncertainty because different data protection authorities may reach different conclusions regarding whether personal data may be transferred from the EEA to the United States in light of government surveillance under FISA and E.O. 12333. Tellingly, the CJEU noted this issue in its ruling: “transfers of personal data to such a third country may result in the supervising authorities in the various Member States adopting divergent decisions. . . .” In fact, following Schrems II, we already see mixed reactions from the data protection authorities. For example, the Berlin data protection authority issued a statement indicating that personal data cannot be transferred to the United States following Schrems II, while other data protection authorities reiterate that SCCs remain valid but that the circumstances under which personal data may be transferred to the United States need further assessment.
In sum, more guidance is necessary to determine how personal data may be transferred from the EEA to the United States using SCCs following Schrems II. For now, however, companies that relied on the Privacy Shield to transfer personal data to the United States need to either localize the data in Europe or explore other mechanisms for cross-border data transfers under the GDPR, such as SCCs, Binding Corporate Rules, or, for specific one-off transfers, the derogations available under GDPR Article 49. Indeed, it is uncertain what the future holds for transfers of personal data from the EEA to the United States because Mr. Schrems has already announced a mid-August challenge to Facebook’s ability to transfer personal data from Europe to the United States using any legal mechanism under the GDPR.