Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.
While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Since a number of companies actually do rely on Privacy Shield as an adequacy mechanism, it is worth starting with this part of the judgment. Privacy Shield has always been a somewhat rickety bridge for transfers since its very inception involved a rushed negotiation after the collapse of its predecessor, the Safe Harbor Framework in 2018.
Oddly enough, the usual laundry list of complaints about Privacy Shield wasn’t really the death-knell for the framework. While the FTC, to their credit, had begun enforcement activity associated with Privacy Shield, (but only against companies who fraudulently misrepresented their self-certifications were valid or up to date) a number of privacy advocates still complained about it not being actively monitored; that it relied on self-certification and self-policing; and that the designated enforcement mechanisms were not as practical to EU residents.
The “Real” Privacy Shield Problem
Max Schrems has been on a crusade against the US intelligence apparatus for some time. Regardless of your position on this politically, the genesis of all of these court challenges is the simple fact that US intelligence is hoovering up data about people – just like the EU Member State intelligence agencies do. So, while many look at this decision as a “win” for the individual’s rights against government snooping, it really isn’t. The EU Intel community still gets to spy on you.
What ended up sinking Privacy Shield (to mix a metaphor) wasn’t the fact that the data transferred to the US was potentially subject to intelligence and law enforcement snooping – it was that EU citizens don’t have a private right of action in the US courts to enforce the privacy rights enshrined in the Privacy Shield Framework against the government. If you look at the EU countries, they all have significantly more aggressive domestic intelligence communities than the US has. The difference is that they have tribunals in which an individual can make a claim against the government. The judgment recognized that American citizens have this right under the 4th and 5th Amendments. It is just that non-US persons don’t (primarily because they don’t have standing as non-citizens.)
It would then seem to be that there could be an avenue to revive Privacy Shield – give EU residents standing to make a claim against the US government. While this sounds a bit off-the-wall, there is actually precedence for such a thing. The Alien Tort Claims Act does exactly this sort of thing.
Unfortunately, this solution requires an “Act of Congress”. And in this day and age, the colloquialism has never been more true. So, for the time being, Privacy Shield is dead.
Standard Contractual Clauses (the whole reason for this in the first place)
Considering far more companies use SCCs for their data transfer mechanism, a lot of folks are breathing a quiet sigh of relief that the SCCs didn’t get invalidated. Appropriate legitimized transfers have been taking place for years using for the old tried and true Controller to Controller and Controller to Processor SCCs. While the SCCs have not been updated since Avatar was in theaters, those transfer mechanisms had continued to live on – so far.
Kind of. We hope.
The CJEU did not invalidate the SCCs decision, but they did do two other things which leave one very nervous about the viability of the SCCs for the future.
First (and this is how we ended up with the Privacy Shield part of the Judgment) the Court looked as the capacity for any adequacy mechanism to impose limits on the US Government. The Court then spent some time running across the three rings of this circus bouncing between the SCCs decision needing to be evaluated in light of all the other countries besides the US, and the fact that the Irish High Court put forth a number of facts about the US which made it sound like no adequacy mechanism would ever work with the US laws.
It was this part of the Judgment where the discussion around how to “save” SCCs appeared. The Court found that the SCCs were permissible because each Member State’s data protection authority (“DPA”) has an independent capacity to review the implementation of the SCCs and make its own determination as to whether or not the SCCs are sufficiently enforceable to protect the fundamental rights and freedoms of the GDPR. Apparently, because the individual DPAs can decide that the US can’t use SCCs, the SCC decision stands.
Make sense? Me neither.
The second component of the SCC part of the Judgment is a bit more concerning. The Court’s discussion around the independence and capacity of the Member State DPAs to make their own determination as to the effectiveness of the SCCs came with a rather stark condition. In point of fact, DPAs are “required to suspend or prohibit a transfer of personal data to a third country where… the standard data protection clauses are not and cannot be complied with in that country and that the protection of the data transferred… cannot be ensured by other means….” This essentially means that the Member State DPAs do not have the discretion whether or not to investigate and stop data flows under SCCs which the DPA determines cannot be complied with. If they find the SCCs cannot be adhered to, they are required to prohibit such transfers.
Considering the dicta around why the US legal system can’t support the Privacy Shield Decision, it is easy to anticipate at least some of the DPAs making a blanket determination that, based on similar grounds, no SCCs executed with US data importers are viable. If this happens, we will have some DPAs prohibiting transfers based on SCC’s in their jurisdictions, while others let them stand. That means the old GDPR concept of “harmonization” is out the window, and we are back to a Europe with inconsistent enforcement, and DPA-shopping by some businesses.
But – SCCs aren’t dead… yet.
Fortunately, the EU Commission is already on track to update the SCCs to conform with the requirements of the GDPR. Hopefully, the next decision will take the findings in the Schrems II Judgment into account and find a way to inject a bit more certainty into the SCCs. If not, the only two adequacy mechanisms available to businesses in the US may be gone.