International: What Privacy Shield organizations should do in the wake of 'Schrems II'

In brief

This is the first in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.


Key takeaways

The Court of Justice of the European Union issued its decision in "Schrems II" Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Shield when transferring data to these organizations. Overnight, it seems the certainty of the conditions for the lawful transfer of this data has been removed.

Fortunately, the CJEU did not invalidate the European Commission's standard contractual clauses for transfers to data processors. However, the rationale behind the court’s ruling on Privacy Shield (which focused on concerns about U.S. law and practice on government surveillance) would suggest that companies will need to evaluate their use of SCCs. In particular, companies will need to evaluate whether the SCCs provide sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country.

Historically, when the CJEU invalidated the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) in 2015, the EU data protection authorities collectively advised that they would observe a grace period on enforcement so that companies would have an opportunity to respond. As of the date of this writing, we haven't received such welcome guidance from the European Data Protection Board, although individual DPAs, such as the U.K. Information Commissioner, have indicated that if companies are using Privacy Shield, they should continue to do so. Moreover, it is not clear what the timeline would be for the European Commission and U.S. government to remediate the infirmities in the Privacy Shield as found by the CJEU, although public statements from both sides suggest that they are in communication on these issues.    

So, what now? For U.S. organizations participating in Privacy Shield, next steps can include the following.

Understand what personal data is covered 

The first step is to understand what personal data transfers have been covered under the organization's self-certification to Privacy Shield. Privacy Shield organizations can be data controllers with respect to personal data about internal human resources data (e.g., employees, job applicants, contractors and others of EU subsidiaries or operations), as well as customers (e.g., corporate customer contacts, individual consumers, patients or the like) and other third parties (e.g., contacts for distributors, business partners, suppliers and the like). Privacy Shield organizations also can be data processors that act as vendors to process data related to the consumers, patients and end-users of the organization's corporate customers. 

Develop a plan for each category of data transfer

The organization should develop a plan for how it will address each big picture category of data transfer under Privacy Shield. There is no one-size-fits-all plan, but having a plan will help the organization focus its efforts and also in the event the organization needs to have a discussion with DPAs, customers, business partners, company data protection officers, works councils or others.

Evaluate whether implementation of SCCs can help

Where the organization participates in Privacy Shield as a controller, implementation of the SCCs for such controller-to-controller data transfers can help strengthen the position that the transfers are permissible. Given the reasoning of the CJEU in "Schrems II," the organization will still need to undertake due diligence to evaluate and document the risks associated with the transfers, but the organization would be in a better position from a GDPR perspective because the SCCs are still a valid tool for data transfers. Where the organization acts as a data processor on behalf of customers in the EU, the organization should consider preparing and presenting to customers updated terms that include the SCCs for controller-to-processor transfers. The organization should also be prepared to answer due diligence questions from customers regarding disclosures to public authorities and related issues raised in the CJEU opinion. It will be important to have a clear understanding of whether, in practice, the organization has needed to respond to such intelligence gathering by public authorities in the past, as well as what its policies and practices are for responding going forward.

Evaluate whether derogations or other legal justifications can help

Depending on the context, some organizations may be able to adopt other strategies. For example, if the organization engages in direct-to-consumer online transactions, it might be able to narrow the data collections to that which is necessary to perform the transaction with the consumers. Such an approach might require the company to trim out data collections that are unnecessary (e.g., to disable advertising cookies for EU IP addresses) but could be a logical way to proceed.

Remember Privacy Shield obligations still apply 

Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply. If an organization were to decide to disregard its Privacy Shield commitments, it could still be subject to action by the U.S. Federal Trade Commission. The organization might also have obligations in agreements with customers or others to adhere to the Privacy Shield, and those commitments may not be terminated merely because of the CJEU ruling. As such, organizations need to be mindful to continue to adhere to Privacy Shield obligations even in this interim period following "Schrems II."

Continue monitoring developments 

The interpretation and application of "Schrems II" is rapidly changing and developing. We are expecting more guidance from authorities and other developments in the coming days and weeks. Privacy professionals should stay closely aligned with these developments and adjust their plans accordingly. 

At the end of the day, no one realistically expects that EU DPAs will immediately launch investigations against thousands of companies that have built and deployed strong privacy programs in reliance on Privacy Shield. Such an approach would be counter to how the EU DPAs have approached their responsibilities over many years. What is to be expected, however, is that organizations participating in Privacy Shield should have a plan for how they are going to address the issues, start implementing that plan as soon as reasonably possible, and be ready to discuss with authorities, business partners, customers and others as needed.

In the coming days, we will issue a series of guidance notes on what to do in the wake of "Schrems II," including on what "Schrems II" means for companies that rely on Privacy Shield, C2P SCCs, C2C SCCs, derogations, binding corporate rules and what it means for Brexit. 

*****

*Reproduced with permission. Published July 2020. Copyright © 2020 International Association of Privacy Professionals. 800.266.6501. For further use, please visit: https://iapp.org.    
