The CJEU referral arose from objections raised against Facebook before the Irish data protection commission, because of concerns over covert surveillance of trans-Atlantic communications by US intelligence agencies. (Facebook, in common with several other large IT companies, bases its European operations in Ireland.) The European Commission had investigated those practices and accepted US assurances concerning oversight under the US Foreign Intelligence Surveillance Act (“FISA”) and executive orders establishing an Ombudsman to handle complaints from EEA residents, who do not enjoy the same protections as US citizens under FISA. The Court rejected the Commission’s decision that the Privacy Shield program provided an “adequate” level of protection under the General Data Protection Regulation (“GDPR”) Article 45, because the Court found that these safeguards did not rise to the standard of the EU Charter on Fundamental Rights. The Charter requires a state to limit its surveillance activities to what is “strictly necessary and proportional” and to provide for judicial recourse. The Court deemed FISA deficient in this respect and the Ombudsman provisions not equivalent to judicial recourse.
There is no appeal from the CJEU, and while the European Commission has proclaimed its willingness to discuss revisions to the Privacy Shield and associated measures with its US counterparts, this is not likely to be resolved in the final months of an unusually fevered general election in the US.
The Court did not invalidate the Commission’s SCC decision, which did not entail an adequacy finding about US law and procedure. Instead, the Court made it clear that companies using SCCs are responsible in the first instance to determine if they can assure the confidentiality of the data in the receiving country, given local law and government practices, and the Court stated that the data protection supervisory authorities in Europe should examine that issue when challenged. The court referred the SCC complaint back to the Irish data protection commission to do so in the case of Facebook. Given what the Court concluded about deficiencies in the US legal protection of non-US persons affected by US surveillance, it would seem that the Irish commission is in a difficult position to bless SCCs that currently cover, or that would replace Privacy Shield, for the trans-Atlantic data flows of giants with EMEA bases in Ireland, such as Google, Microsoft, AWS, Hewlett Packard, Accenture, Pfizer, Experian, Seagate, Medtronic, Johnson & Johnson, etc.
Again, any legislative or executive revisions on the US side will not be simple and cannot be expected before 2021.
Notice, however, that the Court’s decision also puts pressure on contracting parties and data protection regulators to meet a high standard, and not just for data transfers to the US. When a company in Germany shares data with a contractor or affiliate in China, Russia, Turkey, or Vietnam, for example, can it be reasonably satisfied that there is no “disproportionate” government surveillance, and that German citizens would have judicial recourse in those countries if that occurred?