On July 16, 2020, the Court docket of Justice of the European Union (CJEU) introduced its judgment within the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privateness Defend is invalid as a result of it doesn’t present an sufficient degree of safety for the switch of non-public knowledge from the European Union (EU) to america. Nonetheless, it held that customary contractual clauses (SCCs) for the switch of non-public knowledge from the EU to international locations outdoors the EU stay legitimate however said that firms counting on SCCs have a number of obligations to make sure compliance with EU knowledge safety necessities.
Background
The origins of the case hint again to a criticism lodged by Maximillian Schrems, an Austrian citizen, with the Irish Information Safety Commissioner. Schrems sought to stop the switch of non-public knowledge from the EU to america below the Protected Harbor Framework. After additional authorized motion, on October 6, 2015, the CJEU determined in his favor and held that the European Fee resolution that Protected Harbor Framework supplied sufficient protections for private knowledge transferred from the E.U. to america was invalid.
The Privateness Defend changed the Protected Harbor Framework and have become operational in August 2016. Along with SCCs, it’s a continuously used mechanism for employers to switch private knowledge outdoors of the EU.
What occurred on this case?
Regardless of progress having been made within the functioning of the Privateness Defend program, as reported by the European Fee in its third annual evaluation printed on October 23, 2019, for causes much like the choice to declare the Protected Harbor Framework invalid, the CJEU has dominated that the Privateness Defend just isn’t legally legitimate. That is primarily as a consequence of issues over the entry that U.S. intelligence businesses need to EU knowledge.
A few of the courtroom’s key findings have been that (i) U.S. nationwide safety, public curiosity, and regulation enforcement takes priority over and subsequently condones interference with the elemental rights of individuals whose knowledge is transferred to america (ii) U.S. surveillance applications will not be restricted to what’s strictly obligatory, and (iii) there’s inadequate judicial safety for people in that the mechanisms obtainable to them will not be binding on U.S. intelligence businesses and will not be equal to the usual that exists within the EU.
In higher information for employers, and in step with the non-binding advice of the Advocate Basic of the CJEU, printed on December 19, 2019, the CJEU confirmed that SCCs proceed to be a sound software for the switch of knowledge. Nonetheless, it highlighted that the duty stays on knowledge controllers to evaluate the extent of knowledge safety afforded by the nation to which the info is being transferred. Particularly, knowledge controllers should take the next actions:
In collaboration with knowledge processors and knowledge topics, the place attainable, knowledge controllers should decide whether or not the info safety legal guidelines of the recipient nation fail to offer sufficient safety for knowledge topics and take measures to compensate for such failings which are along with the protections afforded by the SCCs. These measures embrace making certain that knowledge topics have enforceable knowledge topic rights and entry to efficient authorized treatments.
Information controllers should droop or finish the switch of knowledge from the EU to america the place the info controller or knowledge processor can’t take such further measures to ensure sufficient protections.
U.S. Response to the Ruling
Secretary of the U.S. Division of Commerce Wilbur L. Ross, Jr. issued a assertion on the Schrems II ruling stating that, “the Division of Commerce is deeply disenchanted that the courtroom seems to have invalidated the European Fee’s adequacy resolution underlying the EU-U.S. Privateness Defend” however that the Division is “nonetheless finding out the choice to totally perceive its sensible impacts.” Additional, Secretary Ross said:
The Division of Commerce will proceed to manage the Privateness Defend program, together with processing submissions for self-certification and re-certification to the Privateness Defend Frameworks and sustaining the Privateness Defend Checklist. At this time’s resolution doesn’t relieve collaborating organizations of their Privateness Defend obligations.
Influence on Different Worldwide Information Transfers
Though the Schrems II resolution solely applies to the EU-U.S. Privateness Defend Program, it’s anticipated that the Swiss knowledge safety commissioner will quickly discontinue the Swiss-U.S. Privateness Defend program, which relies on the EU-U.S. Privateness Defend program. Certainly, the Swiss commissioner discontinued the Swiss Protected Harbor Framework quickly after the European Court docket of Justice invalidated the EU Protected Harbor Framework in 2015.
Additional, a number of international locations outdoors of the EU have both acknowledged the EU SCCs or adopted mannequin contract clauses much like the EU SCCs as authorized mechanisms for transferring knowledge to different international locations. These international locations could now require knowledge controllers to conduct country-specific knowledge safety regulation assessments and supply further safeguards for any deficiencies as outlined within the Schrems II resolution.
What does this imply for employers?
The fast consequence of the choice is that firms that depend on the Privateness Defend can now not achieve this on the presumption that it offers sufficient protections. It additionally implies that a switch of non-public knowledge below the Privateness Defend could also be topic to complaints by workers and clients, investigations by particular person knowledge safety authorities, and attainable enforcement actions and penalties.
Given the U.S. authorities’s place, firms already licensed below the Privateness Defend could wish to fastidiously consider their place earlier than discontinuing their participation in this system. Whereas the courtroom’s resolution has fast impact, it’s anticipated that the EU will present some form of grace interval, because it did when the Protected Harbor Framework was invalidated in 2015, to allow Privateness Defend-certified firms to transform to a different authorized switch mechanism or to permit america and EU to barter a alternative for the Privateness Defend.
Corporations that rely solely on the Privateness Defend could wish to evaluation different authorized means to switch private knowledge and will now have to put contractual clauses in place with entities within the EU based mostly on an evaluation of the related international locations’ knowledge safety legal guidelines and provision of further safeguards. Though these steps are doubtlessly extra burdensome than present practices, they’re achievable for many employers in relation to transfers inside the company construction. These steps, nonetheless, will possible show tougher to realize in relation to transfers of knowledge from third social gathering entities. Different choices embrace binding company guidelines that allow intracompany transfers or utilizing the derogations supplied by the Basic Information Safety Regulation (GDPR), together with transferring data in reference to getting into into or administering a contract or acquiring consent from people. Nonetheless, these choices could also be tough and dear to realize and the EU supervisory authorities have indicated that employers can’t rely on the consent of workers as a result of the unequal bargaining energy between employers and workers implies that workers can’t present voluntary consent.
Moreover, employers that depend on SCCs to switch knowledge from the EU could wish to develop an evaluation course of to find out the adequacy of the info safety legal guidelines of the international locations to which EU knowledge is transferred and implement further safeguards to treatment any deficiencies within the knowledge protections afforded by the recipient international locations.
Subsequent Steps
It’s hoped that additional steering from the European Fee or U.S. Division of Commerce could quickly be supplied and finally this resolution could result in a change in U.S. surveillance legal guidelines or the monitoring practices of U.S. intelligence businesses. Nonetheless, that’s maybe unlikely to happen within the brief time period.
Within the meantime, firms are required to proceed to make sure that their privateness practices and procedures adjust to the necessities of EU knowledge safety legal guidelines once they implement alternate switch strategies.
© 2020, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.Nationwide Regulation Evaluation, Quantity X, Quantity 199