In July 2020, the Court of Justice of the European Union (ECJ) handed down its judgment in Schrems II, holding that the EU/US Privacy Shield did not ensure a level of protection for personal data adequate under EU data protection law. The decision marked the second time the ECJ had invalidated an adequacy decision covering transfers between the EU and the US, undoing once more an arrangement meant to safeguard trans-Atlantic data transfers without curtailing US national security activities. Consequently, US companies that store or process EU personal data outside the EU are now exposed to serious liability when they send that data across the Atlantic, something many companies do in the regular course of business. Schrems II left open a potential means of continuing transfers lawfully through Standard Contractual Clauses (SCCs), but the Court's reasoning suggests it may well invalidate that mechanism, at least as applied to the US, the next time it comes under scrutiny.
The decision arises out of the acutely protective approach the EU takes to data privacy. In the EU, “[p]rivacy rights are given the status of a fundamental right,” enshrined in the EU Charter of Fundamental Rights, which became legally binding on the EU and its Member States when the Lisbon Treaty entered into force in 2009. In addition to the general right to respect for private life, the Charter separately establishes a “right to the protection of personal data concerning him or her.” That right includes a guarantee that an individual’s data will be processed fairly and only for “specified purposes.” According to the EU’s data protection supervisory authority (the European Data Protection Supervisor), the right to be “in control of information about yourself…plays a pivotal role” within the notion of dignity enshrined in the Charter.
Against this background, the EU adopted the General Data Protection Regulation (GDPR) in 2016; it became applicable on 25 May 2018. The regulation provides three mechanisms that allow personal data to be transferred from the EU to a third country, such as the US: (1) transfers based on an adequacy decision issued by the European Commission confirming that the third country ensures an adequate level of protection (Article 45); (2) transfers subject to ‘appropriate safeguards’ (Article 46), such as ‘Standard Contractual Clauses’ (SCCs), which permit transfers where contractual arrangements provide protection “essentially equivalent” to that guaranteed under the EU legal order; and (3) in the absence of an adequacy decision or appropriate safeguards, transfers relying on one of the derogations for specific situations (Article 49), which are to be construed narrowly.
In pursuit of smoother trans-Atlantic commerce, the US has chosen to negotiate adequacy arrangements to keep data flowing between America and the EU. Safe Harbour was the first of these, coming into effect in 2000; under that scheme, US companies self-certified their compliance with Safe Harbour principles that had been jointly negotiated by the EU and US. On that basis, the Commission found that companies so certified offered an adequate level of protection, so that transfers to them did not infringe EU law. Safe Harbour stood for 15 years until Schrems I in 2015, in which the ECJ held that an adequacy decision may be adopted only where the third country ensures a level of protection of fundamental rights and freedoms ‘essentially equivalent’ to that guaranteed within the EU. Although the Safe Harbour decision claimed to provide adequate protection for EU data, the Court held that it did not meet the ‘essentially equivalent’ standard, not least because it did not constrain US public authorities’ access to the transferred data or provide effective judicial remedies, and declared it invalid.
Data transfers between the US and EU were able to continue through SCCs, in particular the controller-to-processor clauses adopted by the Commission in 2010. The understanding was that SCCs could supply adequate safeguards by contract regardless of the level of protection offered by the destination country itself. The Court in Schrems I made no finding as to the validity of the SCC Decision, and SCCs were consequently regarded by the relevant players as a sufficient basis on which to continue transferring data between the EU and the US during the interim period in which a new adequacy decision could be negotiated.
Schrems II arose from the same underlying complaint as Schrems I and reviewed the validity of the Privacy Shield, the EU/US adequacy decision adopted in 2016 to replace Safe Harbour. The Privacy Shield was meant to address the concerns identified in Schrems I, namely that the US government enjoyed unreasonably broad access to transferred EU data and that EU data subjects lacked proper judicial redress in the US should their privacy be infringed. To that end, the US government made a series of representations and undertook specific commitments (including some formalized in Presidential Policy Directive 28) to limit more strictly the surveillance of non-US persons, including EU data subjects. Additionally, the US created a dedicated Ombudsperson within the State Department to provide EU data subjects with an additional avenue of redress.
The Court made two findings, one regarding the validity of the Privacy Shield and one regarding the validity of the SCC Decision. As in Schrems I, the ECJ found that the protection afforded in the US was not ‘essentially equivalent’ to that guaranteed by the fundamental rights enshrined in the Charter, invalidating the Privacy Shield on essentially the same grounds on which it had invalidated Safe Harbour. Unlike the first decision, however, Schrems II examined in detail why the US framework remained inadequate, attributing the problems to America’s surveillance programs: the relevant US law neither confines the collection of EU data to what is strictly necessary and proportionate nor gives EU data subjects rights enforceable against the US authorities in court, and the Ombudsperson mechanism does not cure that deficiency. While the ECJ did not say so in terms, the decision implies that the US cannot provide a level of protection essentially equivalent to that guaranteed in the EU so long as it gives primacy to domestic law permitting the surveillance of EU data once it enters the US, namely Section 702 of FISA and Executive Order 12333.
As to the SCCs, the ECJ confirmed the validity of the SCC Decision but significantly weakened the clauses’ practical utility. Because SCCs bind only the contracting parties and not the public authorities of the destination country, the Court found that they may be incapable of remedying the deficiencies of a third country’s data protection framework; where that is the case and no supplementary measures can close the gap, the exporter must suspend the transfer and the competent supervisory authority is required to suspend or prohibit it. The SCC Decision was thus found valid on the understanding that, “depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with [the adequate] level of protection” may be necessary, and that the exporter must assess, transfer by transfer, whether the law of the destination country allows the clauses to be honoured.
* Rachel Tuteur is an Associate Editor on the Michigan Technology Law Review.