In a landmark decision in what is popularly known as the “Schrems II” case, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, the framework that facilitated the transfers of personal data from the European Union to the United States for thousands of companies. The court cited the breadth of National Security Agency surveillance programs (in connection with FISA Section 702 and Executive Order 12333) and the lack of redress for European individuals in connection with such surveillance of their personal data.

The court also said Standard Contractual Clauses (SCCs), the key mechanism used for cross-border transfers of data from the EU are still alive, “BUT.”

The “BUT” is that the court said that each transferor (the exporter of data from the EU ― i.e. you) needs to consider the legal regime in the transferee’s country and determine whether, in view of the circumstances of each particular transfer, that regime allows the obligations imposed by the SCCs to be honored so that EU individuals receive adequate protection. Where it does not, the gap may need to be closed with supplementary measures, which the court did not specify.

What does this mean for you, a U.S.-based company?

View Ten Things Your Company Should Do or Think About Doing Now. 

After a number of data protection authorities issued statements demonstrating differing approaches to cross-border transfers to the U.S. in the wake of the Court of Justice of the European Union’s decision in Schrems II (e.g. several of the German DPAs), the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), stressed the importance of a consistent approach across the EU.

“The Spanish Agency for Data Protection, within the plenary meeting of the European Data Protection Board, has participated in the adoption of the statement issued, which indicates the importance of the Judgment regarding the fundamental right to data protection in the framework of international transfers to third countries.”

“The Agency will continue to work together with the rest of the European Authorities on a harmonized response at European level and will participate in the work carried out to adopt a common approach, thus guaranteeing a consistent application of the judgment in all the countries of the EU.”

Details from Spain’s AEPD.

“The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”

“On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.”

“This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.”

“The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”

Details on the Privacy Shield homepage.


“The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU). Therefore, we are deeply disappointed that the Court of Justice of the European Union (ECJ) has invalidated the EU-U.S. Privacy Shield framework,” said U.S. Secretary of State Mike Pompeo.

“The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers. Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.”

“This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.”

“The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.”

Read the full statement from the State Department.

The European Court of Justice’s ruling in Schrems II, invalidating the EU-U.S. Privacy Shield framework as a means of transmitting personal data from the EU to the U.S., has drawn swift reaction from data protection authorities and other entities across Europe. Here are a few of the responses:

Vera Jourova, Vice President, European Commission

“I know citizens and businesses are seeking reassurance today on both sides of the Atlantic. So let me be clear: we will continue our work to ensure the continuity of safe data flows.

We will do this:

  • in line with today’s judgment
  • in full respect of EU law
  • and in line with the fundamental rights of citizens.”

“The Commission has already been working intensively to ensure that the toolbox [for cross border transfer tools] is fit for purpose, including the modernization of the Standard Contractual Clauses … We will now swiftly finalize it. Today’s ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.”

Continue Reading Governments, Data Protection Authorities React to EU-US Privacy Shield Ruling

The Court of Justice of the European Union (CJEU), in its decision in the Schrems II case, has invalidated the EU-U.S. Privacy Shield method for cross-border transfer of personal data from the European Union to the United States, citing surveillance practices by U.S. public authorities and inadequate legal recourse to EU individuals.

Standard Contractual Clauses remain alive, but an obligation is imposed on those who control or transfer data to ensure that the legal regime in the relevant destination allows the transferee to comply with the contractual obligations imposed by the clauses.

View 10 Steps U.S. Companies Can Take Now

The U.S. Department of Commerce responded:

“We have been in contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector,” said U.S. Secretary of Commerce Wilbur Ross about the CJEU decision in the Schrems II case invalidating the EU-U.S. Privacy Shield transfer mechanism.

“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

Read the press release from the Court of Justice.

Read the full Department of Commerce statement.

Commenters on the final California Consumer Privacy Act regulations asked: “Are session cookies a ‘unique personal identifier’?”

The California Attorney General replied: Maybe, depending on the context.

  • A “unique personal identifier” is a persistent identifier that can be used to recognize a consumer.
  • If a session cookie cannot be used to recognize a consumer, family or device that is linked to a consumer or family, over time and across services, it would not fall within this definition.
  • This is fact-specific and contextual and you should consult with an attorney.

This echoes the approach under GDPR.


The Spanish data protection authority AEPD has published helpful guidelines around the design and use of apps to control access to public places and social distancing.

  • Collect only what you need
  • Use only for the social distancing purpose
  • Be mindful of third party providers in the app
  • Delete when no longer necessary
  • Beware of children’s data

Details in this client alert.

Commenters on the final California Consumer Privacy Act (CCPA) regulations asked whether a business may satisfy its obligations by providing information about, and access to, the “Do Not Sell” link and opt-out opportunity within the privacy notice itself.

The California Attorney General’s answer: No.

  • The notice of right to opt out is a separate obligation from the CCPA’s requirements for a privacy notice.
  • The requirement to provide a clear and conspicuous link to “Do Not Sell My Personal Information” is a separate obligation from what a business must disclose in the privacy notice.
