European Union Archives

Client Alert: EU Court of Justice Invalidates the EU-US Privacy Shield

An important and unexpected ruling was handed down by the Court of Justice of the European Union (CJEU) on July 16, 2020, in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) that invalidates the EU-U.S. Privacy Shield (“Privacy Shield”) arrangement. Since 2016, the Privacy Shield provided U.S. companies with a mechanism to comply with the General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the U.S.

What this means

Now companies that subscribed to the Privacy Shield must find another GDPR-compliant solution for the transfer of data. The European Data Protection Board indicated in its July 23, 2020 FAQs that it will not be providing a grace period as the authorities had done for the EU-U.S. Safe Harbor (“Safe Harbor”) framework following the “Schrems I” decision.

Notably, the CJEU’s decision expressly stated that the standard contractual clauses (SCCs) previously promulgated by the European Commission (EC) are still a valid tool for data transfers from the EU to the United States. The SCCs are sets of contractual terms and conditions that the controller and the processor of the data both execute to comply with GDPR’s requirements. However, the CJEU’s decision does not give blanket approval to the SCCs–the decision acknowledged that future challenges to SCCs are permissible by the local data enforcement agency for any EU-member state. For example, an EU-member state might prohibit or suspend exports of personal data from its country under SCCs, if the member state concludes that the SCCs are not or cannot be complied with in the recipient third country (such as the U.S.) because of the member state’s local legal requirements.

The CJEU did not directly reference binding corporate rules (‘BCRs’) which are used for intragroup data transfers and require prior approval of the competent data protection authority. For now, this means that BCRs remain a valid transfer mechanism under the GDPR as BCRs are of a similar nature to SCCs (both are considered an “appropriate safeguard” pursuant to Article 46 GDPR).

For some situations, an alternative is to look to the narrow derogations under Article 49 of the GDPR, such as to perform a contract or base the transfer on the subject’s explicit consent.

What happens next

When the adequacy of the Safe Harbor was invalidated by the CJEU in 2015, the U.S. Department of Commerce (DOC) and the EC had already been negotiating for an updated trans-Atlantic program for many months. With Schrems II, and although the DOC and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. And the issues cited by the CJEU in Schrems II may require some form of legislative and not merely an administrative action to address. As such, the process to revamp the Privacy Shield is unlikely to be concluded any time soon.

The DOC, in a press release in response to the CJEU’s decision, and later in its updated Privacy Shield FAQs, stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification and maintaining the participants’ list. The DOC emphasized that the CJEU’s decision “does not relieve participating organizations of their Privacy Shield obligations.”

The UK’s Data Enforcement Agency also issued a statement advising companies to continue using the Privacy Shield until new guidance becomes available but added that companies “do not start using the Privacy Shield during this period.”

Stay tuned for more regulatory guidance and other developments in the next few weeks.

Disclaimer: This is not legal advice. The resources and information provided here are for educational purposes only. Consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.

July 30th, 2020|Categories: Commercial Transactions Due Diligence|Tags: CJEU, European Union, GDPR, Schrems II|

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3 (2). Generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria is applied on a case-by-case basis, the guidelines provide several examples showing how the targeting criteria can be applied that clarify some basic points, such as:

The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
Geographic allocation and timing are critical. For purposes of applying the GDPR, thedata subject’s geographic location is assessed atthe moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the datasubject’s behavior begins.
Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
Cookies are considered monitoring. TheGDPR protects data subjects that your business profiles or undertakes someanalysis by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and appointment of an EU-based representative poses two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

December 12th, 2018|Categories: International, Legislation|Tags: European Union, GDPR, Privacy, Social Media|

European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework

What this is about	On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.
Privacy Shield overview:	The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see US Department of Commerce (“DOC”) factsheet and FAQs.
Joining the program:	The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.
About self-certification:	The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority–either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on the privacy principles that include notice, choice, access, and transfer accountability. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.

July 14th, 2016|Categories: Commercial Transactions Due Diligence, International|Tags: European Union, Privacy Shield|

The EU-US Privacy Shield Framework text is now available

U.S. Secretary of Commerce Penny Pritzker released a statement regarding the historic agreement, noting that the “EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”

The EU-US Privacy Shield Framework (the “Framework”) was designed by the U.S. Department of Commerce (the “DOC”) and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Framework provides robust and enforceable protections for the personal data of EU individuals, mandating transparency for participating companies, strong U.S. government oversight, and increased cooperation with EU data protection authorities. Offering EU individuals access to multiple avenues to address concerns regarding participants’ compliance and a free dispute resolution, the Framework makes it easier for EU individuals to understand and exercise their rights.

The European Commission proposed that the Framework be deemed adequate to enable data transfers under EU law, which is now in the approval process. Once an adequacy determination is made, the DOC will begin accepting certifications under the Framework. Similar to the certification process of the now invalid Safe Harbor, if a U.S. based-company wishes to join the Framework, it will be required to self-certify to the DOC and publicly commit to comply with the Framework’s requirements. While joining the Framework will be voluntary, once an eligible company certifies compliance, the commitment will become enforceable under U.S. law.

Read the fact-sheet about the EU-US Privacy Shield Framework here.

Read the full text of the EU-US Privacy Shield Framework here.

February 29th, 2016|Categories: International|Tags: European Union, Privacy Shield|

Judicial Redress Act of 2015 signed into law

On February 24, 2016, President Obama signed the Judicial Redress Act of 2015 (“the Act”) into law, a major step toward formalizing the recently announced privacy framework, the EU-U.S. Privacy Shield, which will replace the Safe Harbor program that was declared invalid by the European Court of Justice in October 2015. The Act’s intent, as explained by House Judiciary Committee Chairman Bob Goodlatte (R-VA), is to reestablish the United States’ credibility with the European Union following the highly-publicized leaks of classified information in the recent years.

The Act extends to the citizens of EU countries that permit commercial transfers of personal data

[to the United States] similar rights to those enjoyed by US citizens under the Privacy Act of 1974, which established a code of fair information practices that govern the federal government’s collection, maintenance, use, and dissemination of information about individuals. The citizens of these EU countries will now be allowed to sue the United States for unlawful disclosure of their personal information obtained in connection with international law enforcement efforts. Under current law, only US citizens and legal residents can bring such claims against the federal government.

Read the text of the Act here.

February 28th, 2016|Categories: International, Legislation|Tags: European Union|

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield–the Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms, such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group) to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

Read Scherzer International’s first bulletin about the invalidation of the Safe Harbor privacy framework
Read the European Commission’s guidance about data transfers issued in November 2015
Read the European Commission’s press release about the Privacy Shield
Read the Working Party’s statement issued on February 3, 2016 about the Privacy Shield
Read the U.S. Department of Commerce fact-sheet about the Privacy Shield

February 24th, 2016|Categories: International|Tags: European Union, Privacy, Privacy Shield|

New US-EU Safe Harbor agreement may be around the corner

Various sources report that US and EU representatives met on December 17, 2015 to hash out an agreement that would replace the recently invalidated Safe Harbor privacy framework. The two governments aim to have a replacement framework in place by January, says EU Justice Commissioner Vera Jourová. One of the main goals of the new program is to allow EU citizens’ grievances to be filed directly with their national privacy regulator.

As reported in our client alert and blogs, in October 2015, judges from the European Court of Justice issued a judgment striking down a 15-year old agreement, known as the Safe Harbor framework, which allowed US and European organizations to freely move personal data between the two regions as long as the US ensured an adequate level of data protection at the company and certified that it would abide by the seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement. The invalidation ruling impacted nearly 4,000 businesses that relied on the Safe Harbor framework to transfer data between the US and Europe and requires all businesses to revaluate their compliance with European data privacy and security standards.

December 22nd, 2015|Categories: Commercial Transactions Due Diligence|Tags: European Union, Safe Harbor|