Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding.  While this affects countries in every region of the world, it does have particular ramifications for the US.

US companies are likely to bear the brunt of this decision.  First, because the underlying complaint concerns how Facebook transferred personal data to the US, Schrems II takes particular umbrage with US “mass” surveillance laws, which are unlikely to change in the short term.  Second, the US is still the largest economy in the world and information is intrinsic to that economy.  Third, the technology industry that handles so much of the world’s personal information is concentrated in the US.

So long as the US government retains the ability to conduct mass surveillance of incoming electronic communications, it is likely that the CJEU, as well as the EU Supervisory Authorities and the European Data Protection Board, will consider transfers of data to the United States that are within the scope of that surveillance as insufficiently protected.

Next steps:

  • If you are currently negotiating a deal involving data moving from the EU to the US or other countries, consider drafting for contingencies, including the possibility of having the data remain in the EU in the event the local data protection authority later suspends your data transfers. In other words, the DPAs may force some companies into data localization.
  • Per the EDPB, Model Clauses/Standard Contractual Clauses (“SCCs”) remain valid, albeit with some new obligations and potentially new restrictions. Per its statement, “data importers and DPAs are required to verify, prior to transfer, whether the level of protection in the third country is adequate.”
  • The EDPB has not made any specific statements on how the decision affects the use of Model Clauses for transfers of data to the US.  However, two regional DPAs in Germany have released statements that transfers from the EU to the US may not be based on SCCs because the same issues at play in the Schrems II decision undermine the effectiveness of Model Clauses.  We will continue to track the effect of these statements.
  • The decision affects transfers to all countries that have not achieved “adequacy” status including, potentially, a post-Brexit UK.
  • US organizations that certified to Privacy Shield are still subject to Privacy Shield. Per the US Department of Commerce, the Department “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
  • Where a country’s laws are deemed insufficient and therefore undermine the ability of the importer to comply with the fundamental rights of the data subject, it is unclear whether any transfer mechanism will provide sufficient protection for the transfer. That means if some US laws are deemed to undermine the transfer mechanism, it is unclear whether Model Clauses or BCRs can cure the deficiency.
  • The opinion is not limited to transfers of personal information to the US.  It also covers transfers from the EU to all countries without an adequacy finding.  Unfortunately, the opinion provides no guidance on how to judge what laws may render compliance with the SCCs not reasonably possible.  More importantly, it provides no guidance as to how to evaluate this issue in jurisdictions that are less transparent than the US (which is effectively all of them) or if the scope and extent of surveillance is unknowable to the data importer.

How does this affect EU data already in the US?

Data that has already been transferred to the US under Privacy Shield or another mechanism can remain in the US.  The decision will affect post-July 2020 transfers. In fact, with respect to SCCs, the decision only questions the ability of a data importer to comply with its obligations about protecting the personal information as the data comes under surveillance as it enters the US through the Internet.  The opinion does call into question a data importer’s ability to comply once the data is actually within the US.

Our take:

There is a lot of concern that the Schrems II decision has completely invalidated, or will completely invalidate, the use of Model Clauses for transferring data to the United States because: (1) the mass surveillance problem exists regardless of the transfer mechanism; and (2) US surveillance programs are not changing any time soon.  But the decision does not say this.  Although local DPAs are releasing public statements to this effect, until the EDPB weighs in, SCCs remain valid.

Yes, the Schrems II decision stands for the broad proposition that the SCCs are not a cure-all.  Merely signing SCCs does not sanctify any transfer of personal information.  Schrems II requires both the data importer and exporter to be reasonably certain that they can comply with their obligations in the SCCs.  And where they cannot comply, importers and exporters must stop transferring data.

Also, the defect at issue in Schrems II – US mass surveillance – may be narrower than portrayed.  Put another way, for transfers that avoid the surveillance, the data importer and exporter can likely reasonably believe they can comply with their obligations under the SCCs.

Companies that use Model Clauses have new burdens to overcome and new questions to ask before transferring data to the United States.  Most important, data importers need to consider whether they will be able to comply with the obligations imposed by the Model Clauses.  And, if the importer cannot adequately protect the information, there is an obligation to inform the data exporter.  Companies should consider analyzing their data transfers and evaluating technical, administrative and contractual safeguards that can be used to protect the personal information from mass surveillance.

For the time being, US importers should be prepared to evaluate transfers as well as the safeguards that protect those transfers on a case-by-case basis.