It’s difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed.
In this final note in the series, we provide seven predictions for the road ahead with “Schrems II” and global data transfers. Some of these may be more controversial than others, but here goes:
1. More Privacy Shield companies will implement alternatives. The CJEU opinion is complex, but one unmistakable point is that “Schrems II” invalidated the European Commission finding that Privacy Shield provides adequate protection for personal data transfers under the EU General Data Protection Regulation. As such, Privacy Shield companies will need to implement alternative solutions. SCCs will be a logical option to consider where the U.S. company receives personal data from EU companies, using the C2P SCCs if the U.S. company is a processor or the C2C SCCs if the U.S. company is a controller. Fortunately, the CJEU confirmed the validity of the C2P SCCs, so this should be a viable alternative, although subject to conditions (discussed below). For online consumer companies dealing directly with EU consumers, another alternative will be to look to derogations for specific situations under Article 49 of the EU General Data Protection Regulation, such as where the transfer is necessary to perform a contract with the data subject or the like.
2. An updated version of Privacy Shield will likely not emerge until after the U.S. elections in November. When the adequacy decision for the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) was invalidated by the CJEU in 2015, the U.S. Department of Commerce and European Commission had already been negotiating for an updated trans-Atlantic program for many months. With “Schrems II,” although the Commerce Department and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. Moreover, although it will require further evaluation, the issues cited by the CJEU in “Schrems II” may require some form of legislative and not merely administrative action to address. As such, the process to update Privacy Shield is unlikely to be concluded in the next few months before the U.S. elections in November, particularly during the time of the pandemic and the associated economic challenges. Companies, therefore, must anticipate that the alternatives they implement will need to remain in place for the short to medium term.
Note: This is the last in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.