*Article originally posted on IAPP.org*
The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the official journal. The new SCCs arrive at a critical juncture in the regulation of cross-border data transfers, as there is significant uncertainty in the market around how to address cross-border data transfer restrictions.
What is the legal context for the introduction of the new SCCs?
The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. The new SCCs replace earlier versions of standard clauses for data transfers to third countries, which were issued by the European Commission under the GDPR’s predecessor, the 1995 EC Data Protection Directive.
The new SCCs come at a time of uncertainty regarding restrictions on cross-border data transfers, in large part because another key mechanism for cross-border data transfers was invalidated by the Court of Justice of the European Union on July 16, 2020. In Case C-311/18, the CJEU invalidated the European Commission’s adequacy finding for the EU-U.S. Privacy Shield arrangement. The CJEU’s decision focused on perceived inadequacies of U.S. intelligence surveillance policy, particularly under Section 702 of the Foreign Intelligence Surveillance Act. The CJEU decided U.S. policy and Privacy Shield protections did not provide “essentially equivalent” protection for EU personal data related to data subject rights and redress, as guaranteed under GDPR and the Charter of Fundamental Rights of the European Union. The U.S. government and EC are now aggressively negotiating for the development and adoption of an updated version of Privacy Shield to address this invalidation, dubbed “Schrems II.”
Although “Schrems II” did not invalidate the earlier EC decisions on standard contractual clauses, it did find that parties to the clauses need to supplement the guarantees in the EC standard data protection clauses in order to assure the requisite level of data protection. The “supplementary measures” focus on various means to assure that U.S. and other third country intelligence agencies are limited in their ability to access personal data. The European Data Protection Board subsequently issued guidance for companies on how to approach establishing the supplementary measures as required under “Schrems II.”
Does the adoption of the new SCCs alleviate the need for the EC and US to reach agreement on Privacy Shield 2.0?
No. The new SCCs are an important tool for trans-Atlantic data transfers, but the need for the EC and U.S. to reach agreement on a Privacy Shield 2.0 remains critical. The new SCCs provide a framework for cross-border data transfers that reflects the guidance of the EDPB and the CJEU “Schrems II” opinion. However, the provisions in clause 14 in the new SCCs still require the parties to conduct a “Schrems II” assessment of the specific circumstances of the transfer as well as the laws and practices of the third country, including any legal requirements authorizing access by public authorities. Footnote 12 to clause 14 clarifies that the parties can take into account practical experience with prior instances of requests for disclosure from public authorities (or the absence of any such requests) when conducting this assessment. At the end of the day, particularly if the data importer is an “electronic communications service provider” potentially subject to an order to disclose under FISA §702, the parties will need to conduct their clause 14 assessment in a context where the CJEU has now cast doubt on the essential guarantees offered by US policy, with the risk of enforcement actions from EU data protection authorities if the data transfer assessment is challenged.
An agreement on Privacy Shield 2.0 would provide the EC and U.S. with an opportunity to clarify and even sharpen the rights of data subjects and redress available in the U.S. legal system so that the EC finds U.S. law does indeed offer “essentially equivalent” guarantees. Privacy Shield 2.0 would serve as a valid alternative basis to the new SCCs for transfers to the U.S. Also, for those companies relying on the new SCCs, it would provide additional assurance for their “Schrems II” assessments under clause 14.
What happens if agreement on Privacy Shield 2.0 is not reached?
It is difficult to know with certainty, but our expectation is that cross-border data transfers may become increasingly difficult over time. Yes, parties can implement the new SCCs and perform their own clause 14 assessments of the specific circumstances. But more fundamentally, why are individual companies expected to assess the law and policy on intelligence surveillance in third countries, and how can they perform such assessments in a way that provides a reasonable degree of certainty in terms of possible challenges from EU data protection authorities? Such laws and practices have nothing to do with commercial privacy, nor with how well a company has designed and implemented its global data privacy program, particularly given that national security matters are expressly excluded from the application of GDPR. In the wake of “Schrems II,” we have already seen some initial DPA enforcement actions and investigations. At this important time, it is essential for the EC to come forward and start identifying jurisdictions as providing “essential equivalence” on intelligence agency access, much as the EC has done for years on adequacy decisions regarding third country data protection laws. The task for individual companies becomes even more challenging as they look beyond the U.S. to other third countries, such as China, India or Israel.
What are potential impacts on civil liberties, if any, should the EC and U.S. reach an agreement on Privacy Shield 2.0?
Privacy Shield 2.0 provides an opportunity for the EC and U.S. to help clarify and strengthen the protections for data privacy and civil liberties, as well as provide more certainty for trans-Atlantic commerce. Among other advantages, Privacy Shield 2.0 would provide an extraordinary benefit to enhance privacy protections in the U.S. by engaging the U.S. Federal Trade Commission to enforce EU data protection requirements against U.S. companies on U.S. territory. The failure to reach agreement on Privacy Shield 2.0 would therefore be a significant loss for trans-Atlantic commerce as well as for the protection of personal data of EU data subjects in the U.S.
Over the long term, how might the EC enter bilateral negotiations with third countries around the world to assure they provide essential equivalence to EU standards on intelligence surveillance?
This is a daunting task. Increasingly, there have been calls for the EU, U.S. and other major democratic societies to “go big” and seek a multilateral treaty on data protection and government access to personal data. Such a treaty would provide a high degree of data protection in democratic societies worldwide and assure certainty to global commerce in the digital age regarding cross-border data transfers. Although this treaty initiative should not distract from the critical short-term work of reaching an agreement on Privacy Shield 2.0, only a multilateral treaty will adequately address the challenges posed by the current patchwork of local and regional data protection laws worldwide.