Four Steps to Support Compliant Data Transfers Without Privacy Shield
The recent Court of Justice of the European Union (CJEU) Schrems II ruling, which invalidated the U.S.-EU Privacy Shield framework, has created a wave of uncertainty for the legal industry. Ever since the U.S.-EU Safe Harbor framework was retired in 2015 as a result of Schrems I, lawyers have faced challenges in ensuring the legality of transferring data between the EU and the U.S. in multi-national litigation and investigations. Since its adoption in 2016, Privacy Shield has been central to alleviating that burden. Now, lawyers are left wondering what’s next and whether their current standard contractual clauses (SCCs) for data transfers will remain viable. And if not, what options are left?
The years since Schrems I have brought significant changes to how data privacy is viewed on the global stage. Most notable of these is the enactment of GDPR, whose Chapter V specifies the mechanisms that may be used to lawfully transfer personal data outside the EU. Privacy Shield rested on a European Commission adequacy decision under Article 45 of GDPR; now that the court has annulled that decision, SCCs and binding corporate rules (BCRs) are the principal mechanisms left to most organizations. In Schrems II, the court upheld the validity of the SCC decision but attached conditions to its continued use. The ruling indicated that SCCs remain a valid transfer mechanism for now, but that organizations must apply additional rigor in evaluating whether the law of the receiving country allows the clauses to be honored in practice, and in some cases must adopt supplementary measures that go beyond the contract itself. This directly calls into question whether the safeguards afforded in current SCCs are enough to withstand the scrutiny of EU authorities. These developments all underscore the ongoing tension between American surveillance laws and European privacy rights, and the EU’s lack of faith in U.S. systems to keep the personal and sensitive information of European residents confidential.
Further muddying the waters is the fact that in the U.S., the Federal Trade Commission issued a statement that it continues “to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.” This presents a Catch-22 for companies that must comply with the laws on both sides of the pond, and it has significant implications for the continuation of cross-border work. Among the open questions:
- How will counsel assess whether a country has “adequate protections” in place to legally support the use of SCCs?
- To what extent has the risk landscape changed?
- How will this decision expand the proliferation of private litigation?
- Will data localization become a more cost-effective strategy due to its risk-minimizing effect?
- Will this decision drive more momentum toward comprehensive federal data privacy legislation in the U.S.?
Lawyers will be grappling with these and other questions stemming from this ruling for many months to come. But amid this uncertainty, there are a number of sensible next steps organizations can take to move ahead as the requirements evolve.
- Get a Handle on the New Risks: In a recent FTI Consulting survey of data privacy professionals, more than half of respondents strongly agreed with the belief that a good faith effort to comply with data privacy laws would mitigate regulatory consequences. This number jumped to 72 percent among technology companies (which will be among the most impacted by Privacy Shield invalidation). Organizations that lean on good faith as part of their risk strategy should treat this ruling as a red flag: good faith may no longer be good enough for EU regulators.
Schrems II implies that companies using SCCs are now responsible for analyzing whether the protections those SCCs promise can actually be delivered in the receiving country, but no clear framework for conducting that analysis has been laid out (outside of the ruling’s mention of GDPR Article 45 as a resource for understanding how the EU Commission makes adequacy determinations). Legal teams need to work with external experts and internal stakeholders to gain a better understanding of how Schrems II and the impending scrutiny of SCCs will affect the organization’s unique risk landscape. This should include working with internal IT and information security teams to review existing data maps and consulting with data privacy experts to assess whether a receiving country has adequate protections (which may span technical, legal, and procedural safeguards) to support current SCCs. Risk assessment on this front will require intense, fact-based analysis that varies widely from company to company depending on the kind of data being transferred, what it is used for, the nature of the business, the company’s risk tolerance, and so on.
- Don’t Rely on SCCs as a Failsafe: Organizations need to prepare for the possibility that SCCs may be insufficient for data transfers to the U.S. Many organizations may be interpreting the decision as a green light to keep transferring with SCCs, but it’s important to remember that multiple EU Data Protection Authorities have suggested that transfers between the EU and the U.S. are risky or unlawful as a result of the inherent tension between U.S. national security law and EU privacy rights. Unless and until those tensions are resolved at the legislative level, the safest bet for companies will be to carefully assess each data transfer made under SCCs and be prepared for significant changes in the long run.
- Map the Data: An important practical step is evaluating existing data flows and the legal basis the organization relies on for processing and transferring data across borders. Mapping the data, and recording for each flow whether Privacy Shield or SCCs are being relied upon, will be critical in identifying key areas of risk. Look at the different business units that may influence or facilitate data flows and the range of new systems IT or other groups are implementing. This includes understanding the full chain of data processing, including sub-processors and their data protection practices. With that level of insight, counsel can start exploring other possible legal mechanisms the organization may use to transfer data.
- Consider Options for Data Localization: Now is the time for counsel to begin evaluating the possibility of reducing or eliminating cross-border transfers. Keeping EU data in the EU is the safest option from a regulatory perspective and may make good sense for many organizations. Supervisory authorities in each member state interpret differently what constitutes adequate safeguards under SCCs, which will surely complicate matters for companies transferring between numerous EU countries and the U.S. Relations between the UK and the EU will also come into play, as the EU has yet to issue an adequacy decision for data transfers to the UK. Across all jurisdictions, organizations should keep an eye on emerging guidance and rulings around the use of SCCs (and potentially BCRs), and weigh the impacts of those decisions against the cost and operational variables of localizing their data.
Companies that have been relying heavily on Privacy Shield and/or SCCs are now facing a great deal of uncertainty. Judging by recent opinions from authorities across Europe, a wait-and-see approach is no longer viable. Legal teams need to be ready with an action plan. Communicating these issues to senior leadership now will be critical to begin obtaining buy-in for the rigorous planning, analysis, and decisions that will be involved in developing a new risk strategy. With executive support, an understanding of the data landscape and guidance from experts, organizations will be in a strong position to pivot upon whatever comes next.
Eric Pender, an information governance expert and former consultant within FTI Consulting’s Technology segment, also contributed to this article.
About Sonia Cheng
Sonia Cheng is a senior managing director within FTI Technology, currently leading the EMEA Information Governance, Privacy and Security practice. She advises some of the world’s largest financial services, insurance, pharmaceutical, and energy firms on matters related to defensible disposal, data remediation, records management, privacy, e-discovery, compliance, and digital transformation programs.