CJEU Invalidates EU-U.S. Privacy Shield Framework
Source: Ciprian Timofte, Partner Țuca Zbârcea & Asociații

by Ciprian Timofte, Partner Țuca Zbârcea & Asociații

On July 16th, the CJEU issued the Schrems II judgment which invalidates the Privacy Shield Decision and provides clarifications on SCCs. 

A lot of noise and “fog” amongst organizations, particularly on the effects of the Schrems II judgement. It is expected for the EU supervisory authorities and EDPB to react soon and to shed more light on this issue for the organizations. 

Until then, please find below some key aspects that you should consider. 

1. What does it mean that the EU-U.S. Privacy Shield was invalidated? 

The EU-U.S. Privacy Shield allowed organizations from the European Union to export data to U.S.-based organizations listed under the EU-U.S. Privacy Shield List. The EU-U.S. Privacy Shield was built around Article 45 GDPR, which grants the Commission the right to decide that certain third countries or territories ensure an adequate level of protection for data subjects and therefore organizations are allowed to transfer data to such countries or territories. Hence, the Commission found, in Article 1(1) of the Privacy Shield Decision, that the U.S. ensures an adequate level of protection for personal data transferred from the EU to organizations in the U.S. under the EU-U.S. Privacy Shield. 

By way of Schrems II judgement, the CJEU found that, on the contrary, the U.S. does not ensure an adequate level of protection (substantially equivalent to that ensured by EU countries) and to this effect ruled out that Commission Decision on EU-U.S. Privacy Shield is invalid. 

This means that EU organizations should not be able anymore to rely on EU-U.S. Privacy Shield for transferring data to U.S.-based organizations. 

2. What about the ongoing transfers under the EU-U.S. Privacy Shield? 

On this highly sensitive topic, the CJUE was quite blunt and ruled out that organizations should use the alternative data transferring means prescribed under Article 49 GDPR. 

To be noted, the U.S. Secretary of Commerce, Wilbur Ross stated on 16 July 2020 that the U.S. Department of Commerce will continue to manage the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and shall maintain the Privacy Shield List. 

While this is still a ”grey” area and it is quite early to put conclusions on the table, unless a new adequacy decision for U.S. is to be adopted by the Commission, most likely the EU-U.S. Privacy Shield will become a ”walking dead” and will finally die. We expect that, in line with the CJUE Schrems II judgement,in the near future the EU supervisory authorities and EDPB shall issue (common) positions and further guidance to organizations not to further use the EU-U.S. Privacy Shield and to seek to rely on alternative valid data transfers means. 

3. Is there any grace period for becoming compliant as regards ongoing transfers under the EU-U.S. Privacy Shield? 

No. Organizations should promptly consider alternative valid means for the transfer of data to the United States. This could be either putting in place adequate SCCs or BCRs (feasibility to be assessed on a case-by-case basis) or using any of the alternative transferring mechanisms described under Article 49 GDPR. 

4. Are standard contractual clauses (SCCs) still valid? 

Yes, in principle. Still, the key issue here would be for EU organizations exporting the data to third countries based on SCCs to be able to prove that the data importer from that third country is able toactuallymeet the safeguards undertaken under SCCs. This would entail that organizations relying on SCCs must verify that the legislation of the third country ensures a similar level of protection as under the EU law as regards the rights of the data subjects. 

5. What should organizations expect for future? 

Firstly, organizations should expect a significant increase in the number of data subjects’ requests for accessfocused on data transfers to third countries. We may reasonably assume that the most exposed industries will be telecom, financial (banking included), insurance, health, retail, IT, etc. 

Correspondingly, we anticipate an increase in the number of data subjects’ complaints and, to this effect, of investigations initiated by EU authorities (ANSPDCP included) in relation to data transfers to third countries (irrespective if made based on EU-US Privacy Shield, SCCs or BCRs). 

Also, we cannot exclude for the national authorities to open ex officio investigations on the validity of the data transfer mechanisms used by organizations, with a focus on data transfers towards third countries. Notably, some of the EU supervisory authorities already called for theneed ofaunitary approachas regards the dealing with companies thattransfer data to thirdcountries.1

To be noted, however,maybethe most dramatic impact for the organizationsisthat as perArticle 58 GDPR the EU supervisory authorities (ANSPDCP included) shall be able toprohibit(temporarily or definitively) ortoorder the suspension of a datatransfer or a set of transfersbased on SCC,if they find that the transfer islikely to have a substantial adverse effect on theguarantees providing adequate protectionto the data subject (including where it would befound that the legislationof the data importer in fact prevents the latter to comply with thesafeguards committed formally under the SCCs).

Finally, on the regulatory side it is expected thatthe Commission shall issueupdated versionsof SCCscomprisingharshermechanismsfor ensuringadequate and effective protection ofdata subjects and, most likely, organizations will be bound to enter new SCCs based on theseupdated versions.2

6.What should organizations do next?

You may consider pursuing the following steps:

a.Identify urgently and mapall data transfers to third countries for which you rely onEU-U.S.Privacy Shield, SCCs or BCRs.

b.For data transfers towards US:

i.Temporary suspend or ceaseany data transfers based on EU-U.S.Privacy Shield.Closely monitor any evolution on the topic, particularly the premise of issuance bythe Commission of a new adequacy decision for US.

ii.Seek alternative valid transfer mechanismsunder GDPR, such as SCCs, BCRs or thederogations listed under Article 49 GDPR. 

iii.If none of the above isfeasible,assessthe business impactderiving from ceasing anysuchdatatransfersimmediatelyanduse alternatives(such asshiftingthedatabase in EU or in a third country recognized as ensuring an adequate level ofprotection). 

c. For data transfers tothird countries other than U.S.made based on SCCs:

i.Evaluate if the third country’s legislation ensures a similar level of protection as EU law does.Inter alia, you should check the legal safeguards related to any potential access to data by the public authorities of that third country and the actual capacity of the data importer to comply with the commitments from the SCCs. 

ii. If not the case, you could consider the following: Check if that third country benefits of an adequacy decision issued by the Commission. Where affirmative, initiate negotiations for the termination of the SCCs and further rely on that adequacy decision.

If no adequacy decision exists, you may consider putting in place additional safeguards to the SCCs to render the protection of the data subjects effective. 

If no additional safeguards are available or feasible, you may be willing to terminate the SCCs and consider alternative valid transfer mechanisms under GDPR (such as BCRs or one of the derogations listed under Article 49 GDPR).

If none of the above is feasible, assess the business impact deriving from ceasing any such data transfers to that third country immediately and use alternatives (such as shifting the data base in EU or in a third country recognized as ensuring an adequate level of protection). 

d. Review the used information documents (privacy policies, information notices, etc.) to ensure that you comply with all transparency requirements prescribed by GDPR in terms of data transfers towards third countries. 

e. Prepare an action plan andpresent the same to the management from your organization. 

f. Document all steps to ensure you are able to prove that you put in place effective controls to comply with the GDPR and the new framework set by CJUE Schrems II judgement.

To read the entire legal bulletin, please download the .pdf attached or visit http://www.tuca.ro/legal_bulletin/

May 14, 2021 09:17
A notable success obtained by RTPR representing Electrica group’s electricit...more »
May 12, 2021 08:24
On Friday, the 7th of May 2021, the Bucharest Court of Appeal passed a landmar...more »
April 26, 2021 10:48
April 15, 2021 14:48
Mareș & Mareș announced that it was ranked first in the Legal 500 annual...more »
Govnet Next Events