As discussed in an earlier alert, the Court of Justice of the European Union, in a landmark decision in the Schrems II case, invalidated the EU-US Privacy Shield framework, which thousands of US organizations relied on to transfer data between the United States and the European Union. In the aftermath of Schrems II, one of the questions on which organizations were awaiting a response was whether a grace period would be granted, as was the case when the old EU Safe Harbor framework was invalidated. The European Data Protection Board responded in the negative, creating more anxiety for organizations that transfer personal data across the Atlantic.
On July 24, 2020, the European Data Protection Board (EDPB) issued a set of frequently asked questions (FAQs) aiming to respond to some of the questions that arose in the aftermath of the Schrems II decision. In the FAQs, the EDPB clearly stated that there will not be any grace period, unlike when the EU Safe Harbor decision was invalidated in 2015, and that transfers based on the EU-US Privacy Shield (EU Privacy Shield) are unlawful.
According to the EDPB, the unavailability of a grace period is sensible because the Court of Justice of the European Union (ECJ) invalidated the EU Privacy Shield on the basis of its finding that US law fails to provide an “essentially equivalent level of protection” for EU personal data. The EDPB recommends that data exporters consider other alternatives for exporting data to the United States.
The implications of the unavailability of a grace period are serious for organizations, as interrupted data flows can create business disruptions for organizations on both sides of the Atlantic. This is particularly concerning given all of the other operational challenges and economic downturns that organizations are facing due to the coronavirus (COVID-19) pandemic.
Further, organizations may feel that they have to immediately revise their privacy notices and third-party contracts (e.g., customer and vendor contracts) that referred to their EU Privacy Shield commitment, without necessarily considering the best measures to implement in order to transfer personal data lawfully.
In light of the EDPB FAQs, it is clear that any data transfer made under the EU Privacy Shield must immediately come to a halt. This means the organizations that relied solely on the EU Privacy Shield can no longer transfer any data to the United States without assuming liability until they have an alternative mechanism in place to transfer personal data allowed under the EU General Data Protection Regulation (GDPR) such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
However, instituting an alternative mechanism will take some time, especially given the existing operational disruptions created by the COVID-19 pandemic. As a result, the lapse of time between the halting of data transfers under the EU Privacy Shield and the establishment of a functioning alternative mechanism for transferring data will create business interruptions for organizations in Europe and the United States. It is, however, noteworthy that some European supervisory authorities have so far announced that organizations should continue to comply with their EU Privacy Shield commitments until further European guidance is issued.
The lack of a grace period will create further complications for organizations. In a statement addressing the Schrems II decision, US Secretary of Commerce Wilbur Ross stated that the United States will continue to administer the EU Privacy Shield Program and that the ECJ’s decision “does not relieve participating organizations of their Privacy Shield obligations.” Therefore, organizations certified under the EU Privacy Shield will have to comply with their obligations arising thereunder, for no practical purpose, while working on creating alternative mechanisms to enable data transfer.
The EDPB FAQs also shed some light on the pending questions surrounding the future use of SCCs and BCRs. The EDPB emphasized that data exporters using SCCs or BCRs to transfer personal data to US importers should engage in a case-by-case analysis to ensure that “US law does not impinge on the adequate level of protection” that the SCCs and BCRs guarantee. Such assessments will have to take into account the circumstances of the transfers and any supplementary measures that data exporters could put in place. Therefore, the lack of a grace period will also be challenging for organizations using SCCs or BCRs, because it will take time for these organizations to conduct a case-by-case analysis for each data transfer, which in turn increases the cost of, and delays, such data transfers.
A grace period would have provided more clarity for organizations on how to conduct these case-by-case analyses. The EDPB said that it is still determining the kind of supplementary legal, technical, or organizational measures that could be provided, in addition to SCCs or BCRs, to transfer data to a third country where SCCs or BCRs alone do not provide a sufficient level of guarantees.
Given that the ECJ invalidated the EU Privacy Shield based on the lack of adequate protections provided in US law, it is unclear how US importers will be able to guarantee an adequate level of protection for EU personal data to pass data exporters’ assessments for use of the SCCs or BCRs without supplementary measures in place. Organizations will be keen to see the forthcoming guidance on the supplementary measures. In the meantime, measures such as limiting data transfers, so far as is practicable, and ensuring that transfers are secure (including considering encryption methods) should be seriously considered and implemented if possible.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Ronald Del Sesto
Dr. Axel Spies