Explaining the Schrems II Ruling and Its Implications

Premise: In 2015, the Court of Justice of the European Union (CJEU) ruled that the 2000 Safe Harbor framework, a privacy mechanism for organizations sharing personal data between the United States and the European Union, was invalid. The ruling, known as “Schrems I,” was based on an initial 2013 complaint made by Maximilian Schrems, an Austrian privacy advocate, and filed soon after the Edward Snowden revelations. In his complaint, Schrems argued that U.S. companies did not sufficiently protect personal data for it to be securely shared by European users, and were consequently violating the Safe Harbor requirements.

In response, in July 2016 the European Commission gave an adequacy determination–or the European Union’s stamp of approval–to the EU-U.S. Privacy Shield to replace the Safe Harbor agreement, meaning that data transfers between the two could continue under this framework. The Privacy Shield differed from the Safe Harbor agreement by restricting U.S. government access to data, among other changes. However, the bilateral data relationship has sown uncertainty for U.S. businesses because the United States does not have a national privacy law to bring some consistency to negotiations.

What Happened: Fast forward five years to July 16, 2020. On that date, the CJEU invalidated the Privacy Shield in a case known as “Schrems II,” leaving many transatlantic companies without a straightforward data-sharing framework.

This decision meant that companies in the United States and the European Union were forced to begin looking elsewhere for a legal personal data transfer mechanism. The case ruled that standard contractual clauses (SCCs) and binding corporate rules (BCRs) remained usable, albeit with their own conditions. SCCs are contractual obligations that lay out the rules to ensure that data will be safeguarded in the importing country outside the European Economic Area. BCRs, on the other hand, are mechanisms applicable within European companies that operate internationally.

But the EU SCCs had last been updated in 2010, which made falling back on them after Schrems II harder, as they did not incorporate requirements of the European Union’s 2018 General Data Protection Regulation (GDPR). In June 2021, the European Commission adopted new SCCs along with supplementary guidance from the European Data Protection Board (EDPB). But some worry that the EDPB’s guidance will further complicate some U.S.-EU data transfers instead of clarifying them.

What the U.S. Government Thinks: Given that many U.S. companies do business with EU-based ones, the decision left things up in the air for the United States. In September 2020, the Department of Commerce released a white paper responding to Schrems II. It explained:

1) Most of the data collected by U.S. companies is not taken for intelligence purposes;

2) The United States already shares intelligence data with the European Union for counterterrorism purposes; and

3) The United States has developed privacy legislation not recorded in the CJEU’s decision.

Along with this clarification, the two parties continue to negotiate a Privacy Shield replacement. Although they discussed this issue during President Joe Biden’s recent trip to Brussels, the European Union and the United States failed to reach a bilateral agreement. However, EU Commissioner for Justice Didier Reynders clarified that an agreement could be reached before the end of the year.

Analysis: Such rulings will continue to occur so long as there are contradictions between the United States and the European Union’s privacy frameworks. In an attempt to remedy this, there has been plenty of movement on the use of SCCs, and slower progress on a Privacy Shield replacement. But SCCs–even shiny, new ones–can’t be the lynchpin of future data transfers; they are not a single framework and are more of a short-term solution. To this end, the United States should prioritize ongoing negotiations for a Privacy Shield successor. If the solution is SCCs now, Privacy Shield replacement later, the latter should continue to be urgent.

The Schrems II ruling reveals how badly the United States needs to implement a national data privacy law. True, a national privacy law won’t necessarily avoid similar issues in the future on its own, as it is unlikely that a U.S. data privacy law will gain an adequacy decision from the European Union given debates over intelligence laws. As Maximilian Schrems told CNBC, “The Privacy Shield was not the main issue, the issue is that the Privacy Shield had to yield to U.S. surveillance laws.” But a national privacy law would create consistency for future agreements by giving the United States a better foundation for international data relations. A national data privacy law could subsequently prevent a third invalidation ruling through a uniform stance for the United States in negotiations with the European Union.

Right now, the current mesh of over 50 different U.S. state privacy laws–combined with the GDPR, SCCs and BCRs–is starting to affect business negatively. In April 2021, the Portuguese Data Protection Agency (CNPD) ordered its National Institute of Statistics (INE) to stop transferring census data to the United States, as the institute was using Cloudflare to help process data. Cloudflare, a web security and infrastructure company, is based in California. Although relevant SCCs were in place, the ruling court found that the privacy protections were insufficient to protect European personal data. The case found that Cloudflare’s headquarters location subjects it to U.S. surveillance laws that could require U.S. government access to personal data without notifying data subjects. Indeed, the court directly based its ruling on the Schrems II decision. If this continues to be the case, a single, federally pre-emptive U.S. data privacy law can help the United States and the European Union argue their way to a “durable” data transfer mechanism.

The Cocktail Party Edition: The European Union has now struck down two data sharing mechanisms between the United States and the European Union–the latest in a ruling known as Schrems II–based on questioning the protection of personal data from the European Union and prompting a rebuttal from the U.S. Department of Commerce. The United States and European Union are working on a replacement for the Privacy Shield, but to patch the hole in international data transfers, the EU Commission and European Data Protection Board recently published updated mechanisms. This is a temporary solution, however. Finding a replacement for the Privacy Shield will set up an effective, longer-lasting framework. Such rulings also remind us that without a national privacy law, the United States is less equipped to deal in data abroad.