Executive Summaries Jul 24, 2020

What Are the Implications of the End of EU-U.S. Privacy Shield Framework for Your Business?

On July 16, 2020, the European Court of Justice struck down the validity of the Privacy Shield Framework on data transfers between the European Union and the United States in its long-awaited decision Facebook Ireland Ltd. v. Maximillian Schrems.

Danielle Miller Olofsson has co-authored this article.

The Privacy Shield Framework (“Privacy Shield”), which governs data transfers between the European Union (“EU”) and the United States (“US”), provided companies in the US and the EU with a mechanism to comply with data protection requirements when transferring data.

The importance of the Privacy Shield to US business is that in its absence, companies transferring data from the EU have to put in place any one of a variety of mechanisms such as binding corporate rules or standard contractual clauses (“SCCs”) guaranteeing that such personal information processed in the US will be afforded the same protection as in Europe under the General Data Protection Regulation (“GDPR”).

According to the GDPR, unless a country benefits from adequacy status, that is to say unless the European Commission (“Commission”) has recognised that the country has similar data protection laws in place to those of the EU and is therefore “adequate”, its companies must adopt a series of data protection measures comparable to Europe’s. Up until now the Privacy Shield was a form of workaround in the absence of the US having been granted adequacy status – a status granted to Canada.

On July 16, the European Court of Justice (“ECJ”) struck down the validity of the Privacy Shield thereby plunging US business into tremendous uncertainty concerning the transfer of personal data from the EU. The judgement should also serve as a warning of things to come as Canada’s adequacy status comes up for renewal.

Background

In 2013, Austrian national Maximillian Schrems brought a case against Facebook Ireland to block data transfers from the EU to Facebook US where the data underwent processing. He argued that once in the US the data did not receive sufficient protection against access by US public authorities. In 2015, the ECJ, to which the High Court of Ireland referred the case, overturned a Commission decision, the Safe Harbour decision, which had stated that the existing framework for data transfers between the EU and the US was adequate. Facebook responded by adopting standard data protection clauses (or SCCs) according to which it would transfer data from the EU to the US. The practice was approved by the Commission. The US and the EU then agreed upon the Privacy Shield to facilitate the transfer of data between the US and the EU, which the Commission approved in 2016.

The present Facebook Ireland Ltd. v. Maximillian Schrems (“Schrems”) case stems from a reformulated demand by Mr. Schrems to block data transfers by Facebook from the EU to the US since this data is not adequately protected from access by US public authorities under the Privacy Shield. This demand was referred by the High Court of Ireland to the ECJ to determine:

  • whether the GDPR applies to transfers of personal data pursuant to standard data protection clauses (or SCCs);
  • the level of protection required by the GDPR in connection with such a transfer;
  • the obligations incumbent on the supervisory authorities in those jurisdictions; and
  • the validity of the Commission’s decision validating the Privacy Shield.

Decision

The Schrems decision essentially confirmed the Commission’s decision allowing data transfers using SCCs but struck down the Commission’s decision validating the Privacy Shield. It affirms that access by US public authorities to data concerning non-US nationals is not circumscribed in the same way that it is under the GDPR, that is to say subject to a form of proportionality limiting access to what is strictly necessary and subject to clear and precise rules. It also cites the Privacy Shield’s ombudsman mechanism, which does not allow for an adequate level of protection for individuals who seek to exercise their rights.

The Schrems decision also made the following points:

  • The GDPR applies to transfers of data for economic purposes by entities in the EU to entities outside the EU;
  • The level of protection required for data transferred from the EU should be essentially the same as that offered by the GDPR or by the European Charter of Fundamental Rights of the EU;
  • In the absence of an adequacy decision, a data protection authority must suspend the transfer of information from the EU using SCCs if it is clear that these clauses cannot be complied with; and
  • Entities situated in the EU transferring data using SCCs must ensure that the legislation of the recipient’s jurisdiction will allow the safeguards provided by the SCCs to be enforced.

As stated above, the Schrems decision plunges US business transferring data from Europe into tremendous uncertainty as they will no longer be able to rely on the Privacy Shield. The decision also places an onerous burden on commercial entities in the EU that transfer data to countries that do not benefit from an adequacy status. These entities will now have to scrutinise the SCCs that are in place in light of the laws of the jurisdiction to which the data is being transferred to ensure that these laws make possible the safeguards that are provided for in the SCCs.

Possible Effect on Canadian Business

Up until now Canadian organisations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) have been able to rely on Canada’s adequacy status to transfer data from the EU. One of PIPEDA’s greatest weaknesses, however, is its ombudsman model in which an individual may bring a complaint before the Office of the Privacy Commissioner (“OPC”) but the OPC can only issue a recommendation to remedy any violation. The OPC has no coercive power and as such cannot protect an individual’s right to the same extent as the GDPR. It remains to be seen whether this and other weaknesses affecting PIPEDA will be enough to have Canada’s adequacy status revoked in the event our federal law is not drastically amended soon.

With respect to businesses subject to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“PPIPS”), the Schrems decision should serve as a warning. PPIPS was already deemed inadequate by an advisory committee to the Commission in 2014. If Bill 64 that proposes to substantially amend PPIPS to bring it in line with the GDPR is not passed quickly, Quebec businesses will have no other choice than to put in place SCCs or other onerous mechanisms to continue to receive data from the EU.

The Schrems decision has dealt a massive blow to US companies transferring data from the EU. It illustrates the EU’s seriousness in enforcing data protection even extraterritorially. In light of this, Canadian businesses transferring data from Europe would be unwise to rest on their laurels assuming that PIPEDA and Canada’s adequacy status will protect them. They should begin considering the adoption of SCCs to protect such transfers.
