First things first: don't panic!
Data flows will continue, and can continue, for the time being. It will take time for regulators and organisations to reflect on what is a very complicated judgment (misleadingly simple in its headline of "Privacy Shield invalid; Standard Contractual Clauses valid").
Very briefly, the CJEU held that the Standard Contractual Clauses ("SCCs") were not automatically invalid. However, their use has to be assessed on a case-by-case basis, in particular taking into account the "relevant aspects of the legal system of the [relevant recipient] country". The organisation based in the EU that sends data out of the EU under the SCCs is responsible for those assessments and, potentially, for putting in place "supplementary measures" (should there be any issue with the recipient country's regime). Regulators have to police these assessments.
No doubt regulators will in due course be pronouncing on how to take into account those assessments and what measures may be put in place.
When it comes to Privacy Shield, the position is a little starker. Because of the lack of proper oversight of US security and law enforcement agencies' access to non-US citizens' data (and the lack of sufficient rights for individuals), it was struck down as "invalid". Organisations relying on Privacy Shield will now need to find another way of transferring data.
We have been here before; Safe Harbor (Privacy Shield's predecessor) was struck down by the same court in 2015. Those of us around in privacy back then will recall a hasty repapering of transfers using SCCs. The regulators even gave a "grace period" for companies to do that. We can expect more of the same now.
The European Commission has already said that other mechanisms exist in place of Privacy Shield, including the SCCs. The SCCs are in any case being modernised, and new versions should be available soon. We can expect the Commission to do what it can to deal with the judgment.
A likely problem, though, which will have to be addressed (and which, to be frank, the Commission ignored in its immediate reaction today), is the difficulty of using SCCs for transfers to the US when the CJEU was so critical of the US legal regime in discussing Privacy Shield.
It will take time for the dust to settle. Immediate steps that organisations could consider include:
- If you have relied on Privacy Shield, prepare to sign SCCs with your counterparts on the relevant data flows.
- Think about how you may consider and document the risk of the particular transfer. Are there any additional "supplementary measures" that could be put in place?
- Is there scope to change the data you send, e.g. by encrypting it (with the keys kept in the EU, so the recipient cannot read it) if the transfer is only for storage purposes?
- Remember that the SCCs themselves have not changed. To the extent that the SCCs do not offer appropriate protection, that has been the case ever since your transfer began.
- Don't be complacent: watch carefully what your local regulator is saying. They are probably just as concerned (given their resources) about the extra requirements the CJEU has imposed on them.
- Inevitably, some large companies will think even harder about siloing data within the EU. We may well expect greater interest in EU data centers.
Above all: don't panic. There is a massive political need to fix the problem and we can expect urgent attention from both the EU and the US.
With that in mind, please do join a Fieldfisher webinar tomorrow, Friday 17 July, or on Monday 20 July, in which Eleonor Duhs, Michael Brown and I explain the key practical implications of the judgment for organisations.
[1] Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1)