The Schrems II Decision: The Day After

By Noémie Weinbaum on Jul 17, 2020

This blog is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security or compliance with laws or regulations.

The European Court of Justice (“CJEU”) yesterday invalidated the Privacy Shield, an agreement between the European data regulators and the U.S. Chamber of Commerce created in 2016 that allows businesses in the European Union to transfer data to the U.S. The Court said Privacy Shield, which is used by more than 5,000 companies (though not McAfee), does not comply with European privacy rights.

The decision is seen as one of the most important international privacy cases in recent history and arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by Max Schrems.

Schrems has been challenging the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which has its European base in Ireland. His first case (“Schrems I”) led the Court in 2015 to invalidate the Safe Harbor arrangement, a prior arrangement governing data transfers from the EU to the US. The Safe Harbor scheme was replaced by the EU-US Privacy Shield on July 12, 2016, in response to the case.

The Court gave two major reasons for its decision (“Schrems II”) that the European Commission was wrong to say the Privacy Shield adequately protected the data of EU residents. The Court said that

  • U.S. surveillance programs are not limited to what is strictly necessary and proportional and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights;
  • EU data subjects lack actionable judicial redress with regards to U.S. surveillance, and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

Additionally, the CJEU ruled that:

  • Standard Contractual Clauses (“SCCs”), which are currently being reviewed by the European Commission, and Binding Corporate Rules (“BCRs”) remain valid mechanisms for transferring data outside of the European Union;
  • BUT companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection cannot be ensured.

We’ve started hearing some myths that need debunking:

  • Myth 1: Keeping data in Europe is the ONE solution. Well no, it isn’t. The internet is global, the Cloud is global, and data localization may not prevent the application of the U.S.’s Cloud Act;
  • Myth 2: The U.S. will need to change its laws: Not so fast! This may help, but it will take some time, and meeting what the Court wants will require both changes to the Patriot Act and a new means of recourse – no small ask of a U.S. Congress even when the House and the Senate are working well together, much less in the middle of a pandemic with a lot of political divisiveness;
  • Myth 3: This only concerns the U.S. Nope, government surveillance (and secretive surveillance) exists almost everywhere – and is necessary, including in the European Union and in some of the jurisdictions that the EU has said have adequate protections.  This ruling could open the door for many uncomfortable conversations with jurisdictions that have thought they were safe in the past.
  • Myth 4: The ruling says that European companies must stop using U.S. service providers, especially Cloud service providers. No, that’s again bashing multinational corporations which abide by the strictest security standards.

From a practical standpoint, what are the changes?

  • Companies that used to transfer data under the Privacy Shield should consider signing SCCs and may want to think about a project to put in place BCRs;
  • SCCs may need to be amended to add language so as to provide additional safeguards when faced with access requests by public authorities around the world.

What does this mean for McAfee customers? McAfee is committed to adhering to the applicable laws. We are glad to sign SCCs with customers. We have done a lot of work to make sure that our products were ready for the GDPR, and we continue to track the regulatory and judicial changes. We’re glad to talk to you about this and other issues; contact us here.


About the Author

Noémie Weinbaum

LL.M, CIPP-E, admitted to the Paris Bar since 2003. With nearly 20 years of experience in Information Technology Law and Privacy, amongst which ten spent in the sector of Finance as the Deputy Head of Legal Shared Services for Natixis, Noémie holds a long record in negotiating complex deals in international and regulated contexts, and ...


Categories: Data Security
