The European Court’s Schrems II Decision and Its Impact on U.S. Businesses
On July 16, 2020, the European Union Court of Justice (“ECJ”) handed down its judgment in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems. This case, known widely as Schrems II, created uncertainty in data transfers between Europe and the United States.
The Schrems II case originated with Max Schrems, an Austrian privacy rights activist. Schrems filed a complaint under the General Data Protection Regulation (“GDPR”) with the Irish Data Protection Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States. In its judgment, the ECJ ruled that the Standard Contractual Clauses, a set of model contract clauses issued by the European Commission for use by businesses that transfer personal data outside of the European Union (“EU”), are valid.
The ECJ ruling on this matter also invalidated the EU-U.S. Privacy Shield Framework (“Privacy Shield”), which regulated transatlantic exchanges of personal data for commercial purposes to enable U.S. companies to more easily receive personal data from EU entities under GDPR. Many U.S. companies relied on the Privacy Shield as protection for transferring personal data from Europe to the United States while ensuring compliance with privacy laws on either side of the Atlantic.
Compliance by U.S. Companies
The ECJ now expects businesses that export personal data to assess whether their data transfers appropriately protect the data from interference by the recipient’s government; if they do not, the data protection supervisor in the EU member state from which the data is sent may begin a potentially lengthy enforcement process. If the recipient country’s protections fail to meet EU standards, the companies must provide adequate safeguards or refrain from transmitting the data.
The slow pace of EU rulings and enforcement, combined with the hefty costs of compliance, may lead some companies to continue with business as usual and wait to see if consequences follow. This strategy carries substantial risk, because the fines that may be imposed can reach up to €20 million or 4% of a business’s annual turnover, whichever is higher.
U.S. businesses that regularly receive personal data from the EU should understand that the laws and regulations regarding data transfer will continue to change. Many companies set their data transfer processes and rarely revisit them until an issue arises. We encourage all business owners to stay on top of, and regularly revisit, their privacy compliance to avoid potential issues.
In the immediate future, companies can no longer rely on the Privacy Shield. Companies can, however, use the Standard Contractual Clauses and safe harbor forms, which are still valid. We highly recommend that companies monitor the situation for future legislation and reach out to a privacy professional to either confirm continued compliance or begin the process of becoming compliant.