The European Court of Justice (ECJ) recently struck down the validity of the Privacy Shield framework as a mechanism to transfer the personal data of residents of the European Union from the EU to the United States, citing concerns over U.S. national security surveillance.1 The use of Standard Contractual Clauses (SCCs) as a data transfer mechanism also faced scrutiny from the ECJ, but the court ultimately determined that the SCCs remain valid. This notwithstanding, as of today organizations that use the SCCs will have an added obligation to verify, prior to any transfer, whether the personal data being transferred will continue to enjoy the fundamental rights afforded under European data privacy laws.
In short, outbound data transfers from the EU to the United States can continue using the SCCs, but not the Privacy Shield.
Transatlantic data transfers from the EU to the United States have long been in the crosshairs of European-based privacy advocates. In 2015, Austrian privacy advocate Max Schrems successfully sought the invalidation of the Safe Harbor Privacy Principles, claiming that his personal data collected by Facebook Ireland was transferred to U.S.-based servers belonging to Facebook Inc., where upon arrival it would be subject to U.S. national security and surveillance activities. In the wake of Safe Harbor’s 2015 invalidation, the European Commission and the United States quickly sought to develop a new framework to take its place. The “EU-U.S. Privacy Shield” became the replacement framework 10 months later.
The Privacy Shield program had since become a mainstay of transatlantic digital commerce, being used by more than 5,000 companies. The recent demise of the Privacy Shield framework, following a second suit brought by Mr. Schrems, suddenly leaves these thousands of companies in compliance-limbo. This precarious position is further amplified as 29 highly active European Data Protection Authorities, each of them national entities with their own enforcement budget, closely monitor whether organizations will make the appropriate adjustments following the ECJ’s ruling.
Impact on U.S. Businesses, Including Financial Services
The ECJ’s recent decision will have a significant and immediate impact on U.S.-based organizations that service the European market. To begin, it is recommended that any organization that previously relied upon the Privacy Shield framework switch gears by immediately revising, and if need be, entering into new data processing agreements with their vendors and other business partners that incorporate the SCCs.
Fortunately this will be of less consequence to financial services companies, since the Privacy Shield regime was enforced by the U.S. Federal Trade Commission (FTC) and the U.S. Department of Transportation (DOT). Potential members of the Privacy Shield framework must therefore already have been subject to the jurisdiction of the FTC or the DOT before even applying. Since banks and other financial institutions are not subject to the jurisdiction of the FTC or the DOT, they were historically unable to take advantage of the Privacy Shield program.
This disqualification has resulted in a near industry-wide reliance on the SCCs to facilitate transatlantic data flows. Yet, financial services are not untouched by the ruling, since the ECJ still established an added obligation to ensure that transatlantic data flows are designed in a way that limits potential government surveillance. This will be no easy task.
A key consideration when assessing the appropriateness of new agreements will be whether the personal data to be transferred has been, or is likely to be, the subject of sweeping bulk data collection activities by U.S. law enforcement—especially national security agencies under the U.S. Foreign Intelligence Surveillance Act (FISA) or relevant executive orders that enable surveillance activity. This is of particular consequence to the financial services industry, given its role in combating global financial crimes, money laundering, and other illicit activity. Few industries will face a greater hurdle in establishing that the use of the SCCs still satisfy the fundamental rights afforded under European data privacy laws than the financial services industry.
To clarify, the ECJ’s recent decision only applies to data transfers that occur between two different organizations. Data transfers that occur exclusively within one organization fall outside the scope of the ECJ’s ruling, and may proceed as normal. Note, however, that companies which fall under the same corporate group do not enjoy this benefit, and so they will still need to perform a summer 2020 compliance review of their international data transfers.
On the subject of corporate groups, financial institutions are also welcome to explore the use of Binding Corporate Rules, a third alternative data transfer mechanism that enables groups of closely aligned organizations to freely transfer personal data within their network. Organizations may transfer personal data across borders so long as each of them adheres to a binding set of universal corporate and data governance rules—hence the name. Binding Corporate Rules fell outside the scope of the ECJ’s recent ruling, and thus remain a respected international data transfer mechanism for those organizations that are willing to allocate the significant time and resources required to have their Binding Corporate Rules approved by European regulators.
Whichever path institutions select moving forward (SCCs or Binding Corporate Rules) the point is clear: It is strongly recommended that organizations perform an international data transfer compliance review in the coming weeks and months.