The Standard Contractual Clauses Find Safe Harbor

Privacy Plus+

Privacy, Technology and Perspective

The Standard Contractual Clauses Find Safe Harbor.  This week, the Court of Justice of the European Union (CJEU) issued a non-binding opinion that upheld the Standard Contractual Clauses (SCCs) as a valid means for data transfers outside the European Union (EU) to the United States (US).

Background – Law on Data Transfers

Unlike in the US, the EU’s Charter of Fundamental Rights affords EU citizens a fundamental right to privacy in family life, home and communications.  Thus, the default rule in the EU is that personal data transfers outside of the European Economic Area (EEA) are prohibited. A transfer (or export) of personal data is permitted only if certain adequate data protection safeguards exist.

The European Commission (EC) has recognized the following countries as having adequate safeguards in their laws—Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the US (limited to EU-US Privacy Shield).

For transfers of personal data to the US, three transfer mechanisms exist: Privacy Shield, Binding Corporate Rules, and Standard Contractual Clauses.

EU-US Privacy Shield:

The Privacy Shield framework became effective on August 1, 2016 after the EC issued its decision finding that Privacy Shield provided an adequate level of data protection safeguards.  To participate in Privacy Shield, an eligible organization must develop a conforming privacy policy, identify an independent recourse mechanism and self-certify through the privacyshield.gov website.

The Privacy Shield Framework includes:

  • strong data protection obligations on companies receiving personal data from the EU;

  • safeguards on US government access to data;

  • effective protection and redress for individuals; and

  • an annual joint review by the EU and US to monitor the correct application of the arrangement.

Binding Corporate Rules

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their non-EEA affiliates, but do not provide a basis for transfers made outside the organization’s group. BCRs must demonstrate that the organization provides adequate safeguards for such transfers, and the organization must get approval for its BCRs from the EU data protection authorities, with one authority, such as the CNIL, acting as the lead.

Standard Contractual Clauses

For US companies not covered by Privacy Shield or for transfers outside of those covered by BCRs, the Standard Contractual Clauses provide the only (and the most commonly used) mechanism to ensure the free flow of data from the EEA to the US.  The SCCs are often attached to contracts between US companies and data senders for outsourced services, cloud infrastructure, and data hosting.

Schrems I & II

Since Edward Snowden’s revelations about the U.S. government’s PRISM mass surveillance program, tensions have run high between the EU and the US.

Schrems I (C-362/14)

In 2015, privacy activist Max Schrems successfully challenged Privacy Shield’s predecessor, called the Safe Harbor framework.  Previously, Safe Harbor had authorized the transfer of personal data from the EU to the US.  However, the CJEU declared Safe Harbor invalid in light of US surveillance laws, which authorized the bulk collection of personal data, finding that it did not provide the adequate data protection required under EU law.

Click on the following link to read the decision in Schrems I:

http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3900236

When Safe Harbor was struck down, many companies felt far less safe transferring regulated personal data, and were left scrambling for other ways to do so consistently with EU law.

Schrems II (C-311/18)

Schrems then filed another complaint, challenging the SCCs, arguing essentially that the SCCs violated EU law by not providing adequate data protection in light of US surveillance laws, and specifically challenging Facebook Ireland’s reliance on the SCCs. The CJEU has rejected that argument, and upheld the validity of the SCCs. Click on the following link to read the decision in Schrems II:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CN0311

Many in the privacy world, who had been nervously awaiting this decision, are breathing a sigh of relief, especially in advance of the holidays.

Privacy Plus+ will return in 2020.  Happy Holidays!

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
