Today, the Court of Justice of the European Union issued a landmark decision striking down the EU-U.S. Privacy Shield—an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States—but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to transfer data internationally. Covington represents BSA | The Software Alliance (“BSA”) in the case, and key aspects of BSA’s arguments on the validity of SCCs were reflected in the Court’s decision.
The Court’s judgment, in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), holds that the Privacy Shield does not take adequate account of U.S. laws authorizing public authorities to access data transferred from the EU to the United States. The Court also concludes that the ombudsperson mechanism referred to in the Privacy Shield Decision does not provide effective administrative or judicial redress for the data subjects concerned. The Court holds therefore that the Privacy Shield does not provide protections that are “essentially equivalent” to those set out in EU law — and invalidated the Privacy Shield with immediate effect. The judgment essentially decides the outcome of a separate case pending before the Court, Case T-738/16, La Quadrature du Net and Others v. Commission, which focused directly on the validity of the Privacy Shield, and in which Covington also represented BSA.
In a separate part of its judgement, the Court upheld the validity of the SCCs, which many EU entities currently rely on to transfer data internationally. The Court added, however, that use of the SCCs requires an a priori compliance assessment of the context of each individual transfer, including the laws of the country where the recipient is based and any additional safeguards adopted by the parties. In the Court’s words, EU law requires entities relying on the SCCs “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” (para. 134)
The Schrems II judgment will require many EU data controllers to reassess, and in some cases adapt, the mechanisms they use to transfer data internationally, not just to the United States but potentially to other foreign countries as well.
The Covington team representing BSA in these cases is led by partner Lisa Peets and includes Brussels and London lawyers Kristof Van Quathem, Bart Van Vooren, and Sam Jungyun Choi. Companies with questions on the impact of today’s decision should feel free to reach out to any member of the team.