What alternatives to Privacy Shield are available to U.S.-based companies that need a legal mechanism to transfer personal data to the U.S. in compliance with EU data protection rules?

• European Data Protection Board guidance: In part — “Whether or not you can transfer personal data on the basis of (binding corporate rules/SCCs) will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with (BCRs/SCCs), following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. ... It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 (EU General Data Protection Regulations) GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision.”
• Next steps for Privacy Shield participants: In part — “Where the organization participates in Privacy Shield as a controller, implementation of the SCCs for such controller-to-controller data transfers can help strengthen the position that the transfers are permissible. Given the reasoning of the CJEU in ‘Schrems II,’ the organization will still need to undertake due diligence to evaluate and document the risks associated with the transfers ... Where the organization acts as a data processor on behalf of customers in the EU, the organization should consider preparing and presenting to customers updated terms that include the SCCs for controller-to-processor transfers. The organization should also be prepared to answer due diligence questions from customers regarding disclosures to public authorities and related issues raised in the CJEU opinion. It will be important to have a clear understanding of whether, in practice, the organization has needed to respond to such intelligence gathering by public authorities in the past, as well as what it's policies and practices are for responding going forward. Depending on the context, some organizations may be able to adopt other strategies. For example, if the organization engages in direct to consumer online transactions, it might be able to narrow the data collections to that which is necessary to perform the transaction with the consumers."

Can or should EU-U.S. Privacy Shield participants recertify considering the “Schrems II” decision?

• U.S. Department of Commerce guidance: In part — “This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
• U.S. Department of Commerce FAQs: In part — “[O]rganizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.”
• U.S. Federal Trade Commission guidance: In part — “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework ....”
• Next steps for Privacy Shield participants: In part — “Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply. If an organization were to decide to disregard its Privacy Shield commitments, it could still be subject to action by the U.S. Federal Trade Commission. The organization might also have obligations in agreements with customers or others to adhere to the Privacy Shield, and those commitments may not be terminated merely because of the CJEU ruling. As such, organizations need to be mindful to continue to adhere to Privacy Shield obligations even in this interim period following ‘Schrems II.’”

• Swiss Federal Data Protection and Information Commissioner statement: In part — “After closely analysing the (Swiss-U.S. Privacy Shield) regime, the FDPIC concludes in his position paper of 8 (Sept.) 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the (U.S.) pursuant to the Federal Act on Data Protection.”
• Swiss Federal Data Protection and Information Commissioner Policy paper: In part — “Because there is no guarantee of rights that would afford persons concerned in Switzerland protection comparable to that afforded by Art. 13 paras 2 and 29 ff. FC, Art. 8 ECHR and Art. 4 FADP, the FDPIC considers that data protection within the meaning of Art. 6 Para. 1 FADP is insufficient in the (U.S.), even for the processing of personal data by (U.S.) companies that are certified under the PS regime. As a result of this assessment based on Swiss law, the FDPIC concluded that the indication ‘Adequate level of protection under certain circumstances’ had to be removed for the (U.S.) in the FDPIC’s list of countries.”

Does “Schrems II” impact use of the EU-U.S. Privacy Shield to transfer personal data from the U.K. to the U.S.?

• EDPB information note on BCRs with U.K. supervisory authority as lead authority: In part — “BCR holders who have the UK SA as their BCR Lead SA need to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA. The change of BCR Lead SA will have to take place before the end of the Brexit transition period.” The note further states it “is without prejudice to the analysis currently undertaken by the EDPB on the consequences of the CJEU judgment DPC v. Facebook Ireland and Schrems for BCRs as transfer tools.”
• U.K. Information Commissioner’s Office statement: In part — “The (EDPB) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the (SCCs), and this guidance still applies to (U.K.) controllers and processors. Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime, you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the U.S. or elsewhere. The receiver of the data may be able to assist you with this. The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.”
• Impact of “Schrems II” on the U.K.: In part — “Although the U.K. formally left the EU Jan. 31, nearly all EU law continues to apply in the U.K., including CJEU jurisdiction, until the end of the transition period Dec. 31. This means that companies transferring data from the U.K. to the U.S. were able to rely on the EU-U.S. Privacy Shield until the end of this year. This is no longer the case following Privacy Shield's invalidation. The ‘Schrems II’ judgment immediately disrupts U.K.-U.S. data flows, and organizations will have to use alternative safeguards, like SCCs or (BCRs) to remain compliant.”

Can a business use SCCs to transfer data to the U.S.?

• On June 4, 2021, the European Commission released new standard contractual clauses for international transfers. Organizations will need to use these SCCs for all new data transfer contracts beginning late September 2021, and incorporate them into existing data transfer contracts beginning late December 2022. These new SCCs impact the answers to each of the questions below. These should be read in conjunction with the EDPB’s recommendations on supplementary safeguards cited in the relevant section below.
• LinkedIn Live: SCCs master class
• Analyzing the new SCCs
• EDPB Recommendations 01/2020: In part — “The CJEU held that Section 702 of the U.S. FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary. This means that the level of protection of the programs authorised by Section 702 FISA is not essentially equivalent to the safeguards required under EU law. Assessment: If your assessment of the relevant U.S. legislation leads you to consider that your transfer might fall within the scope of Section 702 FISA, but you are unsure if it falls within its practical scope of application, you may decide either: 1. To stop the transfer; 2. To adopt appropriate supplementary measures that ensure effectively a level of protection of the data transferred essentially equivalent to that guaranteed in the EEA; or 3. To look at other objective, reliable, relevant, verifiable and preferably publicly available information (which may include information provided to you by your data importer) to clarify the scope of application in practice of Section 702 FISA to your particular transfer. …”
• U.S. Government Letter and White Paper: In part — “[I]n an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the (CJEU's) ruling, the U.S. government has prepared the attached white paper, which outlines the robust limits and safeguards in the United States pertaining to government access to data.”
• Irish Data Protection Commission statement on “Schrems II”: In part — “[W]hile in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
• Early DPA guidance concerning the use of SCCs: In part — “(Data protection authorities) across the continent have offered strikingly disparate assessments of what the ruling means for EU-U.S. data transfers that rely on (standard contractual clauses). While several DPAs — notably in Berlin, Hamburg and the Netherlands — seemed to have declared them to be mostly invalid and advised companies to cease such transfers and/or switch to local providers, others, such as those in the U.K., France and Spain, seemed to have not explicitly deemed them invalid. Another group of DPAs, which includes Ireland’s (Data Protection Commission) and Germany’s (Federal Commissioner for Data Protection and Freedom of Information), have taken what could be described as an intermediary position between these two points, advising companies that they may continue to rely on SCCs but must heed the risks inherent in the mechanism and undertake additional assessments to determine if these transfer are lawful.”
• Comments by Hogan Lovells Partner Eduardo Ustaran: In part — “Ustaran said it's important to note that while the court said SCCs work in principle, they also have to work in practice. ‘For a mechanism to work in practice, one has to assess effectively if they can comply with the obligations in the clauses. The reality is the (SCCs) were almost too good to be true in the sense that it was a very easy-to-use mechanism,’ Ustaran said. ‘You can just search for it, print it, sign it, put it in the drawer and forget about it. What the court is reminding us is that this (is) a mechanism that creates legal obligations, and if the parties can not comply with those obligations, the mechanism doesn’t work, and therefore the data transfers are not valid.’”

Can a business use SCCs to transfer data to other third countries outside of the EU?

• EDPB guidance: In part — “The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the U.S. applies for any third country. The same goes for BCRs. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness. ... Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers.”
• Article by Baker McKenzie’s Francesca Gaudino and Michael Egan on controller-to-processor SCCs: In part — “The decision by the Court of Justice of the European Union in ‘Schrems II’ provides that the controller-to-processor (SCCs) are a viable mechanism for data transfers from the EU to third countries but identified further conditions that need to be considered when implementing them to address the requirement to provide ‘adequate protection’ to such transfers.”
• Article by Baker McKenzie’s Harry Valetk and Julia Kaufmann on controller-to-controller SCCs: In part — In part: “Considering the CJEU’s reasoning in ‘Schrems II,’ it also seems unavoidable to apply the additional conditions for transfers under C2P SCCs to transfers under C2C SCCs. While Articles 46(1) and (2)(c) of the EU General Data Protection Regulation were analyzed by the CJEU only for C2P SCCs, they represent the same legal basis for transfers under C2C SCCs. Article 46(1) of the GDPR, moreover, specifically says that data transfers to a third country may only occur on the condition that data subjects have enforceable rights and legal remedies.”

Can businesses still transfer data to the U.S. using BCRs?

• EDPB guidance: In part — “Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
• BCRs: In part — “[T]he Court of Justice of the European Union has not in any way touched upon the validity of existing BCRs. That said, BCRs are essentially another ‘adequacy instrument,’ just like the (SCCs) and EU-U.S. Privacy Shield. ... In practice, the main difference is that the burden on assessing the adequacy of the safeguards rests with the supervisory authorities if a company uses BCRs, while the user of SCCs must, according to the CJEU, make its own adequacy assessment and is accountable if wrong.”

Can businesses use BCRs to transfer data to other third countries outside of the EU?

• EDPB guidance: In part — “The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the U.S. applies for any third country. The same goes for BCRs. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.”

• EDPB guidance: In part — “It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision.” The guidance cites footnote 5, “EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, p.3.”
• Data Transfers from the EU: Will Derogations Save the Day?”: In part — “The point of Article 49 is for it to be used in situations where a country hasn’t been considered to offer adequate protection … and then secondly where you can’t use appropriate safeguards, so where you can’t use standard contractual clauses, binding corporate rules. … I think there is somewhat of a paradox almost at the heart of GDPR here, at the provisions dealing with data transfers and that is because all of the provisions in Chapter V … have to meet the general principle set out in Article 44 which is that any transfer of personal data to a third country or international organization must comply with the conditions in Chapter V … to ensure that the level of protection guaranteed by the regulation is not undermined.”
• Use of derogations for data transfers post "Schrems II": In part — “[T]he Court states that its decision to invalidate Privacy Shield won’t create a ‘legal vacuum’ for data transfers because organizations can still turn to Art. 49 derogations. Similarly, in its guidance on the decision, the European Data Protection Board (EDPB) points to derogations as an available mechanism for continuing to transfer data to the U.S. ‘provided the conditions set forth in [Art. 49] apply.’ The EDPB refers businesses that wish to rely on derogations to its 2018 guidelines on Art. 49 derogations. To use any of these derogations, a business must be mindful of the details and document its decision. Each derogation comes with its own set of administrative and technical requirements. Read on for our summary of the EDPB’s guidelines on a few of the derogations relevant to commercial transfers: consent, contract, and compelling legitimate interests.”
• Derogations: In part — “The receiving country's legal system and adequacy of its data protection level do not generally play a role in determining the applicability of the derogations. Thus, companies that can currently rely on the derogations should be able to continue to do so (although this may be different for the ‘compelling legitimate interest’ derogation, …) … The title of Article 49 alone, ‘Derogations in specific situations,’ suggests derogations have a limited scope of applicability. Further, the European Data Protection Board made it clear in its 2018 guidance that derogations only apply where there are no other transfer mechanisms available, and companies have considered other solutions. Therefore, the derogations only serve as an exception to the requirements for cross-border transfers and should not be a standard, everyday solution to cover such transfers.”

How do businesses conduct case-by-case assessments of the sufficiency of foreign protections when using SCCs, BCRs or other transfer mechanisms?

• EDPB Recommendations on measures that supplement transfer tools to ensure compliance: In part — “Your assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on. Examining also the practices of the third country’s public authorities will allow you to verify if the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the personal data transferred. Examining these practices will be especially relevant for your assessment where: (i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice; (ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking; (iii) your transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality). …”
• EDPB Recommendations on the European Essential Guarantees for surveillance measures: In part — “The aim of the updated European Essential Guarantees is to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.”
• Recommendations on supplementary measures: In part — “We expanded on the possible sources of information that data exporters may use, of course information that also may be provided in cooperation with the data importer. One of these possible sources is the practical experience of the importer, for instance having received a request from public authorities in that third country or not having ever received a request from public authorities in that third country. This doesn’t mean that data exporters can rely solely on the practical experience of the data importer. … It always needs to be contrasted and corroborated by other elements. This could be other exporters working in the sector [or] … other sources of information … in Annex 3.”
• Discussion on data transfers in practice: In part — “Mak[e] sure that you look at it holistically, that you still did that case-by-case analysis, that you were looking at the time span from when that one request may have come into play, that you were looking at the specific circumstances. Even though it was the same type of data it might be a different type of company, a different type of product. So, I think it is a lot more nuanced…I think there is that opportunity to do that risk-based assessment.”
• EDPB’s data transfer recommendations adopt a risk-based approach with teeth: In part — “Although subjective factors such as practical experience may now play a role in assessing the adequacy of a transfer, the final recommendations carefully circumscribe the manner in which organizations may conduct this broader analysis. In addition to reviewing the legal framework that applies in the receiving country, organizations should take into account ‘relevant, objective, reliable, verifiable and publicly available or otherwise accessible’ information that reveals whether the transferred data will be appropriately safeguarded in practice. An expanded annex to the recommendations outlines the types of sources that may be used when conducting this analysis, including reports from regulators, parliamentary and independent oversight bodies, reports from providers of business intelligence, as well as from business, professional and trade associations, and ‘warrant canaries’ (i.e., public statements indicating that law enforcement and national security requests have not been received) from the importer or entities in the same industry sector. …”

When conducting case-by-case assessments, what is the appropriate comparator of sufficiency, as established by the Court of Justice by the EU in ‘Schrems II’?

• ‘Schrems II’: The Immediate Aftermath: In part — “One of the issues that was addressed … was what the appropriate comparator is when regulators or companies are doing this assessment, whether it is a comparison to EU law, Member State law or Member State practices governing government access and the protections around government access. The Court seems to have been fairly clear that we are looking at EU law here not Member State law or Member State practices as the appropriate comparator.”

What supplementary measures can companies use to provide sufficient protections when case-by-case assessments reveal deficiencies?

• EDPB Recommendations on measures that supplement transfer tools to ensure compliance: In part — “These recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and practices and the transfer tool you are relying on, as you will be held accountable for any decision you take on that basis. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.”
• Discussion with EDPB rapporteur for the recommendations on supplementary measures: In part — “Supplementary measures … it’s usually only in combination that they can be truly effective. So even if we are talking about encryption, proper encryption needs appropriate organizational measures, needs to have some procedures in place, some policies. And even to be able to implement encryption into a transfer, you need a contractual obligation….”
• Discussion on data transfers in practice: In part — “The next two to four years is going to be about tactical implementation of privacy controls. Minimization counts now. Privacy by design counts. Using encryption in the right way, using pseudonymization. Historically, we have been very comfortable moving a lot of data just because we have to move a lot of data. Now, we have to look at that data and say, OK, we only need to move these data sets and here’s how we’re going to protect it….”
• EDPB’s data transfer recommendations adopt a risk-based approach with teeth: In part — “As with the first draft of the recommendations, encryption is offered as an example of a supplementary measure that can ensure adequate protection, provided that the cryptographic function is sufficiently strong and the encryption key is not accessible by public authorities within the receiving country. The final recommendations, however, introduce a degree of uncertainty concerning the use of encryption. Specifically, footnote 81 highlights that ‘protective capacity of cryptographic algorithms is subject to decline over time’ as computing power and techniques improve. As a result, encryption must be viewed as a time-limited solution: an implicit call for shorter retention periods to prevent the risk of encryption algorithms being cracked over time.”

• Transferring HR data: In part — “The CJEU's decision has the potential to severely disrupt U.S. multinationals' administration of their global workforce. Those who have relied on Privacy Shield to transfer personal data from their EU subsidiaries to the U.S. parent corporation and U.S. affiliates, or to U.S.- based service providers supporting global HR administration, will need to identify an alternative data transfer mechanism. The alternatives, however, are limited. BCRs are not a practical solution for many U.S. multinational employers because of their complexity and the required investment of time and budget to implement them. At the same time, the European Data Protection Board has effectively eliminated consent as an option for cross-border transfers of employees’ personal data. While SCCs remain valid, their utility as a data transfer mechanism could be short-lived.”

• Discussing technology, media and telecommunications services after “Schrems II”: In part — “At a minimum, providers must offer the contractual safeguards their customers need to buy and use their services in compliance with applicable law. According to the GDPR, this means unmodified SCC and national data protection laws pile on requirements in some countries.”
• Will the EU become an information island?: In part — “That means, for example, that a manufacturing company in Germany that wants to outsource its data center to India must determine whether the laws of India sufficiently protect personal information, a pharmaceutical company in the Netherlands that wishes to share research to fight COVID-19 with researchers in Brazil must determine if the Brazilian government engages in bulk surveillance, and a company in France that wishes to share the names and email addresses of its employees with its parent company in Singapore as part of a global employee directory must determine if those French citizens could obtain appropriate judicial redress for privacy violations in Singapore.”

• Using SCCs post-'Schrems II': Guidance from DPAs