SCHREMS II – IT’S DÉJÀ VU ALL OVER AGAIN

The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the so called “Schrems II” case. If you need some background on the case, you can find our original blog post on the case here.  

The two main takeaways of the Schrems II decision are:

  1. 1. The CJEU invalidated the EU-US Privacy Shield framework.
  1. 2. The CJEU reaffirmed the validity of standard contractual clauses (“SCCs”).

While the validity of SCCs were upheld, and remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection.  Where the country doesn’t, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured. 

Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a “partial adequacy decision” falling under GDPR Article 45. In short then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.  

That’s all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased), through a two year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU’s invalidation of the Safe Harbor.  

So what does all this mean for US businesses who had relied on the Privacy Shield?  Not much over at least the next week or two, and likely longer.  Contracting counter-parties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs.  The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations. 

If US and EU negotiators can’t work together to fix this soon, companies will need to start looking at alternative to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49.  Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven’t already:

  • adopt a risk-based technical and administrative data protection program,
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another)
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to, and autonomy over, that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

Learn more and contact the Gordon & Rees Privacy, Data & Cybersecurity practice group here.

How Many Schrems Does It Take to Stop a Data Transfer?

The so-called “Schrems II” case was heard earlier this week. It’s impossible to give this topic the treatment it deserves in a single blog post. So for now, here’s a quick FAQ:

What’s this case about?

Collecting personal data from the European Economic Area (aka, the “EEA”) and transferring to other countries is restricted by law. It can be done, but companies have to use certain statutorily prescribed mechanisms. Those, more or less, have been the rules of the game since at least 1995 continuing through today under the new GDPR which you’ve probably heard a lot about.

The prescribed mechanisms have varied over the years, but one constant has been what are known as “Standard Contractual Clauses” or “SCCs.” SCCs are a set of data protection contract terms that have been pre-approved by the EU data protection regulators. In the “old days” (by which we mean the mid- to late 1990s) they were called “model clauses.”

If each of the EEA- and US-based counterparties to a data transfer transaction agree to bind themselves to the SCCs, then an otherwise prohibited transfer becomes permissible.

In simplest terms, the Schrems II case is trying to stop companies from being able to do that. The plaintiff’s claim is that the SCCs are not valid under EU law because they fail to provide adequate levels of protection for personal data.

Why do they call it Schrems II?

Schrems is the surname of an EU qualified attorney and political and privacy activist. He and the ecosystems of activist organizations around him are serial plaintiffs. This is their second (and definitely not final) attack on EU-US data transfers.

Back under the old 1995 law, one way to conduct a permitted personal data transfer was to use the EU-US Safe Harbor Framework. If a company took a couple of (pretty minimal) steps and signed up with the US Department of Commerce to be part of the Safe Harbor, it could receive personal data from the EEA.

Spurred on by the intelligence agency surveillance scandals that occurred during the Obama administration, Schrems, then a law student, brought a series of cases trying to invalidate the EU-US Safe Harbor. After a few procedural losses and a bit of forum shopping, he finally succeeded in 2015. That case became instantly known as “Schrems I” because Schrems and his supporters were already preparing their challenge to the SCCs. And, again, that’s exactly what’s happening now under Schrems II.

Didn’t the EU-US Privacy Shield replace the Safe Harbor

Yes. A detailed analysis of the Privacy Shield (and its all-important relationship to the GDPR) is beyond the scope of this post, so here’s the summary version:

The Privacy Shield is considered a “partial adequacy decision” under GDPR Article 45. As such, it allows companies to collect/transfer EEA personal data to the US as long as the US-based recipient company is Privacy Shield self-certified.

But this case isn’t about the Privacy Shield (at least not nominally—more on that in a minute) or even GDPR Article 45. As stated in the prior two FAQs, this case is about one of the other prescribed mechanisms, the long-standing SCCs which have been in existence for nearly 25 years and today fall under the aegis of GDPR Article 46.

That said, while we’re still waiting on our own confirmation, it’s being reported by reliable news sources that, in open court this past Tuesday, Schrems’ lawyers asked the court to also invalidate the EU-US Privacy Shield—despite not having actually pled or argued for it previously (in fact there is an entirely separate case for that) and despite the fact that it derives from a statutory mechanism (GDPR 45) that is separate and distinct from the SCCs (which, again, are GDPR 46).

What happens if the European Court of Justice invalidates the SCCs

Déjà vu all over again. Things will very likely look pretty much the same as they did in 2015 when the Schrems I court invalidated the Safe Harbor. Which means there will be a long interregnum during which there will be less regulation, more unfettered transfers and lots of confusion.

You see, like the too-clever-by-half Wile E. Coyote character of Warner Brothers cartoon fame, in the first case that bears his name, Schrems thought he was going to dynamite, and thereby halt, EU-US data transfers by invalidating the Safe Harbor. But in the end, the only thing that went up in smoke was his goal of protecting data transfers.

Invalidating the Safe Harbor didn’t stop transfers out of Europe to the US at all. Instead, the result in Schrems I combined with the already looming specter of Schrems II, led companies to conclude that European law was, to put it colloquially, a hot, unenforceable mess.

EU regulators, already under-staffed, under-funded and overwhelmed, were more or less paralyzed after Schrems I. So responsible, law abiding companies had to more or less make it up as they went along. Most did their best to self-regulate and relied on SCCs. Others, knowing Schrems II was imminent and SCCs thereby in doubt, used ad hoc data export/import contracts. Meanwhile, the less law abiding were all too happy to flout the spirit of the law entirely and were doing pretty much whatever they wanted with impunity.

That same environment of confusion and virtual lawlessness, rather than Schrems’ goal of stopping or better protecting US transfers, will play out again if the Schrems II court invalidates SCCs. It’ll happen a thousand-fold if the Schrems II court decides, sua sponte, to invalidate the Privacy Shield too

What can we do now to prepare?

For starters, keep reading this blog! In addition to that, remember our recurring mantra about applying the Pareto Principle to data security and privacy compliance.

Sure it’s true that there are variations between laws and some laws have real quirks (CCPA anyone?!). But it’s even more true that just about every data sec or privacy law (from HIPAA to the NY Cyber-reg to GDPR) has the following (or a very similar) set of building blocks at its foundation:

  • adopt a risk-based technical and administrative data protection program,
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to and autonomy over that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

So put that foundation in place, and check on it periodically, and you’ll be well on your way to achieving 80% compliance no matter what the Schrems II court decides.

New Massachusetts Law Creates More Stringent Notification Requirements for Data Breach Incidents

While we’ve all been busy keeping an eye on California’s CCPA mess and the brewing federal privacy legislation, Massachusetts enacted some amendments to its already stringent consumer-protection oriented privacy laws. (See MGL c.93H)

As a result of the amendments, effective April 11, 2019, Massachusetts’ general breach notification statute will include the following new requirements:

  1. Consent to Access Credit Reports – Before getting hold of a consumer’s credit report for most non-credit purposes, third parties must obtain the consumer’s consent. In the process, they also need to disclose the reason they’re seeking access.
  2. Security Freezes – Consumer reporting agencies can no longer charge a fee to consumers to place, lift, or remove a security freeze on their credit reports.
  3. Credit Monitoring Services – Companies experiencing a security breach involving social security numbers must offer affected MA residents free credit monitoring services for at least 18 months (or 42 months if the company is a consumer reporting agency). Additionally, companies that experience a security breach must file a report with the Attorney General and Department of Consumer Affairs and Business Regulation certifying their credit monitoring services comply with state law.
  4. No Waiver – Individuals affected by breaches can no longer be required to waive their private right of action as a condition to getting credit monitoring services.
  5. Breach Notice Obligations – Notice to the Attorney General and Department of Consumer Affairs and Business Regulation must include additional information such as the person responsible for the breach (if known), the type of personal information compromised, and whether the entity has a written information security program in place. Notice to consumers must include the name of the parent or affiliated corporation if the entity that experienced the breach is owned by another entity.
  6. No Delay in Notice to Residents – Notice to residents cannot be delayed on the grounds that the total number of residents affected has not been ascertained. If and when additional information is obtained, additional notice must be provided as soon as practicable and without unreasonable delay.

It’s not clear how these requirements will work in practice, but for those whose business activities expose them to Massachusetts law, existing incident response and management policies should be revisited by the end of March to make sure they reflect these new obligations.