How a “Trust-but-Verify” Approach to Privacy Supports U.S.-EU Data Transfers after Schrems II
By : Mark Kuivila
On July 16, 2020, the European Court of Justice (“ECJ”) issued its highly anticipated decision in the Schrems II case. The ECJ upheld the EU Commission’s Standard Contractual Clauses (“SCCs”) as an adequate mechanism for transferring personal data for the EU to the U.S. but, unexpectedly, invalidated the EU-U.S. Privacy Shield framework as an appropriate alternative justification. The court found that the Privacy Shield framework did not provide adequate restrictions on the ability of U.S. public authorities to access EU data subjects’ information after transfer to the U.S.
Additionally, the court highlighted that while SCCs remain valid, supervisory authorities must assess whether such agreements can provide effective protections for EU citizens given the laws of the importing country and evaluate the adequacy of individual SCCs as implemented in those jurisdictions. If SCCs are found to be inadequate or deficient on either basis, supervisory authorities must prohibit or suspend the transfers.
Invalidation of Privacy Shield has left many industry members scrambling to make sure they aren’t thrown out of compliance, but as shocking as the judgement was, we’ve actually been here before. In 2015, the ECJ invalidated the U.S.-EU Safe Harbor Framework, Privacy Shield’s predecessor in kind, on similar grounds. Now that these administrative schemes have been struck down twice, the question for policy makers becomes, “where do we go from here?”
There has been increased advocacy for federal data privacy regulation in the U.S. recently, and the Schrems decision is likely to only fuel that discussion. Even businesses operating under SCCs should be wary of the increased scrutiny regulators will likely apply to such agreements given the perceived inadequacy of U.S. privacy protections in EU courts. In light of the global trend towards data privacy, federal privacy protections could support greater transnational reciprocity and facilitate international data commerce for U.S. companies.
To ensure that businesses take more than a “sign-and-forget” approach to privacy obligations, regulators might consider adopting a “trust-but-verify” maturity mechanism similar to that used for the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”). Requiring independent third-party verification for the new international reciprocity program rather than the self-certification used for Privacy Shield would provide international regulators with assurances that U.S. companies have implemented controls to provide EU data subjects with equivalent protections to those offered by European law.
Even in the absence of a new federal reciprocity framework, U.S. and EU businesses conducting international data commerce based on SCCs would benefit from adopting a trust-but-verify component into these arrangements. Relying on self-certifications or sign-and-forget attitudes in privacy compliance leads to increased risks for all parties involved. Third-party verification helps ensure that transfers made under SCCs will stand up to the increased scrutiny that’s likely to come from supervisory authorities in the near future.