EU’s Highest Court Upends Personal Data Transfers to the United States: Action Steps for U.S. Multinational Employers to Keep HR Data Transfers on Track

The Court of Justice of the European Union (“CJEU”), on July 16, 2020, invalidated the European Union-U.S. Privacy Shield Framework (“Privacy Shield”), which more than 5,300 U.S. organizations had relied on to lawfully transfer personal data from the European Union (“EU”) to the United States.1 While the same decision upheld the validity of the Standard Contractual Clauses (“SCCs”), also used by thousands of U.S. organizations to transfer EU personal data to the United States, the CJEU’s ruling opened the door for EU data protection regulators to suspend data transfers between the EU and United States that rely on the SCCs. These tectonic shifts in the data protection landscape raise substantial challenges for U.S. multinational employers that have relied on Privacy Shield and SCCs to centrally manage their global workforce from the parent corporation’s U.S. headquarters.

After briefly explaining the data transfer framework established by the EU’s General Data Protection Regulation (“GDPR”), we will describe the key elements of the CJEU’s decision and identify its most critical implications for transfers of human resources (“HR”) data from the EU to the United States. We conclude by recommending short- and long-term action items for U.S. multinational employers in response to the Court’s ruling.

Transferring HR Data from the EU to the United States Before the CJEU’s Decision

Trans-Atlantic transfers of HR data from the EU to the United States are a daily occurrence within U.S. multinational corporations. On any given day, HR stakeholders and supervisory personnel in the EU may upload personal data concerning EU employees to a global human resources information system (“HRIS”) or to other business applications hosted on servers in the United States, or may send emails, electronic files, and other documents containing the personal data of EU employees to their U.S. counterparts. These data transfers are the lifeblood of a U.S. multinational’s global administration of its workforce.

The GDPR generally would prohibit transfers of EU personal data to the United States because the European Commission has not issued a determination that U.S. law provides an adequate level of protection for EU personal data. As a result, U.S. multinational employers that wish to receive personal data of their EU workforce must enter into a legally binding “data transfer mechanism” approved by the European Commission or transfer the data subject to a derogation, as described below. These data transfer mechanisms require the receiving entities in the United States (“data importers”) to implement and maintain a range of safeguards to protect transferred EU personal data. Privacy Shield and SCCs are the two approved data transfer mechanisms most commonly used by U.S. multinational employers.

Under Privacy Shield, the European Commission permitted U.S. multinational employers to perform intra-company transfers of the personal data of their EU employees provided the receiving parent corporation and U.S. affiliates first certified to the U.S. Department of Commerce that they would comply with the “Privacy Shield Principles.” These Principles are intended to extend the fundamental rights that EU employees have under the GDPR to their data transferred to the United States. Employers that self-certified to Privacy Shield agreed to subject themselves to the investigatory and enforcement powers of EU data protection regulators.

As an alternative, U.S. employers could transfer EU employees’ personal data using SCCs. The SCCs, as their name suggests, are standard contract clauses, approved by the European Commission, that are executed by EU subsidiaries as “data exporters” and the U.S.-based data importers. These standard clauses impose on data importers data handling requirements similar to those applicable to data exporters under the GDPR. Notably, in the event the employer does not comply with these data processing principles, the SCCs provide EU employees with a right to enforce the terms of the contract, and even collect damages.

While not as commonly used as Privacy Shield and SCCs, U.S. multinational employers could also transfer EU personal data to the United States based on a set of “binding corporate rules” (“BCRs”) that satisfy the GDPR’s requirements. BCRs must be tailored to each organization and do not take effect until they have been approved by the competent lead data protection regulator under the GDPR’s consistency mechanism, a process that involves the data protection authorities of the other EU Member States where the U.S. multinational employer has employees.

As a fourth alternative, the GDPR permits organizations to rely on “derogations,” or narrow exemptions to the prohibition on the transfer of data to a third country like the United States. Under the GDPR, transferring personal data with the explicit consent of the data subject is a recognized derogation.

The CJEU’s Decision Invalidating Privacy Shield and Putting in Doubt Use of SCCs

The CJEU’s decision is the latest legal outcome of proceedings set in motion by an Austrian national, Maximilian Schrems, in 2013. Schrems filed a complaint with the Data Protection Commissioner of Ireland on the grounds that Facebook Ireland’s transfers of his personal data from Ireland to the United States violated EU data protection law. Schrems contended that U.S. law failed to provide adequate protection for his personal data against U.S. government surveillance. The case eventually moved to the High Court of Ireland, which referred to the CJEU questions regarding the validity of Privacy Shield and the SCCs.

The CJEU’s invalidation of Privacy Shield turned primarily on U.S. surveillance law, which permits U.S. intelligence agencies to access in bulk personal data transferred from the EU to the United States, and which Privacy Shield did nothing to constrain. In particular, the CJEU found that EU residents lack enforceable rights in U.S. courts regarding the undifferentiated collection of their personal data. According to the CJEU, this means that Privacy Shield does not provide a level of protection for transferred personal data that is essentially equivalent to that required by the GDPR.

The CJEU upheld the validity of the SCCs as a data transfer mechanism. However, the Court also ruled that EU data protection authorities have the power to suspend transfers of personal data from the EU to a third country, such as the United States, after determining that the third country’s laws interfere with the data importer’s ability to comply with the SCCs’ requirements. The CJEU did not address whether U.S. laws that permit U.S. intelligence agencies to access transferred personal data in bulk and without judicial recourse undercut the validity of the SCCs as applied to data transfers between the EU and the United States. However, that issue likely will be addressed in the underlying proceeding in Ireland after the case is remanded. In light of the CJEU’s invalidation of Privacy Shield, the Irish proceeding could result in a finding that the SCCs do not provide adequate protection for data transferred from Ireland to the United States.

Such a ruling would not be binding in any other EU Member State. However, at least some data protection authorities in other Member States could reach the same conclusion. In addition, the European Data Protection Board (“EDPB”), the body that coordinates the EU’s national data protection authorities, could adopt a similar position that those authorities would then follow. In short, it is possible that the SCCs could no longer be used to transfer personal data from any EU country to the United States.

Even worse for U.S. multinational employers, the CJEU’s scrutiny of whether U.S. data importers can comply with their obligations under SCCs may embolden EU data protection authorities to question whether SCCs could be used to transfer personal data to other third countries—for example, when the personal data of a German employee of an Indian subsidiary is transferred to a manager in India. In its opinion, the CJEU recognized that the SCCs are intended to allow data transfers to countries without data protection laws equivalent to those of the EU. The CJEU emphasized that data exporters and data importers should add supplemental provisions to the SCCs as needed to compensate for the risks posed by these transfers. Nevertheless, where national laws give foreign governments access to EU personal data, U.S. multinationals may have no way to protect that data in accordance with EU standards. This could lead, for example, to a suspension by some EU data protection authorities of data transfers to India, China, Russia, and other nations.

Implications of the CJEU’s Decision for U.S. Multinational Employers

The CJEU’s decision has the potential to severely disrupt U.S. multinationals’ administration of their global workforce. Those U.S. multinationals that relied on Privacy Shield to transfer personal data from their EU subsidiaries to the U.S. parent corporation and U.S. affiliates, or to U.S.-based service providers supporting global HR administration, will need to identify an alternative data transfer mechanism. However, none of the alternatives are particularly palatable.

The CJEU’s decision did not address, let alone put into question, employers’ use of binding corporate rules. However, BCRs are resource-intensive documents that are time-consuming and expensive to implement because, as noted above, they must be tailored to each organization’s own data-handling processes and must be approved by the competent lead data protection regulator in consultation with the data protection authorities of the other EU Member States where the U.S. multinational has employees.

Reliance on employees’ consent also is not a viable option. Although the GDPR recognizes that data transfers with the data subject’s explicit consent are a permissible derogation, employers cannot rely on employee consent to justify the transfer of HR data. The European Data Protection Board has explained that, because of the imbalance of power in the employment relationship, consent given by an employee is unlikely to be freely given and is therefore presumptively invalid.

While SCCs remain a valid and viable alternative to Privacy Shield, and U.S. multinational employers that currently rely on SCCs can continue to do so, their utility as a data transfer mechanism could be short-lived. As explained above, the CJEU’s decision may be used in the underlying proceedings in Ireland to support the suspension of data transfers between Ireland and the United States. Such a decision could cascade into an EU-wide ban on data transfers to the United States based on SCCs.

Next Steps for U.S. Multinational Employers

Given the potentially serious implications of the CJEU’s decision for U.S. multinational employers, what are possible next steps?

First, there is no need to panic, yet. The CJEU’s decision affects thousands of businesses on both sides of the Atlantic. EU and U.S. authorities are under tremendous political and economic pressure to develop an alternative approach before a final judgment is issued in the Irish proceeding suspending data transfers from Ireland to the United States based on SCCs. Representatives from both sides have already expressed their commitment to finding a practicable solution. The EU Justice Commissioner noted that the European Commission is working on updating the SCCs. In addition, in 2015, when the CJEU invalidated the EU-U.S. Safe Harbor framework, Privacy Shield’s predecessor, EU data protection regulators stayed enforcement for more than two months to give organizations time to respond to that decision. EU data protection regulators likely will announce a similar grace period in response to the CJEU’s decision.

In the interim, U.S. multinational employers should consider taking the following steps:

  1. Identify Data Transfers Based on Privacy Shield: Identify all transfers of HR data that rely on Privacy Shield. When reviewing transfers, do not forget those to service providers. Organizations that rely on SCCs for intragroup transfers of HR data may rely on Privacy Shield for transfers of HR data from EU subsidiaries to at least some service providers located in the United States.
  2. Transition from Privacy Shield to SCCs: To the extent an organization currently relies on Privacy Shield for intragroup transfers of HR data, the organization should consider transitioning to SCCs with the understanding that this may be a temporary solution depending on the outcome of the Irish proceedings. Notably, the EU Commission may issue a new version of the SCCs, but any such new version likely will incorporate many elements of the existing SCCs. Therefore, time spent transitioning from Privacy Shield to the current SCCs may bring the organization much of the way to complying with any soon-to-be-issued new version.
  3. Propose SCCs to Service Providers that Rely on Privacy Shield: Many service providers that help U.S. multinationals manage their global workforce had relied on Privacy Shield. U.S. multinational employers should consider proposing SCCs to any service provider that had relied on Privacy Shield.
  4. Revise Data Processing Notices: The GDPR requires employers to provide data processing notices to applicants, employees, independent contractors, and any other individual whose personal data they process subject to the GDPR. These notices must address a long list of topics, including whether personal data is transferred outside the EU and, if so, an identification of the approved data transfer mechanism. Employers that had relied on Privacy Shield will need to revise these notices to reflect the replacement data transfer mechanism that they implement.
  5. Continue to Comply with Privacy Shield: Organizations that have certified to Privacy Shield must continue to comply with the Privacy Shield Principles for the duration of the certification. Organizations can withdraw from Privacy Shield by formally submitting a request to withdraw. However, if the organization retains personal data that it received on the basis of its Privacy Shield certification, the organization must continue to comply with the Privacy Shield Principles with respect to that data or otherwise provide adequate data protection for that data, such as through SCCs.
  6. Watch for Political Developments: Remarks from members of the European Commission in the aftermath of the CJEU’s decision reflect their recognition of the decision’s wide-ranging impact. They almost surely will be looking for ways to promptly avoid the serious disruption that could result from the CJEU’s decision. U.S. multinational employers should expect public announcements over the coming weeks from the European Commission and/or other EU or U.S. governmental authorities that should provide direction on additional next steps.

See Footnotes

1 CJEU Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). The judgment invalidates Privacy Shield, Commission Implementing Decision (EU) 2016/1250. It reinforces the continued viability of the standard contractual clauses (also referred to as “model clauses”), including as adopted by Commission Decision 2010/87/EU.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.