By James D. Snyder, Senior Counsel, Klinedinst PC
On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems (Shrems II). The EU high court invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework. If you are one of more than 5,000 US companies with European users of customers, and you transfer their personal data to the US for company use, the EU’s top court has now thrown a wrench into your authorization and you will need to figure out an alternative mechanism to authorize the transfers immediately.
Enter California’s California Consumer Privacy Act of 2018 (CCPA), which has been in effect since January 1, 2020. Many have commented that the CCPA is similar to, and in some instances, more stringent than the EU’s General Data Protection Regulation (GDPR). So, could California’s own CCPA lead the way toward California businesses’ transfers of EU data being adequate? This article suggests that California ask the European Parliament this very question; now!
In the aftermath of the death of the US-EU Safe Harbor regime and the implementation of GDPR, the US and the EU agreed on a mechanism called Privacy Shield to authorize the transfer of data from the EU to the US. An alternative for companies transferring data from the EU to the US is to enter into Standard Contractual Clauses (SCC), which are European Commission approved clauses that outline a range of rights that are responsibilities in line with GDPR. In essence, if you are a US company that relied on Privacy Shield until you put a new mechanism in place like SCCs, you cannot serve users or customers in the EU.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the EU Commission and Swiss Administration to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US. In 2016, Privacy Shield was essentially created for ease because, like now, many US companies were without any legal mechanism to make authorized transfers when the Safe Harbor regime was struck down by the EU high court. To use the Privacy Shield register, companies self-certify that they will essentially comply with EU data protection rules. This does not mean that companies who do not already enter into SCC’s to conduct the transfers but suffice to say that many transfers simply relied on this self-certified registration.
The CCPA is a broad law enacted in the State of California that applies to businesses inside and outside of the state, as well as internationally. The CCPA created new data privacy rights for California consumers, requiring businesses to tell them what personal information has been collected and how the business (or any third party) is using the information. Consumers can force businesses to delete their data or prohibit the business from sharing personal information with third parties. (Note that the California data protection process is ongoing with CCPA 2.0 looming on the upcoming ballot, but the updated law would be more restrictive and any updates shouldn’t impact a question of adequacy.)
During the third annual review of the data-transfer agreements at the European Parliament, the question was posed to members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (when discussing its October 23, 2019 report with representatives of the European Commission and European Data Protection Board)–is it possible for California itself to have its own Privacy Shield arrangement, separate from the other 49 states in the US? The response from the commission was, in principle, yes. The commission explained that GDPR provides for the possibility to recognize a territory at a sub-federal level adequate, so in principle, the commission’s answer was yes. Given 5,000-plus US companies (many of which must or have become compliant with CCPA) are now in violation of GDPR, California should immediately press the EU to confirm the adequacy of CCPA compliance in lieu of Privacy Shield.
GDPR Article 45(1) states, “A transfer of personal data may take place where the commission has decided that the third country [or] a territory within that third country ensures an adequate level of protection,” and 45(3) states, “The implementing act shall specify its territorial application.”
Whether the CCPA would be adequate is likely not the only thing that would be assessed. Like the analysis of Privacy Shield’s adequacy, California’s regime would need to have independent oversight and possibly show that data could be retained within California to pass muster. There is also the question of whether California has the constitutional power to ask for such an agreement and an analysis of conflicts of law issues between the GDPR, the CCPA, and various domestic US laws would need to be assessed. None of the above however should prevent the State from seeking these answers on behalf of its businesses, which likely make up the majority of impacted US businesses.
If California were its own nation, it would be the fifth-largest economy in the world. With a GDP of $2.9 trillion, California would slot between Germany and the United Kingdom in the world’s top economies. California has set the tone for data protection overhauls across the US with the likes of Nevada, New Hampshire, Washington state, Illinois, Virginia, and Florida, to name a few, joining California enacting or actively pursuing data protection overhauls. The Consumer Data Privacy and Security Act of 2020 has also been widely discussed, as the US begins contemplating a Federal data protection regime, but the process is nowhere near complete and many have commented that the Federal bill or alternatives are not nearly as stringent as CCPA, raising adequacy concerns in relation to GDPR.
The European Commission must follow a four-step process to adopt an adequacy decision. First, it must make an initial proposal finding that the third country’s domestic laws are adequate. Article 45(2) of the GDPR provides the framework of this proposal and the European Data Protection Board’s (EDPB adequacy referential includes additional context. Further, the European Court of Justice explained that adequate in the context of an adequacy decision means “essentially equivalent” and does not mean exact alignment with EU privacy laws. Second, the EDPB provides an opinion on the draft proposal. Third, the EU parliament comments on the draft, and finally, the European Commission subsequently adopts the proposal.
The US has a single law in California’s CCPA, that is in place now in the world’s 5th largest economy, that the EU Parliament has already acknowledged could be adequate in and of itself. California must act now to seek a California-EU (and Switzerland) agreement to allow California-compliant businesses to conduct EU-California transfers pursuant to businesses’ compliance with the CCPA. Adequacy decisions by the European Commission are not generally fast and the State of California should make all efforts to begin immediately in the wake of Shrems II.
About the Author
In his practice, Mr. Snyder represents clients in business transactions, M&A, and data privacy issues. He provides legal and compliance counsel to emerging startups and established companies in areas involving licensing, finance and investments, data privacy and security, corporate structuring, contracts, patent, trademark, copyright, and domain portfolios. He has built a reputation as an outside General Counsel, providing legal guidance on a wide range of issues. For questions about policies, documentation, or best practices for remote employees, contact Mr. Snyder at firstname.lastname@example.org.
Klinedinst is the go-to firm for clients looking for litigation, trial experience, transactional representation, and legal counsel. The firm’s offices in Los Angeles, Sacramento, San Diego, Irvine, and Seattle service the entire West Coast. What sets Klinedinst apart is the relationship our attorneys foster with each and every client. Klinedinst lawyers are indispensable strategic partners to business leaders, helping to achieve business objectives and create proactive solutions to resolve the many legal challenges that businesses are confronted with every day. Whether vigorously advocating for business clients in court, or guiding business transactions and negotiations, Klinedinst is the trusted legal advisor to have by your side.
This article is intended to be for informational purposes only. This information does not constitute legal advice. The law is constantly changing and the information may not be complete or correct depending on the date of the article and your particular legal problem. The use of information from this article does not create any type of attorney-client relationship.