Trouble Ahead for Global Data Exchanges: The Court of Justice of the EU Strikes Down “Privacy Shield”

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a highly anticipated ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). The case centers on the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) – both of which are methods widely used by U.S. businesses to comply with the EU’s laws regarding the transfer of personal data to countries outside the EU. In considering the effectiveness of data protection in cross-border data transfers, the decision dealt a decisive blow to U.S. companies that rely on the Privacy Shield, by invalidating that mechanism. The Court upheld the validity of SCCs, but created new obligations for organizations across the globe that engage in data transfers with the EU.

In the Beginning: Schrems’ Complaint Against Facebook
The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data to non-EU countries that do not provide an adequate level of protection for personal data under applicable national law. Data exporters, therefore, must identify and use transmission methods that are compliant with GDPR. Two of these methods for U.S. companies are SCCs and Privacy Shield.

Max Schrems, an Austrian privacy advocate, filed a complaint against Facebook, the American social media company, with the Data Protection Commissioner (DPC) in Ireland, where Facebook is incorporated. The complaint challenged Facebook’s use of data transfers from Irish servers to those in the United States. Schrems maintained that U.S. laws do not sufficiently protect the data privacy of EU consumers, arguing that the EU data is at risk of being accessed and processed by the U.S. government once transferred. Schrems also alleged that there is no legal remedy that ensures protection of EU data once it transfers to the U.S.

The DPC brought proceedings against Facebook in the Irish High Court, which, in turn, referred questions to the CJEU for a preliminary ruling, including questions regarding the validity of the EU-U.S. Privacy Shield and SCCs.

While the original complaint was filed against Facebook, the outcome of the Schrems II decision affects businesses throughout the world.

The Decision
The focus of the CJEU’s decision in Schrems II is whether the data transfer mechanisms used to establish “adequate protection” of personal data transferred from EU data exporters were successful. The decision considered two major mechanisms: the EU-U.S. Privacy Shield, which the CJEU found to be invalid, and SCCs, which were upheld, but face major hurdles.

Privacy Shield
In October 2015, the CJEU in Schrems v. Data Protection Commissioner (Schrems I) invalidated the agreement between the EU and the U.S. for commercial data transfers, which was known as the “Safe Harbor” arrangement. In Schrems I, the Court found that the Safe Harbor arrangement was inadequate in protecting data privacy for EU consumers. In February 2016, a political agreement known as the EU-U.S. “Privacy Shield” was jointly proposed by the European Commission and the Obama Administration. The Privacy Shield agreement was created to replace Safe Harbor and to serve as the basis for the European Commission’s decision that the U.S. has an adequate system regarding data protection, government surveillance, and consumer privacy. Privacy Shield allows for the transfer of personal data from the EU to U.S. companies that self-certify compliance with certain privacy standards.

Because U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the CJEU found that the level of protection afforded to EU users does not meet the level of privacy protection guaranteed in the EU by the GDPR.

The Court found that U.S. laws do not account for the principle of proportionality and do not limit data collection to that which is necessary. Furthermore, the Court found, EU users do not have actionable rights before U.S. courts. Although the U.S. initiated an “ombudsperson” program as an additional way for EU data subjects to address the transfer of their data from the EU, the CJEU rejected the argument that the ombudsperson program satisfies the GDPR right to judicial protection. The Court found that the program does not provide EU users with a cause of action substantially equivalent to those offered by European law and that the ombudsperson “cannot be regarded as a tribunal.”

With the invalidation of the Privacy Shield, the more than 5300 U.S.-based companies that rely on the Privacy Shield for compliance are no longer permitted to use it as the basis for transferring personal data from organizations located in the EU.

Standard Contractual Clauses
SCCs are sets of template contract clauses, approved by the European Commission, which are agreed to by the data exporter and data importer. SCCs require certain commitments from the parties, meant to protect the privacy rights of those whose data are transferred.

The CJEU found that the SCCs for the transfer of personal data remain valid. However, the Court added a step, finding that before transmission may occur, there must be an assessment of the context of each transfer. This includes evaluating: the laws of the country where the recipient is based; the nature of the data being transferred; the privacy risks to the data; and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection under EU law.

The Court also found that the data importer must inform the exporter of any inability to comply with the standard data protection clauses.

Implications of the Decision
The effects of the Schrems II decision will be far-reaching and, in the short term, the ruling stands to significantly disrupt EU-U.S. personal data transfers and the businesses that rely on them. Companies that rely on the Privacy Shield need to identify an alternative data transfer mechanism, like SCCs, to continue business as usual. Although a grace period for enforcement may be granted, the need for such organizations to implement alternative mechanisms is urgent. The GDPR allows for fines in the amount of 4% of a company’s global revenue. While these fines have not yet been imposed as a sanction, companies face considerable risk if they fail to address the Schrems II decision.

It is important to remember that SCCs remain valid, although the companies that rely on them face a higher burden of assuring there is an “adequate level of protection” for personal data as required by EU law. These organizations will have to monitor the relevant policies of various countries’ legal systems in order to comply with the ruling regarding SCCs and, if necessary, suspend data transfers.

Although Schrems II struck a blow to one data privacy compliance mechanism, the U.S. and the EU have a proven history of working together to resolve data protection issues. As with the invalidation of the Safe Harbor agreement in 2015, both the U.S. and the EU have a strong interest in finding a successor agreement to Privacy Shield. Whether the CJEU’s objections to the data protection that Privacy Shield affords EU users can be sufficiently addressed remains to be seen.
