On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s decision establishing the Privacy Shield framework for international personal data transfers from the European Union to the United States. Other data transfer mechanisms, in particular the Standard Contractual Clauses adopted by the European Commission (SCCs), remain valid. But the SCCs are on shaky ground. That’s because the reasons invoked by the CJEU to invalidate the Privacy Shield – relating to U.S. government surveillance practices – apply to any data transfer mechanism. Below is an analysis of the specific implications of the CJEU ruling on Privacy Shield and an assessment of what happens next with SCCs.
How did we get here?
Max Schrems, an outspoken privacy activist in the EU, lodged a complaint with the Irish Data Protection Commissioner (DPC) in 2013 alleging that Facebook Ireland was unlawfully transferring his personal data to Facebook Inc. in the U.S. because the U.S. did not ensure adequate protection of personal data against government surveillance activities. The matter was referred through the Irish courts to the CJEU, which ruled, in October 2015, that the Safe Harbor framework (Privacy Shield’s predecessor) was invalid. When the matter went back to the DPC, the plaintiff reformulated his complaint to question transfers based on SCCs. Again, the matter was referred to the CJEU by way of the Irish High Court with questions covering both Privacy Shield and SCCs.
Before addressing the specific impacts on Privacy Shield and SCCs, it is important to highlight several significant clarifications provided by the CJEU in its ruling:
- First, absent an adequacy determination (that is, a conclusion by the European Commission that a third country’s laws ensure “an adequate level of protection” for personal data), the standard to be applied is whether the level of protection adopted (by law or by contract) is “essentially equivalent” to that which is provided under the EU’s General Data Protection Regulation (GDPR). And this level of protection must be guaranteed regardless of the legal mechanism relied upon.
- Next, EU supervisory authorities cannot invalidate the standard contractual clauses adopted by the European Commission (only the CJEU can do that, and the court found no grounds for doing so here); but the supervisory authorities must suspend or prohibit transfers based on SCCs if they conclude that the clauses are not or cannot be complied with in the destination country and the protection required by EU law cannot be ensured by other means.
- Lastly, the European Commission’s determination that the U.S. provided an adequate level of protection was flawed because U.S. law “does not provide for the necessary limitations and safeguards with regard to the interferences [authorized] by its national legislation and does not ensure effective judicial protection against such interferences.” The CJEU found that EU residents would not have effective redress in the U.S. against the government’s lawful surveillance activities.
Based on this third conclusion, the court invalidated the Privacy Shield, but left open the question whether data transfers to the U.S. pursuant to SCCs could meet the “essentially equivalent” standard.
What happens to Privacy Shield?
The Privacy Shield framework has now been invalidated, effective the date of the decision. And the CJEU concludes this will not create a legal vacuum because the GDPR provides alternatives to the Privacy Shield data transfer mechanism. So, companies relying on Privacy Shield can no longer do so and must adopt an alternative (like SCCs, discussed below). But their Privacy Shield commitments remain binding and are enforceable by the Federal Trade Commission. Companies self-certifying to the framework must therefore continue to satisfy their respective obligations including the requirements for transparency and dispute resolution.
It’s possible that the European Commission and the Department of Commerce will go back to the drawing board for an updated framework. But they cannot accomplish this task alone, as the CJEU’s decision suggests this will require U.S. legislative action, either to revise surveillance norms or provide for effective redress mechanisms.
What happens to SCCs?
SCCs will undoubtedly become the default data transfer mechanism. But now they will require more than the administrative effort of filling in the blanks and executing. Instead, as the CJEU’s decision indicates, the contracting parties will now have to analyze each data transfer to determine whether essentially equivalent protections are provided for. And this analysis must be documented consistent with the GDPR’s accountability principle.
Adopting SCCs will require the data exporter to determine whether the data importer has been or is likely to be the subject of a foreign surveillance data request and whether the data involved in the transfer is of the type typically subject to such a request. In practical terms, though, it will fall upon the data importer to provide sufficient guarantees that it (or the data) is unlikely to be the target of a government data request. Some data sets lend themselves to such guarantees more readily than others, and the sector in which the data is used may make such guarantees harder to give.
Last, the CJEU decision will prompt the European Commission to update the SCCs, which predate the GDPR. This may be a welcome development.
In ruling that the Privacy Shield is invalid, the CJEU called into question U.S. law surrounding government surveillance activities. And those questions exist regardless of whether a data transfer is conducted under Privacy Shield or any of the other data transfer mechanisms provided for in the GDPR. Companies will have to be thoughtful in their approach to data transfers and assess those transfers to ensure a level of protection “essentially equivalent” to that provided under the GDPR.
If you have any questions, please contact Camila Tobón.