ECJ Invalidated the EU-US Privacy Shield Framework

Epstein Becker & Green
Contact

Epstein Becker & Green

On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:

The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU).  Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework.  The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.

The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers.  Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.  This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.  The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.

Safe Harbor 

European law provides privacy guarantees to its data subjects, and prohibits transfers of data to countries outside the European Union unless those countries offer an “adequate level of protection.” To stipulate to an adequate level of protection, the EU and US entered into an agreement administered by the US Department of Commerce that established the necessary level of protection for cross-border data transfer and established a “Safe Harbor” to support such transfers. Once signed up, a company’s obligations are then enforced by the Federal Trade Commission (FTC). Prior to GDPR, the Safe Harbor framework was established that determined that data protection measures within the United States and EU were roughly equivalent. With the fall of the Safe Harbor provision and the rise of the Privacy Shield and GDPR, a more extensive approach has been formalized in Article 4 which replaces Personal Data with a broader scope: a “data subject” which is one “who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person.” GDPR allows for the transfer of data based on a few mechanisms, including an adequacy decision regarding the sufficiency of data protections of specific regimes or countries, transfers subject to appropriate safeguards, and/or application of binding corporate rules.

Unsafe Harbors in a Heartbeat

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v. Data Protection Commissioner (Case C-362/14) (“Shrems”) which deemed the US Safe Harbor provision invalid. Schrems also brought this new case challenging Privacy Shield.  The ECJ’s decision to revoke the Privacy Shield due to lack of adequate protection leaves companies in a situation very similar to the fall of Safe Harbor. However, standard contractual clauses are still viewed as an appropriate safeguard mechanism for data transfers, which the ECJ upheld as a valid approach.

One ongoing area of tension between the EU and US appears to be that the US views privacy as a matter of commerce while the EU views privacy as a fundamental human right. Due to this discrepancy in viewpoints, it has been argued that neither the Safe Harbor nor Privacy Shield were designed to afford the protections of privacy as a fundamental right in the US in the context of state-sponsored surveillance.  The CJEU did not hold, as a matter of law, that the US lacked an adequate level of protection yet the CJEU did bring up in an earlier Commission Decision held July 26, 2000, that “the Commission did not state in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.” The 2020 decision, however, did finally address this concern and was based on two factors: (i) Privacy Shield does not offer adequate protection in light of the risk of broad disclosure to US intelligence agencies or other public authorities; and (ii) the Privacy Shield Ombudsperson lacks independence and authority to adopt decisions that bind US intelligence services in terms of managing this disclosure risk.

Impact on Company Data Transfers

With the Privacy Shield deemed invalid, EU Data Protection Authorities (DPAs) have the ability to initiate action against American companies on a massive scale.  To reduce risk of such enforcement, companies should undertake several immediate steps, including the following:

  1. Evaluate and monitor the level of enforcement risk if your organization is relying on Privacy Shield.
  2. Consider halting EU-US data transfer to reevaluate the adequacy of the transfer mechanisms on which your organization relies to support such transfers.
  3. Re-evaluate the sufficiency and implementation of alternative transfer mechanisms such as model contracts, standard contractual clauses, binding corporate rules, and/or individual consent.
  4. Monitor guidance coming from EU and US authorities regarding appropriate alternative transfer mechanisms moving forward.

To help navigate the invalidation of the Privacy Shield, it is recommended you consult legal counsel. Specifically, your organization may mitigate risk by revisiting model contracts and standard contractual clauses to determine if they meet GDPR requirements. This will enable your company to ensure adequate protection under EU law and transfer such data using appropriate safeguards that would satisfy the EU DPAs.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Epstein Becker & Green | Attorney Advertising

Written by:

Epstein Becker & Green
Contact
more
less

Epstein Becker & Green on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.