The Court of Justice of the European Union (CJEU) Invalidates the EU-U.S. Privacy Shield
On July 16, 2020, the CJEU invalidated the EU-U.S. Privacy Shield (the Privacy Shield) in its decision in Facebook Ireland v. Schrems (Schrems II), holding that the Privacy Shield transfer mechanism does not ensure compliance with the level of protection required by EU law. While the decision is complex, the Court focused on government surveillance practices in the U.S., which the CJEU viewed as unjustly prioritizing national security over the rights and freedoms of European data subjects. In particular, the Court noted that Section 702 of the Foreign Intelligence Surveillance Act and Presidential Policy Directive 28 lacked the requisite protections. Additionally, the CJEU found that the Privacy Shield did not provide European data subjects with actionable rights in court against the U.S. government for violations, and thus lacked the sufficient redress mechanism for EU data subjects that EU law requires. The CJEU further noted that while the Privacy Shield requires the U.S. to appoint an ombudsperson, this individual allegedly lacked the authority to make decisions that are binding on the U.S. government and its intelligence agencies.
U.S. Companies That Rely on the Standard Contractual Clauses Are Now Subject to Further Scrutiny
While the CJEU invalidated the Privacy Shield, the Standard Contractual Clauses (SCCs) remain intact for the moment. Some commentators have already pointed to Schrems II as validating the efficacy of SCCs. However, the decision rejects any remnants of the “sign and forget” mentality with respect to SCCs and reinforces the obligation of data exporters and importers to ensure an adequate level of protection for personal data in the importer’s jurisdiction. Additionally, the Court noted that the exporter and the supervisory authority are required to invalidate a transfer made pursuant to SCCs where adequate protection cannot be guaranteed, which will likely result in further scrutiny of the thousands of SCCs already in place.
U.S. Companies That Rely on the Privacy Shield Must Explore Other Data Transfer Options in Order to Avoid GDPR Violations
For companies previously relying on the Privacy Shield, hope is not lost. Businesses in the EU that export data to the U.S. (including those that work with data processors in the U.S.) can still use SCCs for these transfers. The GDPR (Articles 45 and 49) also provides other transfer mechanisms, including binding corporate rules, explicit consent from data subjects for each transfer, or transfers that are necessary for the performance of a contract with the data subject. Companies that relied on the Privacy Shield as their best option, especially businesses in the U.S. that collect data directly from EU consumers, will likely be revisiting the transfer mechanisms they rejected in favor of the Privacy Shield. Until a replacement for the Privacy Shield is negotiated, these options should be considered to ensure that EU-U.S. data transfers remain compliant with applicable European laws and regulations, including the GDPR.
Will the U.S. Department of Commerce and the EU Commission Negotiate a Replacement for the Privacy Shield?
In reaction to the CJEU’s decision, both U.S. and EU officials have indicated a willingness to negotiate and establish a transfer mechanism to replace the Privacy Shield. After praising the CJEU’s decision, Didier Reynders, European Commissioner for Justice, added that he “will reach out to ... U.S. counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.” Similarly, in reaction to the decision, Wilbur Ross, the U.S. Secretary of Commerce, stated that the Department would work with European officials to “limit the negative consequences to the $7.1 trillion trans-Atlantic economic relationship that is so vital to our respective citizens, companies, and governments.”