On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:
The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU). Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework. The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.
The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers. Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic. This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises. The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.
European law provides privacy guarantees to its data subjects, and prohibits transfers of data to countries outside the European Union unless those countries offer an “adequate level of protection.” To stipulate to an adequate level of protection, the EU and US entered into an agreement administered by the US Department of Commerce that established the necessary level of protection for cross-border data transfer and established a “Safe Harbor” to support such transfers. Once signed up, a company’s obligations are then enforced by the Federal Trade Commission (FTC). Prior to GDPR, the Safe Harbor framework was established that determined that data protection measures within the United States and EU were roughly equivalent. With the fall of the Safe Harbor provision and the rise of the Privacy Shield and GDPR, a more extensive approach has been formalized in Article 4 which replaces Personal Data with a broader scope: a “data subject” which is one “who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person.” GDPR allows for the transfer of data based on a few mechanisms, including an adequacy decision regarding the sufficiency of data protections of specific regimes or countries, transfers subject to appropriate safeguards, and/or application of binding corporate rules.
Unsafe Harbors in a Heartbeat
On October 6, 2015, the Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v. Data Protection Commissioner (Case C-362/14) (“Shrems”) which deemed the US Safe Harbor provision invalid. Schrems also brought this new case challenging Privacy Shield. The ECJ’s decision to revoke the Privacy Shield due to lack of adequate protection leaves companies in a situation very similar to the fall of Safe Harbor. However, standard contractual clauses are still viewed as an appropriate safeguard mechanism for data transfers, which the ECJ upheld as a valid approach.
One ongoing area of tension between the EU and US appears to be that the US views privacy as a matter of commerce while the EU views privacy as a fundamental human right. Due to this discrepancy in viewpoints, it has been argued that neither the Safe Harbor nor Privacy Shield were designed to afford the protections of privacy as a fundamental right in the US in the context of state-sponsored surveillance. The CJEU did not hold, as a matter of law, that the US lacked an adequate level of protection yet the CJEU did bring up in an earlier Commission Decision held July 26, 2000, that “the Commission did not state in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.” The 2020 decision, however, did finally address this concern and was based on two factors: (i) Privacy Shield does not offer adequate protection in light of the risk of broad disclosure to US intelligence agencies or other public authorities; and (ii) the Privacy Shield Ombudsperson lacks independence and authority to adopt decisions that bind US intelligence services in terms of managing this disclosure risk.
Impact on Company Data Transfers
With the Privacy Shield deemed invalid, EU Data Protection Authorities (DPAs) have the ability to initiate action against American companies on a massive scale. To reduce risk of such enforcement, companies should undertake several immediate steps, including the following:
To help navigate the invalidation of the Privacy Shield, it is recommended you consult legal counsel. Specifically, your organization may mitigate risk by revisiting model contracts and standard contractual clauses to determine if they meet GDPR requirements. This will enable your company to ensure adequate protection under EU law and transfer such data using appropriate safeguards that would satisfy the EU DPAs.