In a landmark decision on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the U.S.-E.U. Privacy Shield. This decision is expected to affect more than 5,000 organizations that have relied on the Privacy Shield for the transfer of personal data from the EU to the US.
The decision not only creates uncertainty in day-to-day data transfers from the EU to the US, but also affects US-based businesses engaged in providing services to EU companies. It also places responsibility on many businesses that previously relied on the Privacy Shield to now find another approved mechanism for transferring personal data out of the EU.
For many companies, this will likely mean entering into EU Standard Contractual Clauses (SCCs), a contractual framework approved by the EU according to EU privacy law standards, to govern the transfer of EU data. Even then, the CJEU has called into question whether SCCs appropriately protect transfers of data from the EU to the US.
The Privacy Shield is a framework that allows transfers of personal data from EU to US organizations who have certified and agreed to higher standards of data protection than those required under US data and privacy laws.
The Privacy Shield replaced the previous US-EU Safe Harbor, which was struck down by the CJEU in Maximillian Schrems v. Data Protection Commissioner (2015) for inadequate privacy protection of EU data, largely due to the Safe Harbor’s program that permitted processing of personal data for US law enforcement and national security purposes.
With the Safe Harbor invalidated, the US Department of Commerce and the European Commission eventually adopted the Privacy Shield in 2016 as the successor regime. Companies relying on the Privacy Shield would complete an online self-certification where they would agree to adhere to certain privacy principles when processing EU personal data, including notice, choice, consent and accountability for transfer.
After the adoption of the Privacy Shield, in attempting to reconcile the 2015 Schrems judgment, the Irish courts posed several additional questions to the CJEU regarding the SCCs. The CJEU proceedings to address those questions took an unexpected turn when the CJEU ultimately affirmed the SCCs, but instead invalidated the Privacy Shield.
Implications and Next Steps
With the recent invalidation of the Privacy Shield, any business that deals with data from the EU must reevaluate their data transfer processes, which would most likely include, if not done already, entering into SCCs with vendors and others to govern data transfers.
However, as the CJEU suggested in its ruling, the SCCs are subject to further scrutiny by regulators and that companies should include “additional safeguards” beyond the text of the SCCs to adequately protect data transfers. For example, US companies receiving EU data may wish to directly address the concerns of the CJEU regarding the SCCs, especially with respect to the likelihood that such companies would receive requests to comply with US national security laws. Thus to the extent possible, US companies may wish to provide additional safeguards into their SCCs by representing that they have not and are not likely to receive requests from the US government to comply with certain national security laws, particularly Section 702 of the 2008 Amendment to the Foreign Intelligence Surveillance Act and Executive Order 12333. Companies may also wish to provide additional safeguards to protect against or limit government surveillance in their SCCs.
DISCLAIMER: The subject matter discussed above is constantly evolving and may change on a frequent basis. The information contained in this post is for general education and informational purposes only.