Invalidation of EU-US Privacy Shield Leaves Businesses Scrambling

It is déjà vu all over again for companies that transfer personal data on European residents to the United States. This month, the European Court of Justice (ECJ) invalidated the EU-US Privacy Shield framework, leaving businesses with one less option to accomplish EU-US transfers of personal information. That being said, those interested can rest assured that not all is lost. 

A Bit of Background

Back in 2000, the European Commission adopted the International Safe Harbor Privacy Principles (Safe Harbor), which allowed US companies to comply with the EU's Data Protection Direction so long as they self-certified compliance with seven key privacy principles. Fifteen years later, in 2015, the European Court of Justice (ECJ) declared this Safe Harbor invalid because EU residents lacked sufficient safeguards to protect their privacy under US law, stemming in part from the revelations of Edward Snowden that the US National Security Agency was covertly engaged in mass-spying on American citizens. To get transatlantic data flowing again, the EU and US agreed to a new privacy framework known as the EU-US Privacy Shield, providing EU residents with new legal protections, including the right to force EU-US data exporters to arbitration for alleged privacy violations. And all was well . . . until July 16, 2020.  

In response to a lawsuit filed by the same privacy advocate that invalidated the Safe Harbor, the ECJ invalidated the EU-US Privacy Shield, declaring that it too lacked adequate data protections for EU residents. Of note, under the EU General Data Protection Regulation (GDPR) enacted in 2016, personal data on EU residents may only be transferred outside of the EU if the recipient country ensures adequate privacy safeguard including enforceable rights and effective legal remedies, also known as an “adequacy decision.” And to date, very few countries have been recognized by an adequacy decision (Argentina, Canada, Israel, Japan, New Zealand, and Switzerland among them). 

For its part, the EU-US Privacy Shield was an attempt to achieve an adequacy decision with respect to specific companies without the necessity of actually changing US privacy law. And therein lies the rub: the ECJ reasoned that, as it found in the Safe Harbor case, US law promotes the national security, public interest, and law enforcement interests in personal information over the privacy interests of data subjects. As such, the EU-US Privacy Shield failed to secure the data protection rights of EU residents, and without an adequacy decision, the GDPR prohibited EU data protection authorities from permitting transfers of personal information between the EU and US. 

Except . . . Standard Contractual Clauses (SCCs)

In 2010, the European Commission issued a decision setting forth specific standard contractual clauses that, if incorporated into agreements between EU and US data exporters, would provide adequate safeguards with respect to EU residents. In its decision this month, the ECJ held that these clauses might still be adequate as an alternative to EU-US Privacy Shield, so long as the laws of the recipient country afford a level of protection equivalent to that guaranteed within the EU. The ECJ placed the onus of assessing the adequacy of the recipient country's legal protections on the data exporters and left the issue of enforcement to regional supervisory authorities. For such authorities, already struggling under the weight of GDPR enforcement, it was an unwelcome pronouncement. 

A Path Forward

For companies that had already achieved EU-US Privacy Shield certification, the 2020 invalidation may throw their standard operations and data flows into disarray. Still, two key options remain available to them: (1) amendment of third-party agreements to incorporate SCCs, and/or (2) binding corporate rules (BCRs) that allow multinational corporations to make intra-company transfers of personal data between the EU and US. Unlike SCCs, BCRs require approval from the supervisory authority of the EU member state where the organization operates (which can often take six months or more). 

In light of these changes, businesses that actively transfer personal data between the EU and US should seek advice and counsel as to how best to stabilize their data flows in light of the ECJ's recent decisions. Of course, the cybersecurity and data privacy professionals at Michelman & Robinson are here to help toward that end. 

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.