The Court of Justice of the European Union (CJEU) has ruled that the Privacy Shield arrangement does not offer sufficient protection to EU citizens’ data in light of the requirements arising from the GDPR and has declared the arrangement invalid. The CJEU’s judgment also places serious limitations on the use of Standard Contractual Clauses (SCCs) for the transfer of personal data outside of the EEA.
Under the GDPR, personal data cannot be transferred outside of the EEA unless the destination benefits from a Commission adequacy decision, an appropriate safeguard is in place, or one of the narrow derogations applies. For transfers to the US the two most commonly used mechanisms have been the Privacy Shield (an adequacy decision covering US organisations certified under it) and the SCCs. This judgment therefore gives businesses operating internationally serious cause for concern, and many will need to change the way they operate as a result of it.
Privacy Shield is a mechanism relied on by a large number of businesses to safeguard the flow of personal data from the EEA to the US. This might include businesses with branches in both the US and the EEA and businesses doing business between the US and the EEA.
The CJEU’s judgment
This is the latest ruling in the long-running battle between the Irish Data Protection Commissioner, Facebook Ireland and Austrian privacy activist Max Schrems, in which the lawfulness of Facebook Ireland's transfer of EU citizens' personal data to Facebook Inc. in the United States has been challenged. For background to the case, please see our earlier blog post.
In a press release made on 16 July 2020, the court said “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
It is not the first time the court has struck down a transfer mechanism because of concerns about US surveillance powers. In October 2015, the CJEU invalidated the Safe Harbor arrangement on the grounds that it failed to protect EU citizens' personal data from surveillance by US authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The Privacy Shield arrangement, which was brought in to replace Safe Harbor in 2016, was meant to address those concerns by creating an ombudsperson system to deal with complaints. However, the court found that that system did not ensure "the independence of the ombudsperson" or provide "rules empowering the ombudsperson to adopt decisions that are binding on the US intelligence services", leaving the court with little choice but to invalidate the Privacy Shield arrangement.
Schrems, commenting on the ruling, said that “the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”
Standard Contractual Clauses remain valid
In response to Schrems's reformulated complaint against Facebook Ireland, the Irish High Court also asked the CJEU to examine the validity of the Standard Contractual Clauses. In its decision, the CJEU found nothing to affect the validity of the SCCs, provided that effective mechanisms are incorporated to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses are suspended or prohibited where it is impossible to honour them.
This imposes an obligation on the data exporter and the data importer to verify, prior to any transfer, whether that level of protection is respected in the third country concerned. If the level of protection does not meet that required by EU law, the exporter must suspend or end the transfer, and where the exporter fails to do so the competent supervisory authority is required to suspend or prohibit it.
For the purposes of assessing the adequacy of the level of protection, particular consideration must be given both to the SCCs agreed between the data exporter and importer and, as regards any access by the public authorities of that third country to the personal data transferred, to the relevant aspects of the legal system of that third country. Data transfers to the US which rely on the SCCs are therefore still likely to be caught by the same issues arising from US domestic law, although the court has said that additional safeguards can be put in place to supplement the guarantees contained in the SCCs. Whether those safeguards are adequate will require a case-by-case assessment.
The CJEU's judgment will require the thousands of companies that rely on Privacy Shield to transfer data from the EU to the US either to put in place an alternative mechanism to legitimise the transfer or to suspend all data transfers to the US. SCCs are very likely to be seen as the next best option, usually because they are fairly quick and easy to put in place. However, in light of this decision, businesses will now have to consider whether EU citizens' data is afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, which will require a fact-intensive analysis on a case-by-case basis.
It could be said that the SCCs have actually been strengthened by this decision. Until now the SCCs were often seen as a formality: a document that was simply signed by the parties, put in a drawer and forgotten about. The CJEU's ruling requires organisations to implement these clauses in a way that gives effect to the appropriate safeguards, enforceable rights and effective legal remedies required by the GDPR. How this will be managed in practice, however, remains to be seen.
There will be a lot of development in this space over the next few months and years as the effect of this ruling starts to bite. Be sure to check back here for the latest updates. If you have any questions or would like to discuss the impact of this ruling on the international data transfers that your organisation makes, please get in touch with Nick Phillips or Selina Clifford.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.