European Court of Justice Invalidates Privacy Shield, Upends Cross-Border Transfers
On Thursday, July 16, 2020, the European Union's top court issued a landmark ruling that will immediately transform how companies can lawfully transfer EU personal data to the United States.
The court invalidated the EU-U.S. Privacy Shield, one of the most common mechanisms used by U.S. companies in connection with cross-border data transfers. The decision reaffirms the validity of standard contractual clauses—another common cross-border transfer mechanism—but reiterates their limitations in a manner that could pave the way for additional complications for U.S. companies in the future.
Privacy Shield Declared "Invalid"
The Privacy Shield, established in 2016 as a successor to the invalidated Safe Harbor principles, created a framework that allowed the transfer of personal data from the EU to the U.S., where the receiving company self-certified its compliance with certain data-protection measures. It was negotiated to provide an easier, faster way for U.S. companies to comply with EU cross-border transfer restrictions (now found in the GDPR) despite the U.S.'s inadequate legal protections for the privacy of EU residents.
The CJEU's decision dismantles the Privacy Shield framework, essentially because the U.S. has not upheld its end of the bargain. The court invalidated the European Commission's adequacy decision approving the Privacy Shield on the grounds that the U.S. "does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law." It specifically cites the lack of independence of the ombudsperson charged with handling complaints about U.S. compliance, as well as the ombudsperson's inability to bind or restrict U.S. intelligence services in their use of EU personal data.
This is the second negotiated cross-border shortcut invalidated by the CJEU, and the court's rationale makes it unlikely a replacement framework will be negotiated any time soon.
Standard Contractual Clauses Prohibited When "Impossible to Honour"
In the same opinion, the EU court upheld the validity of the European Commission's decision approving standard contractual clauses, another cross-border transfer mechanism relied on by many U.S. companies. However, the opinion cautions that SCCs are valid only to the extent they ensure "compliance with the level of protection required by EU law" and reminds data exporters and recipients of their obligation to verify "whether that level of protection is respected in the third country concerned." The court further cautioned that "transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them."
Taken together with the court's commentary on U.S. surveillance programs, these cautions suggest standard contractual clauses could be found to be insufficient, on a case-by-case basis, to permit lawful transfers of data into the U.S.
Things are going to get complicated.
The top priority for U.S. companies will be to immediately cease any reliance on the Privacy Shield framework. That may include the following:
Companies relying on the Privacy Shield framework to meet the GDPR's cross-border rules should immediately turn to another method of compliance;
Companies that have service providers relying on the Privacy Shield should immediately require those service providers to adopt another method of compliance; and
Data-protection addenda and other agreements that hinge on Privacy Shield compliance should be amended.
Other cross-border transfer mechanisms include:
Adopting standard contractual clauses for transfers to or from third parties (these remain valid, but it would be prudent to expect future challenges);
Adopting binding corporate rules for transfers within a corporate group; and
Evaluating the application of "derogations," or exceptions, such as data-subject consent, or whether the transfer is necessary for the performance of a contract with the data subject.
Companies should promptly consult with their legal counsel to evaluate which transfer mechanism will be appropriate and to determine how best to handle service provider agreements that may now be outdated.
Looking further ahead, the U.S. will not overhaul its privacy regulations any time soon, nor is it likely to suspend or substantially alter its surveillance programs. Consequently, the Privacy Shield is not likely to be replaced by a similar U.S.-friendly shortcut to cross-border transfers. In addition, it would be prudent to expect future challenges to transfers of personal data to the U.S. that rely solely on standard contractual clauses.
In reality, the EU court's decision likely means many thousands of companies will not be in compliance with the GDPR's cross-border transfer rules. How the EU data-protection authorities conduct their enforcement efforts in the aftermath of today's decision remains an open question, but U.S. companies should pay close attention to better understand the risks ahead.