September 24, 2020

Volume X, Number 268

Major Blow for US Businesses That Process EU Personal Data: ECJ Strikes Down Privacy Shield

On July 16, 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield (Privacy Shield), an important program that provided US businesses with a legal mechanism for transferring personal data from the EU to the US in compliance with the General Data Protection Regulation (GDPR). This new ruling has major implications for US businesses that have depended on Privacy Shield to process EU personal data. Those businesses must now re-evaluate and leverage a different legal mechanism to transfer personal data into the US.

The US Department of Commerce designed Privacy Shield in conjunction with the European Commission, which in July 2016 determined the program adequately protected EU personal data and therefore approved it. Privacy Shield enabled US-based organizations to both self-certify and publicly commit to compliance with the program’s requirements and, in exchange, receive assurance that their transfer of EU data would comply with EU law. However, by joining the Privacy Shield program, US businesses committed to the US government’s enforcement of the program. In other words, although the US does not have nationally-applicable standards that reach the same level as Privacy Shield, any businesses joining the program agreed that US authorities could punish them for breaching the program’s requirements.

Despite Privacy Shield’s heightened requirements, including the requirement that businesses voluntarily subject themselves to US enforcement, the program was successful: more than 5,000 businesses joined, including social media giants Facebook and Twitter. Additionally, many large European businesses, such as Eaton Corporation, Ingersoll-Rand and SAP, joined primarily to ensure that their transfers of human resource data were protected. But adoption wasn’t limited to large multinationals, as approximately 65 percent of participants are considered small to medium enterprises and 41 percent have revenue below $5 million.

The ECJ, however, just threw a wrench into the plans of any business relying on Privacy Shield for protection. In Schrems II (the “II” being necessary because an earlier Schrems decision struck down a previous EU/US cooperation program called “Safe Harbor”), the ECJ decided that US national security and law enforcement requirements—essentially, government surveillance, with Section 702 of FISA being of particular concern (FNs 54-58)—interfere with the fundamental rights of EU citizens whose data is transferred to the US. Specifically, the ECJ found that EU citizens did not have the required legal recourse in the US for a violation of their rights under GDPR. The US Secretary of Commerce, Wilbur Ross, issued a statement that the US Department of Commerce would continue to enforce Privacy Shield obligations despite the ruling. He also indicated that the Department of Commerce would work with the European Commission and European Data Protection Board to limit negative impacts on US businesses.

Additionally, the ECJ upheld the validity of the Standard Contractual Clauses (SCCs) as a legal method for transferring personal data. The SCCs are non-negotiable legal contracts created by the EU to allow for the transfer of personal data to countries without an adequacy decision. While some businesses praised the ECJ’s decision to uphold the SCCs, others are concerned that the ECJ laid the groundwork for a future conclusion that the SCCs will not work with US businesses. The ECJ questioned whether businesses could comply with the SCCs’ provisions if the business was subject to laws inconsistent with the GDPR. The ECJ stated that controllers must determine on a case-by-case basis whether a processor can meet the requirements of the SCCs considering the level of protection afforded to data in the processor’s country. The ECJ stated that parties to the SCCs could potentially agree to additional protections above and beyond the SCCs but did not outline what those additional protections would be.

This decision has immediate ramifications for any US business that processes EU personal data pursuant to Privacy Shield and may have future impacts on US businesses relying on the SCCs if controllers determine that US processors cannot comply with the SCCs due to applicable law. Because Privacy Shield no longer provides a legal method for transferring personal data to the US, data controllers now have a legal obligation to suspend personal data transfers that do not comply with EU law. If your business processes EU personal data, you should immediately:

  • Ensure that your data transfers and processing comply with GDPR requirements

  • Implement another legal method for transferring personal data from the EU, such as the SCCs, Binding Corporate Rules or consent

  • Before ceasing to comply with the Privacy Shield requirements, ensure that you follow all necessary guidelines for withdrawing

Copyright © 2020 Godfrey & Kahn S.C. National Law Review, Volume X, Number 203



About this Author

Sarah A. Sargent Associate Milwaukee Cybersecurity Practice Group, Technology & Digital Business Practice Group
Associate

Sarah Sargent is a member of the Data Privacy & Cybersecurity Practice Group and Technology & Digital Business Practice Group. She holds the CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, allowing her to draw from both domestic and international best practices when it comes to questions of data privacy.

Sarah’s practice focuses on assisting clients in implementing innovative technology and finding practical business solutions for privacy compliance. She counsels clients on privacy compliance with a variety of state, federal,...

414-28-9450
Zachary R. Willenbrink Litigation Attorney Godfrey & Kahn Milwaukee, WI
Associate

Zach Willenbrink is a member of Godfrey & Kahn’s Litigation Practice Group in the firm’s Milwaukee office.

Zach represents clients in many types of litigation, primarily those involving complex commercial, intellectual property, insurance trade practices, international law, and media and entertainment issues, as well as in appeals. He enjoys untangling complex legal and factual issues, in order to understand what is truly in dispute and working toward the best resolution possible. A former member and songwriter in several touring bands, Zach tries to approach disputes creatively in writing briefs, approaching settlement and working toward favorable outcomes at trial and on appeal.

Additionally, Zach accepts a variety of pro bono legal matters, including representation of state prisoners in civil rights appeals to the Seventh Circuit and work with the Eviction Defense Project in Milwaukee County Circuit Court.

Prior to joining Godfrey & Kahn, Zach spent more than four years as a law clerk with Judge J.P. Stadtmueller of the Eastern District of Wisconsin. Before that, Zach graduated magna cum laude from Marquette University Law School. At Marquette, Zach was co-president of the Public Interest Law Society and Marquette’s chapter of the American Constitution Society. He served as a research assistant to Senator Russ Feingold and Dean Joseph Kearney, interned with Judge Lynn Adelman of the Eastern District of Wisconsin and volunteered with Marquette’s Volunteer Income Tax Assistance program.

414.287.9463