In a highly anticipated ruling on July 16, 2020, the Court of Justice of the European Union (CJEU) announced the immediate invalidation of the Privacy Shield agreement between the European Union (EU) and the United States (U.S.). Privacy Shield was a trans-Atlantic mechanism that allowed U.S. companies to freely transfer the personal data of European citizens and residents outside of the EU. The CJEU in Luxembourg ruled that the agreement did not comply with European privacy rights and failed to protect the privacy of EU citizens’ data.
As a result, more than 5,300 certified U.S. companies are now forced to adapt their data transfer and privacy policies. Although the court ruled that other data transfer options like standard contractual clauses (SCCs) are still viable, the decision to invalidate Privacy Shield potentially jeopardizes the flow of data across borders and causes significant uncertainty as to what comes next for many companies. In this blog, we’ll take a closer look at the CJEU’s decision to nullify Privacy Shield and what organizations can do now to strengthen the flow of data across borders.
Privacy Shield Background
The U.S.-EU Safe Harbor Framework
Under the EU Data Protection Directive, personal data may only be transferred to a country outside of the EU that provides an “adequate” level of data protection. In 2000, the European Commission and the U.S. government implemented the Safe Harbor framework, an adequacy mechanism under which U.S. companies certified that they met the data protection requirements set forth by the EU.
After 15 years, the CJEU struck down Safe Harbor following complaints by Maximilian Schrems, an Austrian privacy advocate. Schrems alleged that the data privacy rights of EU citizens and residents, as outlined in the Directive and the Charter of Fundamental Rights of the European Union, were not upheld by Facebook when EU citizens’ data was transferred to the U.S. This court case, now referred to as Schrems I, occurred shortly after former NSA contractor Edward Snowden released details on classified U.S. government surveillance programs. Ultimately, the CJEU found that Safe Harbor failed to protect the personal data of EU citizens because the U.S. prioritized national security and public interest over the privacy of personal data.
The U.S.-EU Privacy Shield Framework
After Safe Harbor was ruled invalid, companies needed a way to transfer data between the EU and the U.S. to carry out business operations. To solve this issue, the U.S. Department of Commerce and the European Commission created the Privacy Shield framework in 2016 as a replacement for the failed agreement. Privacy Shield was designed to provide adequate safeguards for the fundamental rights to privacy and data protection for EU citizens and to correct the deficits found in the Safe Harbor agreement.
Under Privacy Shield, U.S. companies committed to seven principles when handling EU-governed personal data:
- Notice: Individuals must be notified about the collection and use of their personal information.
- Choice: Organizations must give individuals the opportunity to opt out of the disclosure of their personal data to third parties.
- Accountability for Onward Transfers: Organizations must apply the notice and choice principles when disclosing personal data to third parties and remain accountable for that data.
- Access: Individuals must be able to access their personal data being stored by an organization.
- Security: Organizations must protect personal data from loss, misuse, unauthorized access, and disclosure.
- Data Integrity: Organizations must ensure data is reliable and relevant for the purpose it is being used.
- Recourse, Enforcement, and Liability: Individuals have the right to affordable recourse mechanisms if they believe their personal data has been misused.
The Invalidation of Privacy Shield
Since Privacy Shield took effect in 2016, privacy rights activists in Europe have been trying to prevent companies from moving personal data to countries lacking a comprehensive data protection standard, like the U.S. Once Safe Harbor was nullified, Maximilian Schrems began to express his concerns regarding standard contractual clauses (SCCs), which are individual legal agreements used as an alternative transfer mechanism for the flow of data between the EU and a third country.
Schrems claimed that SCCs, just like Safe Harbor, did not provide an adequate level of protection for the transfer of data. In 2019, Schrems filed another complaint against Facebook with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Facebook Ireland to Facebook U.S. using SCCs be suspended. He argued that current U.S. surveillance programs prevented his Facebook data from being properly protected. Instead of acting on that complaint alone, the Irish DPC initiated separate proceedings in an attempt to suspend or invalidate the use of SCCs altogether, not just with Facebook.
Although this case, commonly referred to as Schrems II, challenged only SCCs, the CJEU upheld their use, since EU privacy regulators can invalidate them on a case-by-case basis if necessary. However, the court overturned the Privacy Shield agreement because it prioritized the needs of U.S. security over the rights of EU citizens. The court found that U.S. surveillance laws kept U.S. organizations from implementing the same privacy protections as in the EU.
What Happens Now?
According to the IAPP, roughly 60% of companies relied on Privacy Shield to transfer data out of the EU, contributing to a transatlantic trade worth $7.1 trillion. The ruling to invalidate Privacy Shield affects over 5,000 companies, 65% of them small or medium-sized enterprises. While many lawmakers are already seeking to establish a successor framework that adequately protects personal data across borders, it is unclear if or when this will become a reality.
Until that happens, here are a few steps your company can take to ensure personal data transfers continue while still complying with EU data protection requirements.
Adopt standard contractual clauses with caution
Although Privacy Shield was invalidated, SCCs are still permitted for the transfer of EU personal data outside of the EU. However, these clauses are merely a data transfer tool, so organizations must ensure, prior to any data transfers, that there is an adequate level of protection against U.S. government surveillance. The CJEU also emphasized three stakeholder obligations:
- Data exporters are responsible for verifying the importer’s ability to provide an equivalent level of data protection in the third country.
- Data importers must notify exporters if they are unable to comply with the SCCs.
- Data exporters must suspend or terminate the transfer if the importer gives notice that they cannot comply with the SCCs.
Based on these requirements, your organization must decide if it is able to achieve the level of data protection needed to use SCCs. In addition, the CJEU has already confirmed that transfers using SCCs will be highly scrutinized going forward. Utilizing a strong privacy governance tool can help you identify whether your current processes and practices align with the current requirements and determine if SCCs are a viable option.
Increase your understanding of the GDPR's transfer options.
Without Privacy Shield, the GDPR offers a few data transfer mechanisms that constitute appropriate safeguards companies can utilize, including:
- Binding corporate rules (BCRs): BCRs are a set of rules for data transfers and include all general data protection principles and enforceable rights. BCRs often have a costly and lengthy process to gain approval, so they might not be a practical option for some companies.
- Derogations: Data exporters can use derogations when transferring data to a third country in the absence of an adequacy decision, under GDPR Article 49. However, derogations are only intended for specific situations (e.g., fulfilling a contract), so their use is limited.
While these are two potential transfer options under the GDPR, BCRs and derogations have a narrow reach and take significant time and money to implement. Ensuring that you properly understand the restrictions and requirements of both options will help you determine if they will work for your organization.
Continue your compliance and certification efforts with Privacy Shield.
When the Safe Harbor agreement was invalidated, Privacy Shield was enacted only a few months later. While the timeline for a replacement is unknown, the successor will most likely share commonalities with Privacy Shield. Continuing your compliance efforts, even if you are not already certified, can provide a foundation for complying with the new framework in the future.
The U.S. Department of Commerce has expressed that it will also continue to administer the Privacy Shield program, which includes processing self-certifications and recertifications, and stated the CJEU’s decision will not relieve companies from their Privacy Shield obligations. Therefore, if you’re already compliant with the Privacy Shield, responsibilities to uphold the framework have not ceased to exist. In addition, the UK’s Information Commissioner’s Office (ICO) has requested that companies already reliant on Privacy Shield continue business as usual until new guidance is available.
Implement a strong data privacy and governance program.
In order to determine which new data transfer mechanism should replace Privacy Shield, you need to understand how your company collects, stores, uses, and transfers data. Implementing a robust data governance strategy can help your organization build processes and policies for managing data, evaluating third parties, and even monitoring regulatory change. With the help of the NIST Privacy Framework, your organization can improve its approach to using and protecting personal data and determine which data transfer mechanism aligns best with your organization’s business needs.
In addition, one key difference between the U.S. and the EU is how the two jurisdictions view data. The U.S. considers personal data a property right, while the EU views it as a human right. This is a critical difference because U.S. government surveillance programs operate under the Foreign Intelligence Surveillance Act (FISA). Under FISA, surveillance is treated as beginning only when the data is examined, whereas under EU law surveillance starts at the point of collection. Building and maintaining a strong privacy and data governance program can help your organization recognize when the U.S. government is making requests that conflict with EU laws and help you avoid fines and penalties from EU regulators.
Explore EU cloud providers or data centers as a data transfer option.
After Privacy Shield was invalidated, transfers of data between the EU and the U.S. came into question. However, the CJEU’s ruling did not impact a company’s ability to transfer data using an EU-based cloud service (such as the EU regions offered by providers like Microsoft or Google) or an EU data center. Leveraging an EU cloud service or data center to collect, store, and transfer data provides all the assurances of the GDPR, without the risk of noncompliance with EU data protection laws that comes from hosting data in the U.S. While the cost may be higher, the cloud offers a strong solution when SCCs, BCRs, and derogations are not a possibility.
Stay current on updates released by the European Commission.
The European Commission has confirmed it is currently working on updating and modernizing SCCs in order to bring them into alignment with the GDPR, along with creating alternative methods for transferring personal data. However, a timeline for these updates has not been announced. Your company should closely monitor any further developments regarding SCCs or a potential successor to Privacy Shield to guide your next steps.
The dismantling of Privacy Shield, a ruling that left thousands of companies in limbo, highlights the growing importance of proper data protection practices. Organizations once reliant on this framework will need to quickly identify an alternative data transfer mechanism that adequately protects personal data across borders. While we wait for further guidance from EU regulators, taking the proper steps now will ensure your company is ready for future data transfer regulations.
If you’re looking for additional support to help your organization adjust to the changes brought on by the invalidation of Privacy Shield, our data privacy experts are here to help.
Get more insights into the latest privacy news.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.