In a highly anticipated ruling on July 16, 2020, the Court of Justice of the European Union (CJEU) announced the immediate invalidation of the Privacy Shield agreement between the European Union (EU) and the United States (U.S.). Privacy Shield was a trans-Atlantic mechanism that allowed U.S. companies to freely transfer the personal data of European citizens and residents outside of the EU. The CJEU in Luxembourg ruled that the agreement did not comply with European privacy rights and failed to protect the privacy of its citizens’ data.
As a result, more than 5,300 certified U.S. companies are now forced to adapt their data transfer and privacy policies. Although the court ruled that other data transfer options like standard contractual clauses (SCCs) are still viable, the decision to invalidate Privacy Shield potentially jeopardizes the flow of data across borders and causes significant uncertainty as to what comes next for many companies. In this blog, we’ll take a closer look at the CJEU’s decision to nullify Privacy Shield and what organizations can do now to strengthen the flow of data across borders.
Under the EU Data Protection Directive, transfers of personal data to any country outside of the EU are required to provide an “adequate” level of data protection. In 2000, the European Commission and the U.S. government implemented the Safe Harbour framework, an adequacy mechanism that certifies U.S. companies meet the data protection requirements set forth by the EU.
After 15 years, the CJEU dismantled Safe Harbour following complaints by Maximilian Schrems, an Austrian privacy advocate. Schrems alleged that the data privacy rights of EU citizens and residents, as outlined in the Directive and the Charter of Fundamental Rights of the European Union, were not upheld by Facebook when EU citizens’ data was transferred to the U.S. This court case, now referred to as Schrems I, occurred shortly after former NSA contractor Edward Snowden released details on classified U.S. government surveillance programs. Ultimately, the CJEU found that Safe Harbour failed to protect the personal data of EU citizens since the U.S. prioritized national security and public interest over the privacy of personal data.
After Safe Harbour was ruled invalid, companies needed a way to transfer data between the EU and the U.S. to carry out business operations. To solve this issue, the U.S. Department of Commerce and the European Commission created the Privacy Shield framework in 2016 as a replacement for the failed agreement. Privacy Shield was designed to provide adequate safeguards for the fundamental rights to privacy and data protection for EU citizens and correct the deficits found in the Safe Harbour agreement.
Under Privacy Shield, U.S. companies guaranteed that they would meet seven principles when handling EU-governed personal data, which included:
Since Privacy Shield took effect in 2016, privacy rights activists in Europe have been trying to prevent companies from moving personal data to countries lacking a comprehensive data protection standard, like the U.S. Once Safe Harbour was nullified, Maximilian Schrems began to express his concerns regarding standard contractual clauses (SCCs), which are individual legal agreements used as an alternative transfer mechanism for the flow of data between the EU and a third country.
Schrems claimed that SCCs, like Safe Harbour before them, did not provide an adequate level of protection for the transfer of data. In 2019, Schrems filed another complaint against Facebook with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Facebook Ireland to Facebook U.S. using SCCs be suspended. He argued that current U.S. surveillance programs prevented his Facebook data from being properly protected. Instead, the Irish DPC filed a separate indictment in an attempt to suspend or invalidate the use of SCCs altogether, not just with Facebook.
Although this case, commonly referred to as Schrems II, challenged only SCCs, the CJEU upheld their use, since EU privacy regulators can invalidate them on a case-by-case basis if necessary. However, the court overturned the Privacy Shield agreement because it prioritized the needs of U.S. security over the rights of EU citizens. The court found that U.S. surveillance laws kept U.S. organizations from implementing the same privacy protections as in the EU.
According to the IAPP, roughly 60% of companies relied on Privacy Shield to transfer data out of the EU, contributing to a transatlantic trade worth $7.1 trillion. The ruling to invalidate Privacy Shield affects over 5,000 companies, 65% of them small or medium-sized enterprises. While many lawmakers are already seeking to establish a successor framework that adequately protects personal data across borders, it is unclear if or when this will become a reality.
Until that happens, here are a few steps your company can take to ensure personal data transfers continue while still complying with EU data protection requirements.
Although Privacy Shield was invalidated, SCCs are still permitted for the transfer of EU personal data outside of the EU. However, these clauses are merely a data transfer tool, so organizations must ensure, prior to any data transfers, that there is an adequate level of protection against U.S. government surveillance. The CJEU also emphasized three stakeholder obligations:
Based on these requirements, your organization must decide if it is able to achieve the level of data protection needed to use SCCs. In addition, the CJEU has already confirmed that transfers using SCCs will be highly scrutinized going forward. Utilizing a strong privacy governance tool can help you identify whether your current processes and practices align with the current requirements and determine if SCCs are a viable option.
Without Privacy Shield, the GDPR offers a few data transfer mechanisms that constitute appropriate safeguards companies can utilize, including:
While these are two potential transfer options under the GDPR, BCRs and derogations have a narrow reach and take significant time and money to implement. Ensuring that you properly understand the restrictions and requirements of both options will help you determine if they will work for your organization.
When the Safe Harbour agreement was invalidated, Privacy Shield was enacted only a few months later. While the timeline for a replacement is unknown, the successor will most likely share commonalities with Privacy Shield. Continuing your compliance efforts, if you are not already certified, can provide a foundation for complying with the new framework in the future.
The U.S. Department of Commerce has stated that it will continue to administer the Privacy Shield program, including processing self-certifications and recertifications, and that the CJEU’s decision does not relieve companies of their Privacy Shield obligations. Therefore, if you’re already compliant with Privacy Shield, your responsibilities to uphold the framework have not ceased to exist. In addition, the UK’s Information Commissioner’s Office (ICO) has requested that companies already reliant on Privacy Shield continue business as usual until new guidance is available.
In order to determine which new data transfer mechanism should replace Privacy Shield, you need to understand how your company collects, stores, uses, and transfers data. Implementing a robust data governance strategy can help your organization build processes and policies for managing data, evaluating third parties, and even monitoring regulatory change. With the help of the NIST Privacy Framework, your organization can improve its approach to using and protecting personal data and determine which data transfer mechanism aligns best with your organization’s business needs.
In addition, one key difference between the U.S. and the EU is how the two jurisdictions view data. The U.S. considers personal data a property right, while the EU views it as a human right. This is a critical difference because U.S. government surveillance programs operate under the Foreign Intelligence Surveillance Act (FISA). Under FISA, surveillance is treated as beginning only when the data is examined, whereas the EU considers surveillance to start at the point of collection. Building and maintaining a strong privacy and data governance program can help your organization recognize when the U.S. government is making requests that conflict with EU laws and help you avoid fines and penalties from EU regulators.
After Privacy Shield was invalidated, transfers of data between the EU and the U.S. came into question. However, the CJEU’s ruling did not impact a company’s ability to transfer data using an EU cloud service provider, like Microsoft or Google, or an EU data center. Leveraging an EU cloud service or data center to collect, store, and transfer data provides all the assurances of the GDPR, without the risk of noncompliance with EU data protection laws that comes from hosting data in the U.S. While the cost may be higher, the cloud offers a strong solution when SCCs, BCRs, and derogations are not a possibility.
The European Commission has confirmed it is currently working on updating and modernizing SCCs in order to bring them into alignment with the GDPR, along with creating alternative methods for transferring personal data. However, a timeline for these updates has not been announced. Your company should closely monitor any further developments regarding SCCs or a potential successor to Privacy Shield to guide your next steps.
The dismantling of Privacy Shield, a ruling that left thousands of companies in limbo, highlights the growing importance of proper data protection practices. Organizations once reliant on this framework will need to quickly identify an alternative data transfer mechanism that adequately protects personal data across borders. While we wait for further guidance from EU regulators, taking the proper steps now will ensure your company is ready for future data transfer regulations.
If you’re looking for additional support to help your organization adjust to the changes brought on by the invalidation of Privacy Shield, our data privacy experts are here to help.