EU Court Decision Invalidating Privacy Shield Results in Massive Confusion for U.S. Businesses

This post has been updated. Read the first addendum here, the second addendum here and the third addendum here.

On July 16, 2020 the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, the safe harbor mechanism that has facilitated the transfer of personal data from the EU to processors in the United States. The Court’s decision has sowed chaos and confusion among companies of all sizes who rely on international data transfers to function efficiently, or at all.

The Privacy Shield was created in 2016 as a replacement for a prior safe harbor mechanism which had been deemed inadequate by the same court. In its July decision the CJEU concluded that the Privacy Shield also failed to assure that the data of EU residents would enjoy protection in the U.S. equivalent to that enjoyed in the EU. The CJEU cited what it perceived as two fundamental problems. The first is the fact that national security and law enforcement interests in the U.S. can take precedence over individual privacy rights (most privacy policies contain a specific exception where data transfer is required by law). Thus companies faced with a U.S. government subpoena to turn over customer data might end up in the position of having to choose whether to defy the subpoena or face the prospect of major fines for violating GDPR requirements. The CJEU press release stated:

In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, …, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

CJEU Press Release, 7/16/20

Secondly, the CJEU found that data subjects do not have an effective legal remedy, concluding that the ombudsman created under the Privacy Shield and housed in the U.S. Department of State

…. does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law…

CJEU Press Release, 7/16/20

As background, GDPR provides several bases for legal transfer of EU personal data to other countries. One is an “adequacy decision;” that is, a determination that the laws of certain countries provide protection to the data subject equivalent to that afforded under EU law. The Privacy Shield agreement between the U.S. and the EU was what allowed the U.S. to receive an “adequacy decision.” The CJEU holding now removes the U.S. from that favored category.

A second mechanism is the use of Standard Contractual Clauses or “SCCs.”  These commonly-used agreements between data controllers and data processors are incorporated into vendor contracts. The validity of SCCs was upheld in the new CJEU decision, subject to due diligence assessments to be made prior to the transfer to assure that adequate safeguards to protect the data are in place in the receiving country. However, SCCs are also problematic because of the issue of U.S. government surveillance rights.

Consent is also a possible basis for data transfer under GDPR, although a problematic one because of the numerous elements required for valid consent. For example, data subjects must be informed in advance of the possible risks of the data transfer.

What is a business to do given the current uncertain situation?  It’s not immediately clear. Privacy law experts believe that a new agreement between the U.S. and EU regulators will be forthcoming at some point, and that an informal grace period may exist in the interim. The Department of Commerce has stated that businesses self-certified under the Privacy Shield mechanism can continue to rely on that, but it is not clear how this will work. Most likely, businesses that relied on the Privacy Shield will need to turn to SCCs as their legal basis for data transfer. That will involve additional due diligence on the part of all parties, as well as detailed record-keeping to document the assessments made and support the conclusion that the transfer complies with GDPR requirements.

The future answer may be a digital cold war of sorts, or, on the other hand, may move the U.S. in the direction of a federal privacy law akin to GDPR. If we can help with any issues related to the new decision, don’t hesitate to contact us.