Alerts and Updates

CJEU Declares Privacy Shield Invalid but Upholds Validity of Model Clauses (Sort Of)

July 17, 2020

With over 5,300 organizations registered with Privacy Shield, it has no doubt been relied on as a trusted way to transfer data to the U.S. and ensure compliance with the principles of the GDPR.

Background

A sense of déjà vu descended over the international data transfer landscape on July 16, 2020. In a landmark ruling, the Court of Justice of the European Union (CJEU) announced that Privacy Shield, one of the main mechanisms used by companies to transfer personal data from the EU to the United States, is invalid.

This ruling stemmed from a case involving privacy activist Max Schrems and Facebook.

Mechanisms for Transferring Data Outside of the EU

As a default position, the GDPR restricts the transfer of personal data outside the EU, unless one of the mechanisms that the GDPR provides to enable such transfer is used. One such mechanism is an adequacy decision. If a country outside the EU is on the “white list” (i.e., is deemed by the European Commission to have laws equivalent to the GDPR) then transfers can take place to that country without hindrance.

The U.S. is not regarded by the European Commission as having laws that offer European data subjects the same level of protection as the GDPR, and is therefore not included on the “white list.”

Another mechanism the GDPR provides to ensure the transfer of personal data is the use of standard contractual clauses (SCCs). These are essentially “off the shelf” clauses that have been approved by the European Commission and are commonly built into contracts dealing with international data transfers. One set of these clauses deal with transfers between data controllers whilst the other set deals with transfers between a data controller and a data processor.

These were put in place before the GDPR came into effect (they were introduced under the predecessor law) and are therefore currently being looked at by the European Commission with a view to revision in light of the GDPR.

The SCCs have limitations. For instance, they do no not bind organizations that are not parties to the contract (e.g., regulators and law enforcement agencies in third-party countries). They can also become unwieldy when used as a basis of transfer of personal data between group companies.

A third, less common option (used mainly within groups of companies) is the use of “binding corporate rules.” Binding corporate rules are a framework that typically enables companies within a corporate group to transfer data between each other. They need to be approved by one of the EU privacy regulators. Binding corporate rules are likely to gain popularity, although again they have their limitations.

Another method in the context of transfers between Europe and the U.S. is what is called the “Privacy Shield.” The Privacy Shield is a scheme designed by the U.S. Department of Commerce and the European Commission to enable exports of data to a registered participant. Organizations that signed up to the Privacy Shield were theoretically deemed to have an adequate level of data protection and a transfer of data from the EU could therefore take place to that participant without the need for additional agreements or contracts to be put in place.

It was put together in haste by the two sides when the previous scheme, Safe Harbour, was struck down by Europe’s top court a few years ago. Privacy Shield was supposed to address the inadequacies that the court identified with the Safe Harbour mechanism. In the end, it didn’t prove to be a particularly effective “shield.”

What the Court Decided

Schrems challenged the validity of SCCs in relation to Facebook’s transfer of data from Facebook Ireland to its parent in the U.S. Schrems argued that U.S. national security law did not provide adequate protection for EU citizens whose data was transferred to the U.S.

When considering this, the Irish court referred a number of questions to the CJEU. The CJEU took this opportunity to also review the validity of the EU/U.S. Privacy Shield at the same time.

Strike Down of the Privacy Shield

In essence, the CJEU was of the view that the prominence of national security and law enforcement in the United States, most notably in relation to surveillance, places data protection as secondary. As such, Privacy Shield does not provide the necessary protections to EU citizens whose data is transferred under it.

Additionally, the CJEU stated that the ombudsperson role, which was implemented to deal with complaints from EU citizens, does not guarantee the rights of EU data subjects, lacks independence and does not have any real power.

Position on SCCs

With regards to the SCCs (the original basis of the court proceedings), the CJEU ruled that the standard contractual clauses remain valid but are not bulletproof. If the recipient cannot or does not abide by the SCCs, then the data protection authorities must act and prohibit the transfer of data notwithstanding the presence of the SCCs.

This is not in itself new information, but it does place greater scrutiny on SCCs and their suitability. For the time being at least, SCCs remain an appropriate mechanism for transferring data from the EU to the U.S. However the detail of the judgment raises questions as to whether businesses can rely on SCCs in the context of EU/U.S. data transfers in the longer term.

The implications of this ruling are significant. With over 5,300 organizations registered with Privacy Shield, it has no doubt been relied on as a trusted way to transfer data to the U.S. and ensure compliance with the principles of the GDPR.

Companies currently relying on Privacy Shield as their grounds for transfer will now need to review all relevant contracts to make sure that they include all EU-approved clauses to enable transfers of data from Europe to the U.S. Some of these companies will have included “fall back” mechanisms in their contract to rely upon in the event of invalidation of one of the approved methods of transfer under the GDPR.

Greater scrutiny will also be needed as to whether it is necessary to transfer the data in question from Europe to the United States or whether the processing can take place within the EU.

What Happens Now?

In reality, regulators are unlikely to take immediate action against companies that have relied on Privacy Shield as a sole basis for their data transfers. They are likely to provide a grace period to allow controllers to suspend transfers or put in place an alternative mechanisms (SCCs or binding corporate rules). At the moment, it is impossible to say how long such a period will last.

Subsequently, further difficulties arise as revisions to existing contractual arrangements may then be needed. As mentioned above, we know that the European Commission is working on a modernization of the SCCs in light of GDPR requirements. Once these come into effect, they will need to be woven into a company’s privacy framework.

Whilst particularly significant in the U.S., this ruling also raises several issues once the UK has moved through the Brexit transition, if the UK fails to get an adequacy decision from the EU Commission dealing with transfers of personal data from Europe to the UK. Surveillance and national security laws will no doubt be a bone of contention between the two sides.

Privacy professionals are probably another group that will not look back on 2020 with fond memories.

For More Information

If you have any questions about this Alert, please contact John M. Benjamin, Edward Pickard, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.