Déjà Vu All Over Again:
EU High Court Invalidates Privacy Shield For EU–U.S. Data Transfers

Today (July 16) Europe’s highest court, the Court of Justice of the European Union (CJEU), in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) invalidated the EU–U.S. Privacy Shield (Privacy Shield). The Court ruled that the Privacy Shield failed to offer adequate protections for EU personal data transferred to the U.S. The ruling is a stunning development for the thousands of companies that certified to the Privacy Shield over the past four years, sowing confusion about how to legally continue these transfers without exposure to significant legal risk, including potentially hefty General Data Protection Regulation (GDPR) fines.

The GDPR restricts transfers outside of the European Economic Area (EEA) to third countries deemed to lack adequate privacy protections (e.g., the U.S.), unless an appropriate safeguard specified by the GDPR is implemented. The most commonly relied upon safeguards are the Privacy Shield for EEA–U.S. data transfers (which was negotiated by the U.S. and the European Commission (EC) after the CJEU invalidated the Privacy Shield’s predecessor, the U.S.–EU Safe Harbor framework, in Schrems I in 2015), and the EC pre-approved, non-negotiable Standard Contractual Clauses (SCCs). SCCs apply more broadly to transfers of personal data between EU controllers and non-EU controllers and processors. Significantly, the CJEU upheld the SCCs in the same decision.

Background

The CJEU’s decision had its origins in a challenge to Facebook Ireland’s use of the SCCs to legitimize data transfers to its parent company in the U.S. The complainant, Max Schrems, alleged there was no remedy under the SCCs that would allow individuals to vindicate their rights under EU data protection law in relation to the surveillance activities of U.S. intelligence and law enforcement entities. Schrems brought a separate legal challenge against the EU–U.S. Privacy Shield similarly arguing that EEA–U.S. data transfers lacked the same protections.

The Irish Data Protection Commissioner brought proceedings before the High Court in Ireland asking it to refer the question on the validity of the SCCs to the CJEU.

It is worth noting that the CJEU Advocate General advised the CJEU to limit its review of the matter solely to the SCCs, but that if it did decide to rule on the validity of the Privacy Shield, the Advocate General recommended that the CJEU invalidate the Privacy Shield. (You can find our prior alert on the Advocate General’s opinion here.)

The CJEU Decision

By invalidating the Privacy Shield, the CJEU found that the limitations on the protection of EU data transferred to the U.S. and accessed by U.S. intelligence and law enforcement agencies cannot be considered essentially equivalent to the limitations permitted under the GDPR. Specifically, the Court determined that these activities are not “strictly necessary” or “proportionate” uses and individuals are not afforded actionable rights in U.S. courts in relation to the agencies’ surveillance activities. If you are experiencing déjà vu, that would be fair as we have been here; these were the same flaws that the CJEU found to be fatal to the Safe Harbor in Schrems I.

The CJEU also found fault with the Ombudsman — a position that was intended to offer redress to aggrieved EU data subjects. The Court concluded that the Ombudsman lacked independence and the authority to adopt decisions that are binding on the U.S. intelligence services.

What’s Next?

Guidance is still emerging from supervisory authorities. The UK Information Commissioner’s Office (ICO) has advised businesses to continue to comply with the Privacy Shield until further notice, but to refrain from starting to use the Privacy Shield if they are not doing so already. Relatedly, in a statement issued after the ruling, the U.S. Department of Commerce (DOC) expressed “deep disappointment” with the ruling and noted that the DOC is studying the ruling to fully understand its practical impacts. The DOC further stated that it will continue to administer the Privacy Shield framework and maintain the current Privacy Shield list. In the near term the decision is a bombshell for the more than 5,300 companies worldwide who certified to the Privacy Shield while the EC renewed its adequacy finding for the framework after conducting extensive annual reviews. The CJEU decision will also affect numerous EU businesses that rely on the Privacy Shield certification of their U.S. service providers to validly export data to them in the U.S.

With the Privacy Shield suffering the same fate as the Safe Harbor, it is unclear if the EC and the U.S. will return to the table to negotiate a successor to the Privacy Shield (and try to inoculate it from a successful challenge) in the current political climate and given the uncertainties of the outcome of the upcoming U.S. Presidential election. Likewise, any successor to the Privacy Shield will likely face intense scepticism from the business community, which has now seen two export frameworks struck down. It is also unclear if companies will be willing to invest further resources in a Privacy Shield successor unless and until the issues that caused the CJEU to invalidate the Safe Harbor and the Privacy Shield are clearly resolved. Relatedly, while the Swiss data protection authority has not yet commented on the CJEU decision, if faced with a similar challenge it could also potentially align with the CJEU decision and invalidate the Swiss–U.S. Privacy Shield framework, which is based on the same principles and requirements as the EU–U.S. Privacy Shield.

Over the coming weeks, companies will need to assess the availability of alternative transfer mechanisms for their businesses. Thankfully, the CJEU gave the stamp of approval to the SCCs for controller-to-processor cross-border transfers. The importance of this decision cannot be overstated. The three approved forms of SCCs (two versions of controller-to-controller and one version of controller-to-processor) together are the most common mechanisms used by EU controllers to send personal data to recipients based outside the EEA and help facilitate business between the EU and the rest of the world. The SCCs, however, have some notable limitations that mean they will not be a simple replacement for the Privacy Shield for everyone. Importantly, they are not available for EEA-based processors intending to transfer personal data outside the EEA (they can only be relied on by a controller who intends to export personal data) nor are they available for controllers or processors which are based outside the EEA, such as in the U.S. (as they require the data exporter to be based in the EEA). The Commission is aware of these limitations and has plans to release processor-to-sub-processor SCCs. That process must be expedited. The CJEU’s validation of the controller-to-processor SCCs is fundamental to the integrity of the GDPR data transfer regime and may encourage the EC to focus on developing this mechanism further. A word of warning, however: the challenge to the SCCs raised the same issues about U.S. surveillance activities that proved fatal to the Privacy Shield, and the SCCs could be targeted again.

There are other available GDPR mechanisms for non-EEA-based businesses although the alternatives may not be practical for, or available to, all companies.

So what is next for businesses that have certified to the Privacy Shield and are affected by this decision? For now, companies should wait to see what immediate steps the data protection authorities expect businesses to take in relation to EEA–U.S. data transfers. It is possible that a grace period allowing affected businesses to migrate to an alternative solution might be granted. The UK ICO’s statement reflects this approach and it is one we expect many EU regulators will adopt in the immediate aftermath. Regardless, companies should be prepared to implement alternative data transfer mechanisms that reflect EU data protection law protections.

Goodwin’s Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.