ECJ Invalidates the EU-US Privacy Shield as Adequate Transfer Mechanism
In a ruling issued on July 16, 2020, the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield – a primary mechanism available to companies exporting personal data from the European Economic Area (EEA) to the United States.
The General Data Protection Regulation (GDPR) – the European Union’s wide-ranging data privacy law – generally limits the transfer of personal data to countries outside the EEA that employ equivalent safeguards and data protection measures. Countries, like the U.S., that do not have sufficient safeguards in the eyes of the EU, must instead utilize one of a limited set of mechanisms permitted under the GDPR, which, until today, included the EU-U.S. Privacy Shield.
Max Schrems, an Austrian privacy activist, had challenged the agreement, as well as the EU-approved Standard Contractual Clauses (SCCs), arguing that US national security laws did not protect EU citizens from government snooping. The ECJ agreed as it relates to the EU-U.S. Privacy Shield, but not the SCCs for now.
The ECJ found that "the requirements of U.S. national security, public interest, and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country", and that the mechanisms in the EU-U.S. Privacy Shield seemingly intended to mitigate this interference are not up to the required legal standard of "essential equivalence" with EU law.
Schrems has called it a win for privacy, stating that "the U.S. will have to seriously change their surveillance laws if U.S. companies want to continue to play a role in the EU market.”
In the wake of the ruling, the United States Department of Commerce announced it was "deeply disappointed" by the decision, which it believed could have negative consequences on transatlantic commerce. The Department also stated that it will continue to administer the Privacy Shield program, adding “[t]oday’s decision does not relieve participating organizations of their Privacy Shield obligations.”
According to the University College London’s European Institute, the EU-U.S. Privacy Shield system "underpins transatlantic digital trade" for thousands of companies in both the EU and the U.S. These companies will have to use an alternative transfer mechanism, like the SCCs, for the international transfer of data to the U.S. The ECJ warned that the SCCs should be monitored and suspended if the guarantees in them are not upheld.
The ECJ’s ruling is being identified as another step in a seeming "privacy trade war" between the U.S. and Europe, with Europe taking the position that their data protection standards are superior to those in the U.S. Companies can expect that, at minimum, the SCCs will be much more closely scrutinized, and more likely, the ECJ’s warning means more challenges for U.S. companies. The search for legal certainty surrounding global data transfer mechanisms and compliance with international data privacy law continues for many companies under the ECJ’s decision.
For more information on this ruling, contact the authors of this post. Subscribe to this blog to receive notifications when new posts are up.