
EU Invalidates the EU-US Privacy Shield Framework as a Valid Data Transfer Mechanism


Background

When the General Data Protection Regulation (“GDPR”) was adopted by the EU, one of its features was to impose obligations on organizations outside the EU if they target or collect EU residents’ personal data. If the European Commission deems a country’s legal structure inadequate to protect EU residents’ imported data, companies operating in that country must establish some other basis to lawfully import data.

The EU deems the US “inadequate” due to the deep divide between US laws and the GDPR. Considering this, the European Commission previously approved the adequacy of US companies certified under the EU-US Privacy Shield Framework (“Privacy Shield”) as a mechanism whereby data could be legitimately transferred to the US in spite of the country’s “inadequacy” status. In Decision 2010/87/EU, the European Commission also adopted the Standard Contractual Clauses (SCCs), a contractual framework that was deemed to offer adequate protections. Since then, US companies have relied primarily on the Privacy Shield and the SCCs to legitimize data transfers from the EU.

However, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield program. Ironically, the case, C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (called "Schrems II"), didn’t set out to address the validity of the Privacy Shield, but instead questioned the validity of the SCCs. The Schrems II case originated from the 2015 CJEU decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner ("Schrems I"), which invalidated the Privacy Shield’s predecessor, the US Safe Harbor program.

In Schrems II, the Irish Data Protection Commissioner (“DPC”) investigated a complaint that Schrems filed claiming that the SCCs did not provide an adequate level of protection for the exported personal data of EU citizens. Following the complaint, the Irish DPC concluded that the very nature of US laws on surveillance and intelligence meant there was no redress available for EU citizens whose personal data rights were infringed upon in the US.

The DPC brought proceedings against the defendant, Facebook, in the Irish High Court. On October 3, 2017, the Irish High Court, agreeing with the DPC’s reasoning, referred the matter to the CJEU for a preliminary ruling. The Irish High Court therefore asked the CJEU to weigh in and rule on the validity of the SCCs. Specifically, the Irish DPC asked the CJEU to determine whether US legislation ensures the adequate protection of EU citizens’ imported personal data, and whether using the SCCs offered sufficient safeguards for the protection of EU citizens’ freedoms and fundamental rights.

CJEU Followed Advocate General's Opinion

Generally speaking, the CJEU confirmed that the SCCs provide appropriate safeguards for international transfers of personal data. The Irish High Court said that the SCCs were compatible with the Charter since data controllers and supervisory authorities are obliged to suspend or prohibit data transfers when there is a conflict between the obligations of the SCCs and the laws of a third country.

However, the CJEU stressed that data controllers established in the EU need to consider not only the international data transfer agreements based on the SCCs agreed between them and the data importer established in the third country, but also the relevant aspects of the data importer's legal system, in particular any access by public authorities to the transferred data. In countries where the relevant legal system does not provide inviolable protection of EU citizens’ data, data controllers are required to terminate such data transfers unless they implement additional protections.

The CJEU went further, finding that the Privacy Shield program did not provide such inviolable protection because it didn’t ensure the protection of EU personal data from access and use by US public authorities on the basis of US law. The CJEU therefore invalidated the Privacy Shield effective immediately.

What the New CJEU Ruling Means for US Companies

Has your company been collecting personal data of employees, clients, prospects, web visitors, and so on from the EU? If yes, it’s crucial that you consider the following:

  1. Review your vendor and customer agreements to determine whether any data you control or process on behalf of third parties is being transferred to the US in reliance on the Privacy Shield. For example, do you have customers in the EU for whom you provide services in the US? Do you use a third-party cloud service provider, such as Amazon, to store or process customer data?

  2. Do your contracts rely only on the Privacy Shield, or have you also executed the SCCs for particular vendors or customers? In this case, one solution is to amend your contracts to rely instead on the SCCs. However, before you do that, be sure to assess the company’s ability to comply with the terms of the SCCs. Furthermore, there may be enhanced scrutiny of the SCCs in the future.

  3. Binding Corporate Rules are one alternative transfer mechanism but are not commonly used because they are expensive and time-consuming to implement. You could instead look for derogations (exemptions) that apply to your situation, such as consent. However, many derogations are not particularly reliable in the long term.

Companies that are Privacy Shield-certified are still obligated to comply with the Privacy Shield Framework, notwithstanding the Schrems II decision. Personal data previously imported to the US in reliance on the Privacy Shield will keep the same protections, even though the EU will not recognize future transfers of data as valid unless a different transfer mechanism is in place. For now, ensure that you and your vendors implement alternative data transfer mechanisms as soon as possible.

To be proactive and ready to anticipate future changes, we recommend that you develop standard inquiries to use whenever data transfers occur. For example:

  • When you handle global data, where does the data originate, and which country will receive the data? Will it be stored in data centers in third-party countries?

  • Could public authorities in that country be entitled to access the data? Is there a reason that public authorities would want access to the data, or is it of a nature that has no national interest?

  • Do the receiving country’s laws place limits on the access it has?

  • Does the country provide a mechanism by which data subjects can seek judicial remedy if needed?

Finally, whatever remediation steps you take, make sure your privacy notices, practices, and website are up to date, relevant, and adequately reflect your privacy practices.

Authors: Diana Maier, Partner, and Kellie Delaney, Of Counsel.

The Maier Law Group is a boutique employment and data privacy firm that specializes in conducting workplace investigations, providing executive coaching, training employees, mediating both courtroom and workplace disputes (between two conflicting employees), and advising and counseling employers on HR and data privacy issues.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly at info@maierlawgroup.com.