EU court invalidates Privacy Shield data transfer agreement

US companies receiving EU personal data under Privacy Shield will need to find a replacement legal mechanism, and the decision could affect data protection policies and procedures.


The Court of Justice of the European Union (CJEU) has invalidated the US-EU Privacy Shield Agreement. The agreement, under which US companies agreed to adhere to EU standards on data protection and privacy in return for being able to receive personal data from the EU, has been struck down on the grounds that the US legal system doesn’t provide adequate protection to personal data, especially when it comes to state surveillance.

US companies receiving personal data from the EU will now need to find an alternative legal mechanism for receiving data or they will be breaking the law and face potential sanctions under the EU’s General Data Protection Regulation (GDPR).

Privacy Shield goes the way of Safe Harbor

Privacy Shield was set up after its predecessor, Safe Harbor, was brought down after a legal challenge from privacy activist Max Schrems. Privacy Shield was challenged because, like Safe Harbor, it didn’t offer enough protections to EU citizen data from US surveillance laws.

The CJEU ruled that data protections in the US are not equivalent to those required under EU law because of the “limitations on the protection of personal data” along with access to and use of personal data by US public authorities that does not satisfy those requirements. The CJEU ruled the current system did not provide data subjects actionable rights before the courts against the US authorities and so should be invalidated.

“This was an unexpected result. For businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes,” says Bridget Treacy, data privacy partner at law firm Hunton Andrews Kurth. “Businesses that relied upon the Privacy Shield will need to assess whether they can utilize SCCs as an alternative data transfer mechanism, but with more proactive scrutiny of the data transfers than previously.”

“EU regulators will need to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements to the Shield in order to continue to lawfully transfer personal data from the EU to the US. Businesses will expect urgent guidance from regulators on transition arrangements,” Treacy adds.

Around 5,000 companies in the US are signed up to the Privacy Shield agreement. According to IAPP research, approximately 60% of companies transferring data out of the EU use Privacy Shield, and around 250 European-based companies are participating in the Privacy Shield program.

“Today’s decision is nothing short of irresponsible,” says Eline Chivot, senior policy analyst at ITIF's Center for Data Innovation. “It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”

Standard contractual clauses remain

The court did rule, however, that standard contractual clauses (SCCs) remain valid. These standardized templates of data protection requirements will be the most likely replacement option for companies affected. Over 80% of companies transferring data out of the EU rely on SCCs, according to IAPP.

The CJEU ruling noted that assessment of SCC agreements must not only consider the protections guaranteed in the contract, but also the potential for access by authorities of the destination country and the legal system of that third country. It also stated that Data Protection Authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where SCCs are not or cannot be complied with in that country and the protection required by EU law cannot be ensured. 

This leaves companies open to the possibility that local DPAs might invalidate specific SCCs if they feel data could be subject to local surveillance laws that affect EU citizens, and companies subject to surveillance laws such as FISA 702 in the US – Facebook for example – may see their SCCs blocked. DPAs have always had the power to invalidate SCCs, but the new ruling will compel them to use that mechanism. It is also currently unclear how DPAs will be required to make such assessments of the surveillance regimes of other countries.

“SCCs, commonly utilized for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators,” says Treacy. “Transfers of personal data from the EU to the US will require particular care given comments made by the Court about US surveillance.”

Binding corporate rules remain unaffected but are costly and require a lengthy process to put in place and regulatory approval. They are likely an impractical option for all but the largest companies.

Even with the fall of Privacy Shield and where no SCCs are in place, personal data can be transferred where “necessary” – for example via an email from the data subject or when booking hotels in destination countries – or where the data subject is providing clear consent for a company to move data over to the US. This ruling is most likely to affect companies that pass data from an entity in the EU to the parent company outside the region or to a third party that hosts or processes the data outside the Union.

Ruling means more compliance burdens for CISOs

Companies that were reliant on Privacy Shield will likely have to look toward SCCs to ensure they have a legal way to send personal data from the EU to the US. Where Privacy Shield was a single set of compliance requirements for all personal data, SCCs are specific to each data flow, meaning a single organization can have dozens or even hundreds of SCCs in place. There are multiple SCC templates, which gives room for manoeuvre within them.

The data protection requirements between Privacy Shield and SCCs will likely be similar. As blanket coverage will now be replaced with multiple agreements, there is an increased burden of ensuring each data flow is compliant.

CISOs should work with their data protection officers (DPOs) and legal department to understand data flows across the company and any data protection demands from SCCs that deviate from those previously in place under Privacy Shield, and to ensure that compliance with each is documented in case it is challenged.

Where possible it may be beneficial to reassess what data is received from the EU and where it may make more sense for it to remain within the EU territory in order to reduce compliance burdens.

“Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an ‘adequate level of protection,’” advises David Dumont, data privacy partner at Hunton Andrews Kurth. “This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available.”

“Most businesses are not readily able to make those assessments. If a recipient is not able to provide an ‘adequate level of protection’, EU businesses are required to suspend those data transfers, failing which a regulator may do so. Urgent guidance will be required from data protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs,” Dumont adds.

Nader Henein, fellow and information privacy and research director for Data Protection and Privacy at Gartner, says that many EU-based organizations will have to go through the Privacy Shield list to see which of their vendors use the agreement to receive data from the EU, and go through contracts to see if they rely on SCCs as well. If not, those organizations will have to put SCCs in place, and there may have to be a suspension of services for a time while those agreements are being made.

“If any of those companies [on the Privacy Shield list] serve you then that's a red flag, because potentially they're doing it exclusively rather than in conjunction with standard contractual clauses,” Henein says. “If they rely exclusively on Privacy Shield, they have a mountain of paperwork to go through. The controls might not need to change, but before signing contracts legal will have to go over it.”

In the short term he recommends switching to SCCs where applicable and considering signing BCRs in the long term. And for companies that were reliant on Privacy Shield and may face issues with SCCs due to any surveillance concerns, Henein says those organizations should keep their data in European servers or in another country that has adequacy.

Will there be a Privacy Shield/Safe Harbor 3?

Cordery Compliance says there is likely a plan for a replacement framework in the works. However, while it might be a quicker fix than establishing SCCs, it might be an unstable agreement. Cordery notes that whatever form a third instance of Privacy Shield/Safe Harbor takes, it would be unlikely to survive for long before being challenged in court.

Even if the agreement had survived this ruling, it was facing another challenge from the La Quadrature du Net privacy activism group in France. Unless US surveillance laws are reformed to protect EU citizen data and end authorities’ access to personal data without individual judicial approval or redress options for non-US data subjects, whatever replaces Privacy Shield will likely be challenged again by these groups.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law,” said Schrems in a statement. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Copyright © 2020 IDG Communications, Inc.
