As is now widely known, the European Union's top court, the Court of Justice of the European Union (CJEU), invalidated the EU-US Privacy Shield in a landmark decision handed down on July 16, 2020, and further cast doubt on the continued use of standard data protection clauses for the transfer of personal data from the EU to the US. The Court ruled that the United States does not provide legal safeguards, against government surveillance, for the personal data and privacy rights of EU residents that are essentially equivalent to those guaranteed in the EU.
The case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (C-311/18), referred to as Schrems II, is the latest chapter in a years-long legal battle over the conflict between the European Union's privacy laws and government surveillance laws in the United States.
The Privacy Shield was a legal framework established in 2016 that allowed for the transfer of personal data from the EU to the US. US companies self-certified to it, committing to handle EU personal data in line with the EU's data privacy principles even in the absence of any US federal privacy law. It was used by more than 5,300 companies, including Amazon, Google, and Twitter (in addition to Facebook).
The CJEU found that the Privacy Shield did not actually protect the personal data of EU residents from US surveillance laws, because those laws are not limited to what is strictly necessary and proportionate, nor did it give EU residents an effective legal remedy if their privacy rights were violated, since the Privacy Shield Ombudsperson had neither the independence nor the binding powers of a court. The Court therefore concluded that the United States could not ensure a level of protection essentially equivalent to that required by the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union, and declared the Privacy Shield decision invalid.
While the CJEU upheld the validity of using standard data protection clauses in contracts to ensure that personal data transferred outside the EU remains adequately protected, the Court cast doubt on whether any contractual clause can be sufficient on its own in a country whose surveillance laws override the importer's contractual commitments, as in the United States. The Court placed the burden on the data exporter and importer to verify, case by case, whether the clauses can actually be honored in the destination country, and required Data Protection Authorities (DPAs) of the EU to suspend or prohibit a transfer where they find that the clauses relied on do not, or cannot, be complied with and the required protection cannot be ensured by other means. A DPA has no power over a United States surveillance law, but it does have the power to stop the data from flowing. In practice, a contract binds only the two parties to it; it cannot prevent the National Security Agency from compelling the US recipient to hand over data under the far-reaching powers the Court examined, so it remains to be seen how this ruling will affect the transatlantic transfer of data moving forward.
The Court's decision should put both United States companies and lawmakers on high alert, as it made clear that the EU will not bend on the privacy rights afforded to its residents. Companies will have to find a new lawful basis for continuing to receive personal data from the EU, unless a federal privacy law is passed that resolves the concerns the CJEU laid out. The Court's judgment puts pressure on the United States government to limit its surveillance laws targeting non-US persons and to meet the same standards of privacy protection upheld in the EU. Until then, companies may have to set up servers in the EU to process personal data, or stop doing business in the EU. Both options are costly, and EU hosting alone is not a complete answer: a US-controlled provider can still be compelled by US authorities to produce data regardless of where the data is stored.
Not surprisingly, Secretary of Commerce Wilbur Ross expressed his disappointment in the decision to end the Privacy Shield, citing potential damage to the "$7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments."
In the meantime, companies should review their privacy policies and build a clear inventory of the personal data they hold: what it is, where it comes from, where it is stored and processed, and which transfer mechanism (Privacy Shield, standard contractual clauses, or another basis) each EU-to-US flow relies on. By accurately tracking personal data, identifying every flow that depended on the Privacy Shield, and solidifying adherence to the GDPR, companies may be able to continue business as usual while waiting to see what this judgment truly means in practice.