The European Court of Justice (ECJ) struck down the Privacy Shield – the legal mechanism that allowed many small and medium sized companies to transfer personal data from the European Union to the United States without violating the European Union’s General Data Protection Regulation (GDPR). This is the second time in five years that the ECJ has upended a major agreement between the U.S. and the E.U. intended to allow companies to transfer personal data from the E.U. to the U.S., and is a major victory for Max Schrems, the European-privacy advocate who brought both cases. Companies based in the United States that currently transfer any personal data from the E.U. to the U.S. must immediately reexamine the legal basis for these transfers and take appropriate steps.
What is Privacy Shield?
The Privacy Shield was an agreement between the United States and the European Union that allowed companies in the U.S. to register with the U.S. Department of Commerce and promise to abide by European data protection rules for personal data brought from the E.U. to the U.S. In return, the registered companies and the U.S. Department of Commerce promised to work with European data protection authorities to enforce the E.U. data protection rules on these companies, even for data in the U.S. Privacy Shield replaced the previous agreement – known as the Safe Harbor – which had been struck down by the ECJ in a 2015 opinion.
Why Was Privacy Shield Struck Down?
Schrems, an Austrian national residing in Austria, lodged a complaint that the transfer of his personal data by Facebook from servers in Ireland to those in the U.S. violates the GDPR because companies in the U.S. are unable to ensure an appropriate level of data protection. The ECJ agreed, ruling that the Privacy Shield, like its predecessor the Safe Harbor, failed to provide E.U.-level protection for Europeans whose data was transferred to the United States. Specifically, the Court cited U.S. national security laws allowing for mass collection of data as its basis for finding that the Privacy Shield provided insufficient protection of the fundamental rights of persons whose data is transferred to the U.S.
Is There Still a Way to Legally Transfer Personal Data from the E.U. to the U.S.?
Yes. The ECJ declined to strike down another legal framework, known as “standard contractual clauses” that many companies – especially large companies – have used as a legal basis for such transfers. Standard contractual clauses are non-negotiable contracts entered into between European and U.S. entities (often sister companies) that require the U.S. company to abide by E.U. data protection laws. These standard form contracts can be found on the E.U. Commission website. Since the contracts are established forms, they are relatively easy to sign – the challenging part of these contracts is their implementation.
What Open Questions Remain?
There are two major open questions for companies currently relying on the Privacy Shield as a legal basis for transferring data between the U.S. and E.U. First, how quickly must companies sign standard contractual clauses or cease transferring data from the E.U. now that Privacy Shield has been invalidated? The E.U. allowed a grace period after the Safe Harbor was struck down in 2015, but as of this writing has not yet announced whether there will be a similar grace period this time, and if so, how long it will be.
The second major question revolves around the validity of the standard contractual clauses – the only legal mechanism left to allow companies to transfer personal data from the E.U. to the U.S. Though the ECJ declined to strike down standard contractual clauses in this opinion, it did warn that the clauses would need to be suspended if data protection authorities believed that they were not providing adequate protection to E.U. data subjects. This pronouncement dovetails with regulators’ ability to review companies’ adherence (or even the ability to adhere in light of U.S. law) to the clauses and strike them down on a case-by-case basis. This very much leaves open the future of the standard contractual clauses for U.S. companies, as the same logic that invalidated the Privacy Shield would seem to apply to U.S. companies that rely on the standard contractual clauses.
What Does My Company Need To Do?
The practical impact of this decision cannot be overstated. If you currently transfer any personal data from the E.U. to the U.S., you must reexamine the legal basis for these transfers. This will likely require, at minimum, signing and implementing the standard contractual clauses, and keeping an eye on future legal developments in the E.U.
