EU-US Privacy Shield canceled by EU Supreme Court: What it means
The European Court of Justice (ECJ) declared the "EU-US Privacy Shield" to be ineffective but confirmed the validity of "Standard Contractual Clauses".
On 16 July 2020 in its ruling C-311/18 (1), the European Court of Justice (ECJ) declared the "EU-US Privacy Shield" to be ineffective. We’re surprised by the relative silence surrounding the decision, given the potentially big impact on businesses. Therefore, we break down the decision and its impact in this article with a specific focus on the businesses who stand to be impacted the most, namely, any business that provides or utilizes online tools that in some way deal with personal data of EU citizens.
What is the Privacy Shield and why was it canceled?
The “Privacy Shield” was an agreement between the European Union and the United States of America that allowed businesses to share citizens’ personal data across the two continents. It is in fact the second iteration of such an agreement. The predecessor, “Safe Harbour” agreement, was ruled illegal by the ECJ in 2015 after Austrian privacy activist Maximiliam Schrems lodged a complaint against Facebook and the Irish Data Protection Agency. Schrems' complaint focused on prohibiting Facebook Ireland to process his information on servers located in the United States. While his complaint was originally rejected by the Commission (Decision 2000/5205: ‘the Safe Harbour Decision’(2)) on the grounds that the US ensured an adequate level of protection, the ECJ ruled on October 6th, 2015 that this decision was invalid (‘the Schrems I judgment’(3)). Shortly after the ruling, the US and EU established the Privacy Shield to govern the exchange of personal information between the two continents and fill the void left by the ruling related to the Safe Harbour agreement.
Many companies were relieved at the apparent clarity and protection the new Privacy Shield framework gave them in their day-to-day business. However, Maximilian Schrems followed up on his original complaint and the Irish High Court referred to the ECJ for a preliminary ruling(4). In order to address the complaint, the ECJ assessed whether the use of Standard Contractual Clauses (SCCs) and the Privacy Shield offered sufficient protections regarding EU citizens’ fundamental rights and freedoms. The ECJ’s assessment effectively ruled that the Privacy Shield did not provide adequate protection of various rights granted by the Charter of Fundamental Rights of the European Union(5), notably those described in Articles 7 (respect for private and family life) and 8 (protection of personal data).
That ruling is final, putting companies under pressure to act quickly. Since the court decided to uphold the validity of the European Commission's Decision 2010/87/EC on SCCs, one way to comply swiftly is to rely on SCCs as a means of an alternative data transfer method. The downside is that companies are required to first determine whether the applicable US laws provide adequate protection similar to the GDPR, and if not, provide suitable protections via an SCC. One of the biggest impacts will be to widely international industry sectors such as ad-tech, where a simple data transfer, such as recalling certain customer segmentation data, may be seen as a cross-border data transfer depending on server locations. If a company cannot guarantee the safety of an individual's personal data via SCCs they risk significant fines, with GDPR fines ranging up to €20 million or 4% of annual global turnover—whichever is greater.
Many Data Protection Officers of the different EU countries have mentioned concerns about the decision to validate SCCs(6), mentioning it as inconsistent with the Privacy Shield ruling, leading to estimates that the SCCs could also be ruled out as a viable alternative in the coming 12 months. On the other hand, the European Data Protection Supervisor (EDPS) welcomed the clarifications on the responsibilities for controllers, Data Protection Officers, and the associated risks with using SCCs(7).
Implications for Businesses
While the ruling focused on Facebook and the personal data of an individual, it has much broader implications for businesses who process EU citizen data in the US (or any other non-EU country where no specific data agreements are in place such as Russia or China). Major US corporations may still be on the right side of the law with SCCs, however, it remains to be seen for how long. Additionally, smaller companies will have greater difficulties in quickly adapting to the new requirements. Some large online data service providers will (and have already) switch to European servers, but we’ll have to wait and see how quickly they port over their lower tiered services. For instance, Google Analytics, a free service, is used by thousands of companies of all sizes and currently does not have a valid SCC; on the other hand, some of Google’s paid services—such as the Google Cloud Platform and G Suite—do provide compliant and valid SCCs to companies in Europe(8).
Every company in Europe or dealing with data from European citizens now needs to evaluate if any of their cloud-providers send personal data into third countries for processing and on which basis. This is going to be burdensome for smaller companies that often lack both the expertise and the bargaining power to negotiate different means of processing data. This could be a potential detriment specifically for innovative technology startups and other small companies(9) that may avoid serving European citizens, given that the complexity and risk for compliant data processing becomes too burdensome compared to the upside which it stands to capture.
Either way, companies should take a look at their internal data flows as soon as possible, especially if using vendors based in the US that haven been processing data under the Privacy Shield (and not under SCCs). Lastly, there is often a joint controllership (with joint responsibility and liability) when utilizing online service providers, such as social media plug-ins. With many companies nowadays including such plug-ins into their services, there is now an increased risk after the ECJs Privacy Shield decision.
While both the EU and the US released statements on working towards a new and improved data sharing agreement(10), it remains to be seen how quickly a deal can be developed in the current political climate. Companies with sufficient financial resources may find themselves looking at more sophisticated services that offer a more granular control over the handling of data or generally utilize “on-premises” solutions.
However, for many smaller companies, that likely won’t be a cost effective option. As Berlin’s DPA Maja Smoltczyk noted in a press release, “The times when personal data could be transferred to the USA for convenience or cost savings are over according to this judgement. Now is the hour of digital independence for Europe”(11). With the ongoing shift towards more data privacy — be it by as exemplified by companies such as Apple(12), ongoing regulatory initiatives(13), or new court rulings such as this—data ownership should be an integral part of every company's data strategy. This is something Datawallet has been working on and advocated for from day zero(14), and while many companies try to continue with business-as-usual, data ownership will be a topic every online service will have to contend with in the very near future. The plus side is that it offers an opportunity for businesses to strengthen customer relationships and position themselves early as a truly consumer first brand.
Even if there’s a new agreement at some point, there will be a long way of uncertainty for European companies, lots of work for lawyers, and still the risk that a new Privacy Shield would be ruled insufficient, again.
Datawallet is the world’s leading blockchain based data privacy compliance platform. Being the first company to champion the concept of Consumer First Compliance, we not only enable enterprises to comply with complex international data privacy regulations such as CCPA and SB-220 in the United States, GDPR in Europe, and POPI in South Africa. But we furthermore provide users of our clients the ability to fully understand their data and make informed decisions about its usage.
If you want to jump right in and become compliant, start your free trial of our easy-to-use compliance platform here (no credit card required).
Need something tailormade for your organization? Contact us at firstname.lastname@example.org.
(2) Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 p.7).
(3) Case:C-362/14 Schrems see also Press Release No. 117/15.
(4) A judgement on a preliminary ruling is a final determination of E.U. law, with no scope for appeal, and is binding in all courts and tribunals across the E.U: ’http://curia.europa.eu/juris/document/document.jsf?text=&docid=204046&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=8546800
(8) https://privacy.google.com/businesses/compliance/?hl=en_US (29.07.2020)Regulatory UpdatesCCPAGDPRDatawalletConsumer PrivacyPrivacy Shield