The Demise of the EU-U.S. Privacy Shield

On 16 July 2020, the Grand Chamber of the Court of Justice of the European Union (CJEU) presented its verdict on the ‘Schrems II case,’ declaring the EU-U.S. Privacy Shield invalid. This was quite a shock. Not just because the court chose to deviate from the Advocate General’s advice, which does not happen very often, but also because of the effect this has for companies all over Europe.

The GDPR regulates the free flow of personal data within the European Economic Area (EEA). As all Member States of the EEA apply the same legislation, there are hardly any obstacles. When personal data leaves the EEA, however, this changes, because data protection law in those ‘third countries’ may be very different, or even hardly existent. Transfers of personal data to countries outside the EEA are only allowed if the controller or processor has provided appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Privacy Shield Adequacy Decision

In principle, it is the responsibility of the controller or processor who transfers the data outside of the EEA to ascertain that the rights and freedoms of the individuals whose data is transferred remain adequately protected once the data arrives in the third country. One way to verify this is an adequacy decision: the European Commission, in consultation with the European Data Protection Board, decides that the third country, in its legislation and in practice, provides an adequate level of protection. The EU-U.S. Privacy Shield was such an adequacy decision.

Why is this important?

Suppose you use social media in a commercial setting. In that case, the chances are that the provider is an American company (Facebook, LinkedIn, etc.) storing your information on a server that USA intelligence services may be able to access. The same is true for cloud providers, saving your ‘Dropbox’ or ‘OneDrive’ (etc.) data on their servers. Under USA law, the level of protection of European residents’ rights and freedoms is not equivalent to what the GDPR requires.

What is the Privacy Shield?

In 2016, the EU and the U.S. government agreed to the ‘Privacy Shield’ framework after an earlier agreement (‘Safe Harbor’) had been proven inadequate. The Privacy Shield included strong data protection obligations on companies receiving personal data from the EU, safeguards on U.S. government access to data, and effective protection and redress for individuals. From the very beginning, however, the reports on the agreed joint annual reviews of the framework showed concern about the effectiveness of the measures to protect data subjects’ rights. Finally, in its verdict of 16 July 2020 on the Schrems II case, the CJEU invalidated the Privacy Shield framework as appropriate protection, for exactly the same reasons as in the verdict regarding the Safe Harbor scheme: there is no real limit to the rights of the U.S. government to process personal data of EU residents. Hence there is no adequate judicial protection. You can’t go to court to protest the U.S. government’s behavior, because any processing it does is legal according to U.S. law. Moreover, the court maintains that the ‘ombudsperson’ specified in the framework is insufficiently independent and, as such, has no real power to adopt decisions that are binding on U.S. intelligence services.

No Privacy Shield - Now what?

As the verdict had an immediate effect, companies that rely on the Privacy Shield needed to quickly find an alternative. GDPR Recital (108) states that the necessary safeguards for transfers outside the EEA ‘should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.’

The CJEU verdict of 16 July 2020 confirms that standard contractual clauses (SCCs), according to EU Decision 2010/87, can be a valid basis to transfer personal data to the USA (and other third countries), provided that the contract in practice ‘ensure(s) compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union.’ According to the press release about the verdict, this includes:

‘an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is (still) respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.’

The conclusion is that organizations that relied on the Privacy Shield need to negotiate an agreement with their USA partner(s), using the standard clauses of EU Decision 2010/87 (which are arguably in need of an update) and adding the necessary provisions to give effect to the obligations described above. Whether that would be more than a purely theoretical possibility remains to be seen: which company has the resources to carry out case-by-case risk assessments for each non-EEA data transfer, including an assessment of the practical level of data protection law, the respect for the rights of individuals, the existence of independent supervisory bodies, and effective legal remedies?

The Future after the Privacy Shield

In a reaction to the verdict, Didier Reynders (European Commissioner for Justice) and Wilbur Ross (U.S. Secretary of Commerce) issued a joint press statement that they ‘have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework’. There will, however, not be ‘a quick fix.’ During a meeting of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in August 2020, Mr. Reynders stated: ‘What we need are sustainable solutions that deliver legal certainty, in full compliance with the judgment of the court.’

Further Reading

In his book Privacy and Data Protection based on the GDPR, Leo Besemer describes the principles and the requirements of the GDPR. It features many practical examples and relevant references to EDPB (European Data Protection Board) publications, news articles, and case law. It will help anyone in charge of or involved in processing personal data to comply with the GDPR effectively and efficiently, merging the law’s requirements with sound business practice.

About the Author

Leo Besemer is an independent consultant with more than 40 years of experience in IT. This includes almost 30 years in exam design and writing educational materials covering IT-related topics, including data protection and privacy. Since the publication of the General Data Protection Regulation in 2016, he has closely followed the discussions about the exact interpretation of this European legislation and its impact on day-to-day practice.