Implications of Europe’s top court recent ruling on EU-US Privacy Shield

Written by International Compliance Association on Monday July 27, 2020

The impact of the decision by the EU Court of Justice on the Privacy Shield

The Court of Justice of the European Union (CJEU) made judgement on 16 July 2020 on a case brought to it concerning a data privacy advocate’s claim against Facebook’s Irish operations.[1] This judgement has potentially serious implications for companies which transfer personal data to processors outside the European Union, particularly to processors located in the US.  

In this article we explore the EU’s data privacy rules on the transfer of personal data outside of the EU (from the General Data Protection Regulations – GDPR), the arrangements in place to deal with transfers of data to the US (the so called US Data Privacy Shield), the substance of the CJEU’s recent judgement and its potential implications.   

What does the GDPR say about transferring data outside the EU?

The GDPR permits the transfer of personal data outside of the EU only if the country to which the data is being transferred (a third country) ensures an adequate level of data protection. The European Commission has powers under the GDPR[2] to make decisions concerning the adequacy of a third country’s domestic law or international commitments to protect personal data (sometimes referred to as an equivalence test).[3] Where there is no equivalence, transfers may still take place if safeguards – typically standard data protection clauses – are put in place by the exporter of the data that have the effect of also giving data subjects enforceable rights and effective legal remedies.[4] The GDPR also provides conditions that are to be satisfied in order for personal data to be transferred outside the EU in the absence of the equivalence test or the safeguards.[5] 

What was the US Data Privacy Shield and how did it work?

The US Data Privacy Shield was a mechanism put in place between the EU and the US that imposed on US companies and certain US regulatory agencies obligations to protect the personal data of EU citizens.

The Data Privacy Shield set principles concerning the handling of personal data, including:

• obligations on companies holding personal data including regular updates and reviews of their arrangements by US regulatory authorities;
• ensuring that any onward transmission of personal data to other organisations would be subject to the same level of protection as provided by the Privacy Shield;
• safeguards and transparency obligations on the US government’s access to personal data including EU redress mechanisms;
• accessible and affordable dispute resolution mechanisms and the creation of a US ombudsman independent of the US intelligence services; and
• an annual joint review by the European Commission and the US government department to monitor the functioning of the Data Privacy Shield.

To benefit from the Data Privacy Shield, a US organisation had to:

• be within the enforcement authority of amongst others the Federal Trade Commission that could ensure compliance;
• publish its commitment to adhere to the Privacy Shield’s principles and publicly disclose its privacy policy; and
• implement the Data Privacy Shield’s principles.

What is the substance behind the CJEU’s recent judgement?

In its judgement, the CJEU opined on two points concerning the adequacy of transferring personal data from the EU:

1. under the standard data protection clause; and
2. by relying on the US Data Privacy Shield to provide appropriate safeguards.

In principle the standard data protection clause remains valid. However, its validity depends on whether it is possible, in practice, for the data importer to ensure compliance with the level of protection required by EU law.

The CJEU has declared the Privacy Shield invalid. The ruling is generally not considered a great surprise, following views by some that the Privacy Shield was effectively the previous Safe Harbour agreement under another name.

The CJEU’s conclusion is that the Privacy Shield did not provide a level of protection of personal data in the US 'essentially equivalent' to that under the GDPR and EU law. This appears to be due to the intrusive nature of surveillance programmes undertaken by the US government and intelligence agencies, which are not limited to information that is 'strictly necessary' and are therefore viewed as disproportionate under the GDPR.

The CJEU also noted:

• there was limited ability by non-US citizens to challenge the US government processing their data in this manner; and
• the Privacy Shield Ombudsman (which was set up by the European Commission in response to criticism that EU individuals lacked access to an effective remedy under US law regarding processing of their data) did not provide data subjects with adequate access to justice, as its decisions were not binding on US intelligence services and its impartiality was deemed to be questionable.

What are the implications of the CJEU decision?

Despite the standard privacy clause remaining, in principle, valid, EU data exporters should consider suspending or preventing the transfers of personal data previously made under the standard data clause in order to ensure an individual’s data protection rights are protected to an 'essentially equivalent' standard outside the EU as they would be under GDPR.

It follows it is likely for there to be more focus on importers of the data of EU citizens – and in particular, those based in the US.

However, this ruling applies to all third countries without an adequacy decision to prove to the EU-based data exporter that processing will not clash with the GDPR. In the case of data exports to the US this may be difficult to prove, with current surveillance laws not granting the same protection afforded to Americans to foreign citizens.

EU-based organisations

EU-based organisations should analyse the practical implications of the CJEU’s ruling on their data management and data storage business models, where they transfer personal data to others. They should consider their use of third-party cloud storage. Some may wish to:

• identify existing arrangements where personal data of EU citizens is exported outside of the EU – including confirming with third parties within the EU to whom personal data is transferred how any subsequent export out of the EU is impacted by the CJEU’s ruling
• review whether the CJEU’s interpretation of the use of the standard data protection clause in each instance ensures compliance with the level of protection required by EU law. This may require considering the legal framework in the data importer’s jurisdiction
• consider existing data transfer arrangements that historically relied on the US Data Privacy Shield and put in place new arrangements to comply with the CJEU’s interpretation of the GDPR  
• consider what other mechanisms exist with the GDPR that would permit the export of personal data, particularly to the US. There may be limited grounds for exporting data under a contract and also in using the option of informed and freely given consent. In the latter option, the consent must be able of being withdrawn by the data subject at any time.

Organisations outside the EU

Organisations outside the EU who import personal data from the EU should also weigh up the implications of the CJEU’s ruling. They ought to anticipate whether the standard data protection clause provides the same level of protection as under the GDPR itself and consider the risks posed by their domestic legal framework. Where there are gaps or shortcomings, they will need to consider what other options are available.

Those US organisations who have agreed to participate in the US Data Privacy Shield arrangement ought to consider the implications of the CJEU’s ruling on their business and data model and develop plans to address the obvious challenges.   

Austrian privacy advocate Max Schrems, who brought the case against Facebook and the Irish supervisory authority that was the subject of the CJEU’s ruling, noted that the CJEU’s ruling put the US on the same footing as any other third country. He hoped that the CJEU’s decision would encourage US corporations to advocate for stronger privacy rights for foreign citizens.

[1] Court of Justice of the European Union, Press Release No 91/20, 16 July 2020: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf – accessed July 2020

[2] The European Parliament and the Council, Regulation (EU) 2016/679, 27 April 2016: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN – accessed July 2020

[3] Article 45 of the GDPR

[4] Article 46(1) and (2)(c) of the GDPR

[5] Article 49 of the GDPR