In a major development for international data transfers, the European Union's highest court declared Thursday that the EU-U.S. Privacy Shield arrangement — which includes thousands of participating companies — is invalid.
The Court of Justice of the European Union did, however, uphold the validity of standard contractual clauses, provided that protections are in place in the third country to which EU data is transferred — specifically with regard to access by public authorities and judicial redress.
A CJEU news release revealed that in the court's view, "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities ... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."
In particular, the court said that the ombudsperson mechanism in the U.S. — a role created by the Privacy Shield arrangement — "does not provide data subjects with any cause of action before a body which offers guarantees" at the level of EU law. The CJEU said the ombudsperson, a role that sits within the U.S. Department of State, is neither sufficiently independent nor adequately empowered.
U.S. Secretary of Commerce Wilbur Ross said the agency was "disappointed" and that it is "studying the decision to fully understand its practical impacts. ... We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments."
At a news conference, European Commission Vice President for Values and Transparency Věra Jourová and Justice Commissioner Didier Reynders said they are in talks with their U.S. counterparts about the next steps. Jourová noted that they "will not be starting from scratch," that the "Schrems II" decision "provides further valuable guidance for us" and that "an updated tool will be fully in line with it."
Both provided little by way of details, noting they will need more time to analyze the decision. However, Reynders did say that the commission is already working to modernize SCCs.
Ireland's Data Protection Commission "strongly" welcomed the CJEU decision "precisely because it was concerned that, properly understood, the CJEU’s Safe Harbour judgment of 2015 was to be read as indicating that, for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic." (Commissioner Helen Dixon will join an IAPP panel reacting to the news Friday, July 17, at 1 p.m. ET.)
Notably, in its statement, the DPC said, "the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable."
Though SCCs remain valid, the implications of today's decision will be far-reaching and affect how businesses operate around the world. According to last year's "IAPP-EY Governance Report," SCCs are the most popular data transfer mechanism, and in a recent Future of Privacy Forum study, more than 250 European-headquartered companies were active Privacy Shield participants. To date, more than 5,400 companies had signed up under Privacy Shield, including more than 1,000 in the last year.
The U.S. Department of Commerce, however, said it "will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations."
On the CJEU's validation of SCCs, Bird & Bird Partner Ruth Boardman said, "the CJEU sets out a heavy burden on data exporters which wish to use SCCs; the data exporter must consider the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Additional safeguards, beyond the SCCs, may be required.
"Although not highlighted in the summary, the decision also concludes that all data transfers to the U.S. made by way of undersea cable are susceptible to access by U.S. intelligence services — and that the law and practice surrounding this access falls short of EU legal requirements. Given this conclusion, the judgment has implications for transfers of personal data to the U.S. more widely, beyond the EU-U.S. Privacy Shield."
Though the invalidation of Privacy Shield is bad news for thousands of companies, Refinitiv Chief Privacy Officer Vivienne Artz said the decision "results in a sigh of relief for many firms which rely on SCCs for both their inter-group data transfers and those with third parties, but it is a second body blow for EU-U.S. data transfers."
Artz said the "result is not wholly unexpected, given the ongoing criticism leveled at the Privacy Shield in recent months by various EU bodies, but it is disappointing both for the European Commission and the U.S. companies impacted to find that they are back to square one again."
Beyond the massive implications for data transfers to the U.S., the decision will place a greater burden on businesses exporting data to other countries via SCCs. It will also require more work from EU supervisory authorities, many of which are already faced with limited resources. (For more analysis of the case, see IAPP Research Director Caitlin Fennessy's, CIPP/US, article here.)
FPF's Gabriela Zanfir-Fortuna said, "One clear consequence of the decision today that SCCs are valid means to allow transfers of personal data 'independently of the level of protection guaranteed in each third country.' This means that they can also be used for transfers to those countries which have an insufficient level of protection. But for SCCs to be able to be used as lawful mechanisms for transfers to those countries, the court imposes on controllers to adduce 'supplementary measures' and 'additional safeguards' ... 'depending on the prevailing position in a particular third country,' on a case-by-case basis. Think, for example, of encryption. How will this work in practice?"
Max Schrems, who initially brought this case against Facebook to the Irish DPC and whose earlier legal challenge in 2015 led to the invalidation of the EU-U.S. Safe Harbor Framework, applauded the CJEU decision. "It is clear that the U.S. will have to seriously change their surveillance laws if U.S. companies want to continue to play a major role (in) the EU market." (Schrems will join an IAPP panel Friday, July 17, at 10 a.m. ET to discuss the case and its implications.)
In comments provided to The Privacy Advisor, Facebook Associate General Counsel Eva Nagle said, "We welcome the decision of the (CJEU) to confirm the validity of (SCCs) for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens. Like many businesses, we are carefully considering the findings and implications of the decision of the (CJEU) in relation to the use of Privacy Shield, and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure."
The decision also carries ramifications for the U.K. as it transitions out of the EU. In comments to the IAPP, a U.K. government spokesman said, "We are committed to ensuring high data protection standards. We are reviewing the details of the judgment and considering its impact on data transfers for U.K. organizations."
Promontory's John Bowman, CIPP/E, CIPM, FIP, said the judgment "raises significant questions about personal data flows between the EU and the U.K. after the end of the post-Brexit transition period on Dec. 31. The European Commission and the British government are currently negotiating an adequacy decision, which will maintain those data flows from 2021 onward. However, as the court determined that under Privacy Shield U.S. requirements of national security, public interest, and law enforcement have primacy and infringe on EU rights, decision-makers and influencers in Brussels may speculate as to whether a similar situation exists in the U.K.
"Although adequacy is a decision of the European Commission agreed by the Council of the EU (the member states), the opinions of the (EDPB) and the European Parliament will be important. Therefore, during the short time left to conclude adequacy negotiations, the national interests of the U.K. are bound to come under intense scrutiny, which may pose a risk to an agreement being reached in time."
It will clearly take some time for businesses, privacy professionals and regulators to digest the implications of the CJEU decision.
Refinitiv's Artz added, "As the impact unfolds, it will be interesting to see what this means for future EU adequacy decisions, many of which are in the pipeline, and how this may impact U.K./U.S. data transfers post-Brexit in 2021."
Top image: Věra Jourová, European Commission