Data Déjà Vu: European Union’s Highest Court Invalidates EU-U.S. Privacy Shield Framework
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework (one of the three primary mechanisms that permitted the lawful transfer of personal data from the EU to the U.S.), finding that U.S. law does not provide a level of protection for personal data "essentially equivalent to that required under EU law." The Court reached that conclusion largely because U.S. surveillance programs are not limited to what is strictly necessary and proportionate, because U.S. law does not grant EU data subjects rights that are actionable before the courts against U.S. authorities, and because the framework gives primacy to U.S. public interest, law enforcement and national security requirements, which permits interference with the fundamental rights of EU data subjects whose personal data is transferred to the U.S.
Why Does This Matter?
Stringent European Union data privacy laws prohibit the transfer of EU personal data to countries outside the EU that the European Commission has not found to provide an "adequate" level of protection (the U.S. among them) unless the transfer is made under an approved safeguard. Until the ruling, the three primary mechanisms for such cross-border transfers were: (1) standard contractual clauses (SCCs) imposing EU-compliant data protection obligations on the recipient; (2) binding corporate rules (BCRs) for transfers within a corporate group; or (3) in the case of the U.S., the recipient's certification under the EU-U.S. Privacy Shield framework.
Because thousands of companies had certified under the EU-U.S. Privacy Shield framework, the impact will be widespread in the data privacy community, and the CJEU's decision raises more questions than it answers. The U.S. Secretary of Commerce reported that the agency is "studying the decision to fully understand its practical impacts. ... We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments." The European Commission Vice President for Values and Transparency and the Justice Commissioner are reportedly in talks with their U.S. counterparts about next steps. Notably, they report that they "will not be starting from scratch" with regard to new data transfer mechanisms, but rather that an "updated tool" can be created using the "further valuable guidance" offered by the CJEU decision.
Despite the invalidation of Privacy Shield, many U.S. companies will be (somewhat) relieved to know the CJEU upheld the validity of standard contractual clauses – with an asterisk. The Court held that the model clauses – the most widely used transfer mechanism – remain valid, but that their use is no longer a box-ticking exercise. Before relying on them, the data exporter and the data importer must assess, case by case, whether the law and practice of the destination country, in particular the rules on access by public authorities, allow the importer to actually honor the clauses, and where they do not, the exporter must put in place supplementary measures that bring the protection up to the EU standard or refrain from the transfer. EU supervisory authorities, for their part, are required to suspend or prohibit transfers to a third country where the protection required by EU law cannot be ensured and the exporter has not suspended the transfer itself.
So Now What?
Although the practical impacts of the ruling will take some time to be seen, there are some affirmative steps companies can take to reduce legal exposure:
- Companies currently relying on the EU-U.S. Privacy Shield framework must still meet their obligations under the framework, but should know that it is no longer a valid mechanism for the transfer of EU personal data. Such companies will need to look to a different mechanism to facilitate such transfers.
- Because the use of standard contractual clauses currently remains a valid mechanism for cross-border data transfers from the EU, the CJEU’s ruling will not spell a moratorium for such data transfers. However, companies would be wise to revisit existing data flows under their standard contractual clauses, revise their due diligence assessments, and update written policies and protocols for exporting or importing EU personal data where appropriate.
- The CJEU’s reasoning leaves open questions as to the validity of standard contractual clauses and BCRs, so all cross-border transfers of EU personal data present some degree of risk, and companies should assess their appetite accordingly.
Companies should also be aware that the European Commission is expected to adopt updated standard contractual clauses aligned with the General Data Protection Regulation, with the European Data Protection Board weighing in on the drafts, which means companies should expect to repeat this exercise in the near future as existing contracts are migrated to the new clauses.
For more information regarding the recent CJEU decision, or if you would like assistance in reviewing or shoring up your company’s existing data transfer protocols, please contact a member of Honigman’s Data Privacy & Cybersecurity team.