July 17, 2020 | Business, Corporate & Securities; Insights

EU Court Strikes Down EU-U.S. “Privacy Shield”

On July 16, 2020, the Court of Justice of the European Union (the “Court”) announced its decision to invalidate Commission Implementing Decision (EU) 2016/1250 (the “2016 Decision”). The 2016 Decision had ruled that the EU-U.S. Privacy Shield Framework (the “Privacy Shield”) was adequate to enable transfers of personal data from the EU to the U.S. under EU law, including the then newly adopted General Data Protection Regulation (“GDPR”). Yesterday’s decision (the “020 Decision”) is poised to have potentially significant impacts on businesses operating in both the European Union and United States.

As discussed below, the primary impact on U.S. businesses is the immediate inability to rely on the Privacy Shield for GDPR compliance. While the Department of Commerce released a statement yesterday maintaining that the Privacy Shield program will continue to be administered and its participants are not relieved of their obligations, EU-U.S. data transfers by Privacy Shield participants will no longer be considered compliant under EU law and the GDPR.

Background

Prior to the adoption of the GDPR, data transfers between the EU and the U.S. were allowed under the International Safe Harbor Privacy Principles. The European Commission ruled in July of 2000, in the so called “Safe Harbour Decision,” that U.S. companies complying with these principles met the data protection requirements under EU law (including the Data Protection Directive), and that such companies were allowed to transfer personal data from the EU to the U.S.

In October 2015, the Court invalidated the International Safe Harbor Privacy Principles. Soon after this decision, the European Union and the United States began talks over a new framework, and reached a political agreement regarding the same in February 2016. This new framework was the Privacy Shield, and was deemed adequate by the European Commission in its 2016 Decision.

The European Union adopted the GDPR in April 2016 and began enforcement in May 2018. The GDPR applies to organizations involved in the processing of personal data of individuals located in the European Union. Personal data is defined broadly as “any information relating to an identified or identifiable natural person.” The breadth of the GDPR means its application extends to many U.S. technology companies with European operations or that collect, process or handle the personal data of European Union residents.

The Privacy Shield program, administered by the International Trade Administration within the Department of Commerce, enabled U.S. companies to join the Privacy Shield framework (as well as the separate Swiss-U.S. framework), in order to benefit from the adequacy determination made in the 2016 Decision. To do so, U.S. companies had to self-certify and publicly commit to comply with the Privacy Shield requirements. While voluntary to join, once a commitment to the Privacy Shield requirements was made, such commitment would be enforceable under U.S. law.

The Privacy Shield was subject to a number of legal challenges, including one brought by Austrian national Maximillian Schrems in Ireland against Facebook. Schrems had challenged the transfer of his personal data from Facebook Ireland to servers belonging to Facebook Inc. located in the United States, where such personal data was then processed, as a violation of the GDPR. He claimed that despite the Privacy Shield, the U.S. does not offer sufficient protection of personal data. Schrems’ challenge was referred by the Irish authorities to the Court, which led to the 2020 Decision yesterday.

The 2020 Decision

In yesterday’s decision, the Court ruled that the transfer and processing arrangement conducted by Facebook and complained of by Mr. Schrems falls under the scope of the GDPR and that data subjects such as Mr. Schrems’ must be afforded a level of personal data protection “essentially equivalent” to that guaranteed within the EU by the GDPR. In determining the sufficiency of personal data protection, the Court ruled that such an assessment should look at both the contractual arrangement between the EU data exporter (Facebook Ireland in Schrems’ case) and the recipient of the personal data (Facebook Inc.) as well as the legal system of the country where the recipient is located.

The Court, in reexamining the 2016 Decision in light of the GDPR requirements, conducted such an assessment and ruled that (i) the requirements of US national security, public interest and law enforcement have primacy over the Privacy Shield, thus condoning interference with the fundamental rights of persons whose data are transferred, (ii) the limitations on the protection of personal data stemming from the permitted access and use of such data by U.S. authorities mean that personal data is not afforded an “essentially equivalent” level of protection as that required under EU Law, and (iii) accordingly, the 2016 Decision is invalid and the Privacy Shield is no longer deemed adequate to allow for data transfers under EU law. These rulings were based largely on the ability of U.S. authorities, through various surveillance programs authorized under the Foreign Intelligence Surveillance Act (which allows for mass collection of non-Americans’ personal data from technology companies), to access personal data despite the Privacy Shield. The Court focused on the insufficient limitations on the implementation and use of such surveillance programs, as well as the lack of actionable rights of EU data subjects before U.S. courts.

Although the 2016 Decision was invalidated and the Privacy Shield deemed inadequate, the Court stopped short of invalidating an alternative mechanism for GDPR compliance referred to as “standard contractual clauses” or “SCCs.” These SCCs are contractual provisions drafted by the European Commission, outlining rights and responsibilities of data subjects and processors that comply with the GDPR. However, the Court left open the possibility of EU privacy regulators invalidating SCCs on a case-by-case basis if a company violates their terms or is unable to adhere to them.

Impact on U.S. Businesses

The primary impact on U.S. businesses is the immediate inability to rely on the Privacy Shield for GDPR compliance. While the Department of Commerce released a statement yesterday maintaining that the Privacy Shield program will continue to be administered and its participants are not relieved of their obligations, EU-U.S. data transfers by Privacy Shield participants will no longer be considered compliant under EU law and the GDPR.

U.S. businesses relying solely on SCCs for GDPR compliance should also keep abreast of upcoming developments in light of the 2020 Decision, especially if they are known to be subject to data collection under U.S. surveillance law, including the Foreign Intelligence Surveillance Act. While the system of SCCs will remain in place for now, the Court contemplates, and much of the commentary in the EU data privacy realm predicts, that EU regulators will reexamine and ultimately invalidate the SCCs on a similar basis as the Court used to invalidate the Privacy Shield.

Finally, U.S. businesses potentially affected by the 2020 Decision should be aware that exceptions remain in place under existing provisions of Article 49 of the GDPR. These exceptions will allow for the continued transfer of data, despite the Court’s invalidation of the 2016 Decision and the Privacy Shield, where:

the data subject has given explicit consent to such transfer after being informed of the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the data subject and the business controlling the data processing or the implementation of pre-contractual measures taken at the data subject’s request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the business controlling the processing and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defense of legal claims;
the transfer is necessary in order to protect the vital interests of the data subject or others and the data subject is physically or legally incapable of giving consent; or
the transfer is made from a register which according to EU or member state law is intended to provide information to the public and meets the prescribed legal conditions.

The Court highlighted that these exceptions, primarily that which allows for transfers necessary for the performance of a contract between the data subject and the business controlling the data processing, act to ensure that a “legal vacuum” is not created by 2020 Decision, disrupting crucial business activity.

Rich May continues to monitor the evolution of data protection and privacy laws and regulations that affect U.S. companies, both domestically and abroad, and will provide additional updates as they become available.

Disclaimer: This summary is provided for educational and informational purposes only and is not legal advice. Any specific questions about these topics should be directed to attorney Matthew Sweet.

About Rich May. P.C.

Rich May, P.C., a law firm founded in 1937 and located in the heart of Boston’s financial district, concentrates its practice on corporate, financial, civil litigation, energy, real estate, entertainment and wealth planning matters. The firm’s clients include a broad group of businesses in New England and throughout the country. Rich May provides the breadth and depth of expertise generally associated with large, national firms, while maintaining the prompt, personal service found in smaller, regional firms. Rich May’s clients have direct access to experienced attorneys who are familiar with both the client and the area of inquiry and can provide timely and practical legal solutions.

Rich May has been elected and admitted as a member of Ally Law. This membership, which provides affiliations with more than 2,800 lawyers at over 70 firms in 50 countries, supplements our ability to assist clients throughout North America and around the world.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_154472780_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 3 months 17 days 9 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

News & Insights

About Rich May. P.C.