As many here in the United States slept in the wee hours of this morning, July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a binding judgment invalidating the European Commission Decision (Commission Decision 2016/1250, the “Privacy Shield Decision”) that authorized the EU-U.S. Privacy Shield arrangement. For the past four years, this arrangement (resulting from negotiations between EU authorities and the Department of Commerce in the aftermath of a similar CJEU decision back in 2015, which invalidated the EU-U.S. Safe Harbor) has been relied upon by many businesses to transfer personal data from the European Union to the United States in compliance with European Union law. As a result of the CJEU’s judgment, self-certification under the Privacy Shield framework is no longer a lawful means of transferring personal data from Europe to the United States under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
EU Data Protection Law
The European Union's first comprehensive privacy legislation, the EU Data Protection Directive (Directive 95/46/EC, the "Directive"), was adopted in 1995 and had to be implemented by Member States by October 1998. It set minimum "floor" requirements for the protection of EU personal data and, as part of those requirements, prohibited the transfer of EU personal data to a non-EU country unless that country ensured an "adequate" level of protection for such personal data.
Specifically, the Directive required that a non-EU country have an “adequate level of protection… by reason of its domestic law or of the international commitments it has entered into… for the protection of the private lives and basic freedoms and rights of individuals.” (Directive, Article 25(6)). Protection for the “fundamental rights and freedoms of natural persons” was paramount (Directive, Article 1(1)).
These fundamental underpinnings of European data protection law were preserved in the GDPR (which replaced the Directive) when the GDPR took effect on May 25, 2018. Specifically, absent an adequacy decision, "a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available." (GDPR, Article 46(1)). Until today, the Privacy Shield continued to serve (as it had under the Directive) as a valid mechanism for transferring data from Europe to the United States under the GDPR.
Today, the CJEU found the Privacy Shield Decision (and thus the Privacy Shield framework itself) invalid because the Decision did not ensure a level of protection essentially equivalent to that guaranteed within the European Union, in particular with respect to enforceable data subject rights and effective legal remedies. Specifically, the CJEU determined that U.S. national security law permits access to transferred data by U.S. authorities in a manner that is incompatible with EU data protection principles, that affected individuals lack effective judicial redress in the United States, and that the Privacy Shield framework (including its Ombudsperson mechanism) did not cure that incompatibility.
Practical Implications
The CJEU judgment creates uncertainty for U.S. companies processing or storing EU data. Without the protection of the Privacy Shield, U.S. organizations must take steps to ensure that any transfer of personal data from the European Union to the United States is carried out in compliance with the GDPR. Specifically, Article 46 of the GDPR sets forth a limited set of conditions under which EU personal data may be transferred to non-EU countries that are not covered by an adequacy decision.
For example, where personal data is transferred from an EU controller to a U.S. controller or to a U.S. processor, the Standard Contractual Clauses (also called the "model clauses") adopted by the European Commission may be an acceptable mechanism. That said, the CJEU decision casts doubt on whether, in the long run, the Standard Contractual Clauses will remain a viable data transfer mechanism in all circumstances. The Court held that the data exporter and importer must verify, on a case-by-case basis, that the law of the destination country allows the clauses to be honored in practice, and it left the door open for European data protection authorities to suspend or prohibit transfers made under the Standard Contractual Clauses to a particular country where they find that the clauses cannot deliver the requisite level of protection against the backdrop of that country's local law. For now, however, the Standard Contractual Clauses remain a valid data transfer mechanism under the GDPR.
Alternatively, multinational companies transferring personal data from the European Union to affiliates in the United States may consider the implementation of Binding Corporate Rules (“BCRs”). However, the regulatory process for the approval of such rules tends to be lengthy.
Ultimately, the invalidity of the Privacy Shield, combined with the cumbersome regulatory approval process required to implement BCRs and the uncertain future of the Standard Contractual Clauses, could result in higher costs for businesses that wish to continue to operate in European markets.
Going Forward
As companies and European data protection authorities are still reeling from the impact of the CJEU’s decision, the best course of action for the immediate future is difficult to ascertain and will depend on the specific facts associated with each business. Please do not hesitate to contact Morse’s privacy and data security team if you would like to discuss options for your business in light of this decision.