The Court of Justice of the European Union (CJEU) struck down a major EU-US data flows agreement called Privacy Shield due to the inadequacy of its protection for EU citizens’ privacy, according to a press release issued by the Court on Thursday.
The CJEU found that, under the terms of the EU-US Data Protection Shield “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that the measures it established to mitigate interference of this kind (such as the creation of an ombudsman role to handle the complaints of EU citizens) did not meet the required legal standard of “essential equivalence” with EU law.
Austrian privacy activist and lawyer Max Schrems, who brought the case, hailed the decision as a victory for privacy rights.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market,” Schrems said in a statement.
Though the agreement was invalidated, the CJEU upheld the validity of another data transfer mechanism called “standard contract clauses” (SCCs), which are used by more than 5,000 US companies (including Facebook, Twitter and Google) to transfer European data.
Wilbur Ross, the US Secretary of Commerce, said that his department was “deeply disappointed” by the decision, and hoped to “limit the negative consequences” to transatlantic trade.
The decision was unexpected for some. Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP, mentioned that for businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes. "SCCs, commonly utilised for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators. Transfers of personal data from the EU to the US will require particular care given comments made by the Court about US surveillance. But all personal data transfers from the EU, whether to the US or elsewhere (including the UK after 1 January 2021) will now require much closer scrutiny. "
This ruling will mainly impact EU-US transfers. Businesses that relied upon the Privacy Shield will need to assess whether they can utilize SCCs as an alternative data transfer mechanism, but with more proactive scrutiny of the data transfers than previously. Explaining this further, Briget tells us, "EU regulators will need to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements to the Shield in order to continue to lawfully transfer personal data from the EU to the US. Businesses will expect urgent guidance from regulators on transition arrangements.
“The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission. The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”
It is fortunate, says Matthew Getz, Partner at Boies Schiller Flexner, that the use of standard contractual clauses has been validated. But the decision gives the green light to national and regional data protection authorities to ban transfers on the basis of those clauses to countries with lower levels of protection.
"And of course, the United States will be the first recipient country the authorities will be thinking about. We may end up with a patchwork of different decisions whereby a multinational company can send data to the US from Holland but not Belgium, for example. Such divergence may not be in the spirit of the GDPR – but could be in the letter", explains Matthew.
He advises that all companies transferring personal data to the US and anywhere else around the world need to act quickly. "If they had contingency plans, they should implement them; if they did not, they should immediately work out what other bases they have to transfer data, and whether they have to suspend some transfers. This could require rapid re-engineering of systems and structures."
The million pound question is what does this mean for the UK? "We are due sometime this summer to get the European Commission’s view as to whether our level of protection of personal data is adequate", Matthew expands, "Now more than ever, we should pray for a good decision, because transfers to any country without an adequacy decision have become harder. On top of COVID-19 and other Brexit effects, the economy-dragging effect of restrictions on data transfers to this country would not be a welcome development in 2021.”