Impacts of the European Union invalidation of the EU-U.S. Privacy Shield
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a very lengthy and detailed opinion invalidating the EU-US Privacy Shield (Decision 2016/1250), thereby requiring an immediate re-assessment of transfers of Personal Data between the European Union (EU) and the United States.
History of EU-U.S. Personal Data and Privacy Protection
The General Data Protection Regulation (GDPR) was approved by the EU in 2016 and replaced the 1995 EU Data Protection Directive 95/46/EC. GDPR expanded privacy protections and provided for the imposition of heavy fines for violations, which have since been levied on several notable U.S. technology companies. GDPR was intended to update and harmonize EU data privacy laws with regard to the protection of the Personal Data it enumerates. Personal Data has since been construed to mean any information relating to an identified or identifiable natural person, referred to as a Data Subject. Critical GDPR protections include:
- Requiring that consents be provided in clear, plain language – think U.S. liability disclaimers.
- The right to obtain details regarding the use and processing of Personal Data.
- The right of “data portability” – to receive a copy in a “commonly used and machine readable format,” or to have such transmitted to another party.
- The “right to be forgotten” – the erasure of Personal Data, or the termination of its dissemination or of links to it.
- Notification of a breach within 72 hours.
Significantly, Article 44 of GDPR only permits transfers of the Personal Data of EU citizens outside the EU if the level of data protection in the country to which the data will be transferred is comparable to that of the EU. Historically, businesses could transfer EU Personal Data into the U.S. under an agreed-upon data protection regime called the EU-U.S. Safe Harbor.
Legal Challenges to U.S. Data Protections
The U.S. Safe Harbor protections were challenged and invalidated by the CJEU in a case against Facebook brought by Max Schrems, an Austrian lawyer and data protection activist; the case is commonly referred to as “Schrems I.” In response to the invalidation of the EU-U.S. Safe Harbor, and to facilitate the continued transfer of Personal Data to the U.S., the EU and U.S. established additional privacy protections under a regime called the EU-U.S. Privacy Shield.
Schrems brought a second action challenging the suitability of the protections under the EU-U.S. Privacy Shield, which is the basis for the CJEU’s July 16 opinion invalidating the EU-U.S. Privacy Shield – a decision already being dubbed “Schrems II.”
While the Schrems II decision clearly follows on Schrems I, it acknowledges a more fundamental basis for the privacy rights of EU citizens – tantamount to a personal liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that may have broader implications beyond the EU-U.S. Privacy Shield and for how businesses will need to protect the Personal Data of EU Data Subjects going forward. The significance of this issue to data-driven business cannot be overstated.
As an acknowledgement of the commercial significance of data transfers, the U.S. Secretary of Commerce issued an announcement on the invalidation of the EU-U.S. Privacy Shield. That announcement and other similar announcements have tried to calm commercial concerns by focusing narrowly on the invalidation of the EU-U.S. Privacy Shield – and implying that contractual privacy protection clauses can still be used to continue the transfer of Personal Data between the EU and the U.S. While that is true in the short term, the broader EU privacy rights issue raised in Schrems II necessarily requires a more detailed assessment of suitable U.S. protections going forward.
Standard (Privacy) Contractual Clauses at Risk
As background, most businesses have utilized contractual privacy protection clauses, referred to as Standard Contractual Clauses, for the transfer of covered Personal Data. Standard Contractual Clauses were promulgated and generally sanctioned by EU Data Protection offices for use with data processors located in non-EU countries.
While the CJEU Schrems II opinion did not expressly invalidate the use of Standard Contractual Clauses, it did establish that EU supervisory authorities are obliged to assess whether such clauses can actually be complied with in non-EU countries – such as the U.S. The Data Protection Commission in Ireland and the Federal Commissioner for Data Protection in Germany have already issued announcements specifically questioning the adequacy of Standard Contractual Clauses for proposed transfers of Personal Data of EU Data Subjects into the U.S. Other EU Data Protection offices will likely follow suit. We will continue to monitor for such announcements and provide updates accordingly.
- Covered Personal Data transfers from the EU to the U.S. based solely on the EU-U.S. Privacy Shield must be suspended – otherwise the responsible parties are exposed to GDPR enforcement and fines.
- Covered Personal Data transfers and related operations involving the U.S. should be evaluated for possible interim use and coverage under Standard Contractual Clauses.
Additional guidance is likely to follow from the EU and EU member state Data Protection offices on the suitability or requirements for the use of Standard Contractual Clauses. There will also likely be a renewed effort for a U.S. federal regulatory solution – with a possible federal preemption – to address the requirements of GDPR as established in Schrems II.
Continue to look for further updates and alerts from Bradley on the practices needed to remain compliant with the collection, use, storage and transfer of Personal Data in the U.S. and abroad.