Today the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data.  The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.  The CJEU’s lengthy decision is here and its short-form press release is here.

What does this mean for organizations that rely on Privacy Shield or SCCs?  History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers.  EU authorities hopefully will clarify their enforcement intentions soon.  In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt.  U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.

What Is This About?

For anybody entering in “the middle of the movie”: The EU’s General Data Protection Regulation (GDPR) creates a stringent EU-wide uniform law of data privacy, going well beyond what US privacy law requires.  GDPR provides among other things that, when it comes to personal data, what happens in the EU generally stays in the EU.

That is – GDPR effectively builds a data protection “wall” around the perimeter of the EU.  Personal data can only be brought across the wall to a non-EU country if the data goes via an approved “door,” i.e., one of several data transfer mechanisms that are authorized by GDPR.  These mechanisms, broadly speaking, all are meant to ensure that once EU personal data arrives at its non-EU destination, it will continue to be protected by privacy standards that approximate those of GDPR.

One of the key doors, or transfer mechanisms, is Privacy Shield, a European Commission-approved framework for transatlantic data transfers enacted in 2016 between the U.S. and the EU. U.S.-based organizations that sign up for Privacy Shield voluntarily certify to compliance with a GDPR-like set of data privacy terms.  Privacy Shield replaced Safe Harbour, a predecessor mechanism that the CJEU struck down as being inadequately protective of EU personal data.  The CJEU acted against Safe Harbour after Edward Snowden’s revelations about how broadly U.S. intelligence and law enforcement agencies were reviewing telephone records and other personal data.

Approximately 5,000 organizations have self-certified under Privacy Shield, including major companies like Facebook, Google and Microsoft.  One feature of Privacy Shield is the designation of an “ombudsperson.” That is an official within the U.S. Department of State who can take inquiries from EU data subjects who are concerned about what happens to their personal data once in the U.S.

Another widely used transfer mechanism are the SCCs.  These are a set of European Commission pre-approved terms that private parties can incorporate into their own agreements.  SCCs can be entered into by unrelated commercial counterparties—say, as part of the terms of a business transaction.  They can also be entered into by affiliated entities, such as between parents and subsidiaries or between “sibling” organizations.  Like Privacy Shield, the SCCs boil down to a commitment by private parties to follow GDPR-like standards in the handling of personal data.

What Just Happened?

The case is the latest chapter in the long-running battle played out in the Irish courts and the CJEU among Facebook, Austrian privacy advocate Maximillian Schrems, and the Irish Data Protection Commission.  Schrems’ complaint posed the question: Do the Privacy Shield and SCCs provide sufficient safeguards to EU personal data once it leaves the EU?  For Privacy Shield, the Court answered with – in our words – a firm “no,” and for SCCs, “it depends, but sometimes not.”

The Court found Privacy Shield invalid on two principal grounds.

First, that U.S. law enforcement agencies’ access to personal data transferred under Privacy Shield is “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law,” due to a lack of proportionality – meaning that they are not “limited to what is strictly necessary.”   Long story short: Just as Safe Harbour failed at the CJEU several years ago because of perceived excessive access to personal data by the NSA and similar agencies, Privacy Shield has failed for basically the same reason.

Second, that the Privacy Shield ombudsperson mechanism did not give EU data subjects effective administrative and judicial redress for violations of their rights.

This means that Privacy Shield immediately ceases to be a valid basis on which to transfer personal data from the EU to the U.S.

On the SCCs, the Court found that while they are valid, as such, whether they can constitute a lawful basis for the transfer of personal data to a jurisdiction without an adequacy decision depends on whether the recipient is in a jurisdiction which affords “a level of protection essentially equivalent to that guaranteed within the EU.”  Crucially, this necessitates an assessment of any potential “access by the public authorities of that third country” by the data exporter.

Given the Court’s findings on U.S. surveillance laws in the context of Privacy Shield, the risk seems high that – on further scrutiny, in some future case – the same concerns would render transfers to the U.S. based on the SCCs invalid as well.  The same risk would apply to transfers to other jurisdictions with broad surveillance regimes that do not provide (in the eyes of the CJEU, at least) the same safeguards as GDPR.

For this reason, the impact of today’s decision is likely to be far greater than when Safe Harbour was ruled invalid.  At that time, organizations could comfortably fall back on the SCCs.  Now that option might not be open to them.

What Happens Next?

  1. It appears that organizations that today rely on Privacy Shield alone for data transfers out of the EU must, in due course, either simply stop the transfers or adopt a different GDPR-approved mechanism for making them. The SCCs remain an option today, subject to the risk noted above.  For transfers within a corporate family, another GDPR-approved option are the Binding Corporate Rules, or BCRs.  The BCRs are a set of terms, pre-approved by the EU authorities, which multinational organizations can adopt as their own internal rules.  Following the rationale of the decision transfers made on this basis may also be at risk.
  2. Companies may also want to revisit the terms on which they have contracted with third parties regarding data transfers, and assess whether representations that they will send or receive data based on the Privacy Shield are no longer accurate. The U.S. Federal Trade Commission has taken the position that a statement of Privacy Shield certification or compliance—for example, in a company’s online privacy policy – must be true, or the statement violates U.S. consumer protection law.  All such statements must now be reconsidered.
  3. Companies may want to start identifying for which jurisdictions they rely on the Standard Contractual Clauses for cross-border transfers and, of those, whether any have local laws that could ultimately render reliance on SCCs invalid.
  4. Given that the challenge to Privacy Shield and the SCCs has been pending for some time, some organizations have already adopted a “belt and suspenders” approach—that is, certifying under Privacy Shield but also enacting SCCs and BCRs where feasible. Organizations in this position, especially those relying on BCRs, may be less directly affected by today’s decision.
  5. Perhaps the most immediate challenge is this: As a practical matter, some companies today rely only on Privacy Shield for data transfers that are mission-critical to daily business operations. Such companies may feel they have no choice but to continue making the transfers while all this gets sorted out.  That tees up the question of whether such companies face legal risk for future transfers.  The EU’s data protection authorities (DPAs), a/k/a the privacy enforcement agency of each EU Member State, will hopefully issue guidance on this soon.  When Safe Harbour fell, the DPAs stood down in terms of enforcement action to allow for the creation of Privacy Shield as a replacement mechanism.
  6. It is worth keeping in mind that the culture surrounding private litigation risk in the EU is considerably heightened since Safe Harbour fell – meaning that even if DPAs are not willing to take action, private litigants might be. The need to take a proactive approach to addressing these issues might therefore be more pressing than it was last time round.
  7. Today’s decision may intensify discussion in U.S. political circles about whether to (finally) adopt a national privacy law on par with GDPR. Such a law has been long discussed in the U.S. Congress, but has never gotten seriously close to passage.  A national U.S. privacy law that passed muster with EU authorities—meaning that the law includes meaningful limits on U.S. intelligence and law enforcement access to personal data—could be the solution that cuts the Gordian knot.

Watch this space.  We will continue to assess the impact of the decision and report any relevant guidance from U.S. or EU on the blog.

Author

Dr. Friedrich Popp is a senior associate in Debevoise's Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law. He can be reached at fpopp@debevoise.com.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified associate who is a member of the Debevoise Data Strategy & Security practice and part of the Corporate Department, also specialising in employment law. He can be reached at cgarrett@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Jeffrey Cunard, managing partner of Debevoise's Washington, D.C. office, leads the firm’s corporate intellectual property, information technology and e-commerce practices. He has broad experience in transactions, including software and technology licenses, joint ventures, mergers and acquisitions, and outsourcing arrangements. Mr. Cunard’s practice also encompasses copyright litigation. He is an internationally recognized practitioner in the field of the Internet and cyberlaw, a member of the firm’s Data Strategy & Security practice, and advises in U.S. and international media and telecommunications law, including privatizations and regulatory advice. He can be reached at jpcunard@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and complex commercial litigation. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Dr. Thomas Schürrle is admitted to practice both in Germany and the United States and currently serves as the Managing Partner of Debevoise's Frankfurt office. He works on cross-border transactions and advises on corporate governance matters, including litigation and investigations and he is active in the firm’s Data Strategy & Security practice. He can be reached at tschuerrle@debevoise.com.

Author

Alexandre Bisch is an international counsel in Debevoise's Paris office and a member of the firm’s Litigation Department. He can be reached at abisch@debevoise.com.

Author

Anna R. Gressel is a senior commercial litigation associate at Debevoise and a member of the firm’s Technology, Media & Telecommunications and Data Strategy & Security groups. She actively advises clients on the legal and regulatory implications of artificial intelligence (“AI”) and other emerging technologies. Her practice includes not only representing companies in regulatory inquiries concerning AI, but also assisting companies in developing AI principles and governance mechanisms. She can be reached at argressel@debevoise.com.