Today the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data.  The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.  The CJEU’s lengthy decision is here and its short-form press release is here.

What does this mean for organizations that rely on Privacy Shield or SCCs?  History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers.  EU authorities hopefully will clarify their enforcement intentions soon.  In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt.  U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.

What Is This About?

For anybody entering in “the middle of the movie”: The EU’s General Data Protection Regulation (GDPR) creates a stringent EU-wide uniform law of data privacy, going well beyond what US privacy law requires.  GDPR provides among other things that, when it comes to personal data, what happens in the EU generally stays in the EU.

That is – GDPR effectively builds a data protection “wall” around the perimeter of the EU.  Personal data can only be brought across the wall to a non-EU country if the data goes via an approved “door,” i.e., one of several data transfer mechanisms that are authorized by GDPR.  These mechanisms, broadly speaking, all are meant to ensure that once EU personal data arrives at its non-EU destination, it will continue to be protected by privacy standards that approximate those of GDPR.

One of the key doors, or transfer mechanisms, is Privacy Shield, a European Commission-approved framework for transatlantic data transfers enacted in 2016 between the U.S. and the EU. U.S.-based organizations that sign up for Privacy Shield voluntarily certify to compliance with a GDPR-like set of data privacy terms.  Privacy Shield replaced Safe Harbour, a predecessor mechanism that the CJEU struck down as being inadequately protective of EU personal data.  The CJEU acted against Safe Harbour after Edward Snowden’s revelations about how broadly U.S. intelligence and law enforcement agencies were reviewing telephone records and other personal data.

Approximately 5,000 organizations have self-certified under Privacy Shield, including major companies like Facebook, Google and Microsoft.  One feature of Privacy Shield is the designation of an “ombudsperson.” That is an official within the U.S. Department of State who can take inquiries from EU data subjects who are concerned about what happens to their personal data once in the U.S.

Another widely used transfer mechanism are the SCCs.  These are a set of European Commission pre-approved terms that private parties can incorporate into their own agreements.  SCCs can be entered into by unrelated commercial counterparties—say, as part of the terms of a business transaction.  They can also be entered into by affiliated entities, such as between parents and subsidiaries or between “sibling” organizations.  Like Privacy Shield, the SCCs boil down to a commitment by private parties to follow GDPR-like standards in the handling of personal data.

What Just Happened?

The case is the latest chapter in the long-running battle played out in the Irish courts and the CJEU among Facebook, Austrian privacy advocate Maximillian Schrems, and the Irish Data Protection Commission.  Schrems’ complaint posed the question: Do the Privacy Shield and SCCs provide sufficient safeguards to EU personal data once it leaves the EU?  For Privacy Shield, the Court answered with – in our words – a firm “no,” and for SCCs, “it depends, but sometimes not.”

The Court found Privacy Shield invalid on two principal grounds.

First, that U.S. law enforcement agencies’ access to personal data transferred under Privacy Shield is “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law,” due to a lack of proportionality – meaning that they are not “limited to what is strictly necessary.”   Long story short: Just as Safe Harbour failed at the CJEU several years ago because of perceived excessive access to personal data by the NSA and similar agencies, Privacy Shield has failed for basically the same reason.

Second, that the Privacy Shield ombudsperson mechanism did not give EU data subjects effective administrative and judicial redress for violations of their rights.

This means that Privacy Shield immediately ceases to be a valid basis on which to transfer personal data from the EU to the U.S.

On the SCCs, the Court found that while they are valid, as such, whether they can constitute a lawful basis for the transfer of personal data to a jurisdiction without an adequacy decision depends on whether the recipient is in a jurisdiction which affords “a level of protection essentially equivalent to that guaranteed within the EU.”  Crucially, this necessitates an assessment of any potential “access by the public authorities of that third country” by the data exporter.

Given the Court’s findings on U.S. surveillance laws in the context of Privacy Shield, the risk seems high that – on further scrutiny, in some future case – the same concerns would render transfers to the U.S. based on the SCCs invalid as well.  The same risk would apply to transfers to other jurisdictions with broad surveillance regimes that do not provide (in the eyes of the CJEU, at least) the same safeguards as GDPR.

For this reason, the impact of today’s decision is likely to be far greater than when Safe Harbour was ruled invalid.  At that time, organizations could comfortably fall back on the SCCs.  Now that option might not be open to them.

What Happens Next?

  1. It appears that organizations that today rely on Privacy Shield alone for data transfers out of the EU must, in due course, either simply stop the transfers or adopt a different GDPR-approved mechanism for making them. The SCCs remain an option today, subject to the risk noted above.  For transfers within a corporate family, another GDPR-approved option are the Binding Corporate Rules, or BCRs.  The BCRs are a set of terms, pre-approved by the EU authorities, which multinational organizations can adopt as their own internal rules.  Following the rationale of the decision transfers made on this basis may also be at risk.
  2. Companies may also want to revisit the terms on which they have contracted with third parties regarding data transfers, and assess whether representations that they will send or receive data based on the Privacy Shield are no longer accurate. The U.S. Federal Trade Commission has taken the position that a statement of Privacy Shield certification or compliance—for example, in a company’s online privacy policy – must be true, or the statement violates U.S. consumer protection law.  All such statements must now be reconsidered.
  3. Companies may want to start identifying for which jurisdictions they rely on the Standard Contractual Clauses for cross-border transfers and, of those, whether any have local laws that could ultimately render reliance on SCCs invalid.
  4. Given that the challenge to Privacy Shield and the SCCs has been pending for some time, some organizations have already adopted a “belt and suspenders” approach—that is, certifying under Privacy Shield but also enacting SCCs and BCRs where feasible. Organizations in this position, especially those relying on BCRs, may be less directly affected by today’s decision.
  5. Perhaps the most immediate challenge is this: As a practical matter, some companies today rely only on Privacy Shield for data transfers that are mission-critical to daily business operations. Such companies may feel they have no choice but to continue making the transfers while all this gets sorted out.  That tees up the question of whether such companies face legal risk for future transfers.  The EU’s data protection authorities (DPAs), a/k/a the privacy enforcement agency of each EU Member State, will hopefully issue guidance on this soon.  When Safe Harbour fell, the DPAs stood down in terms of enforcement action to allow for the creation of Privacy Shield as a replacement mechanism.
  6. It is worth keeping in mind that the culture surrounding private litigation risk in the EU is considerably heightened since Safe Harbour fell – meaning that even if DPAs are not willing to take action, private litigants might be. The need to take a proactive approach to addressing these issues might therefore be more pressing than it was last time round.
  7. Today’s decision may intensify discussion in U.S. political circles about whether to (finally) adopt a national privacy law on par with GDPR. Such a law has been long discussed in the U.S. Congress, but has never gotten seriously close to passage.  A national U.S. privacy law that passed muster with EU authorities—meaning that the law includes meaningful limits on U.S. intelligence and law enforcement access to personal data—could be the solution that cuts the Gordian knot.

Watch this space.  We will continue to assess the impact of the decision and report any relevant guidance from U.S. or EU on the blog.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, regular advice to clients on privacy policies, online marketing practices and related matters.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

JJeffrey Cunard is a retired partner and currently is of counsel to the firm. He was managing partner of the Washington, D.C. office and led the firm’s corporate intellectual property, information technology and e-commerce practices. He has broad experience in transactions, including software and technology licenses, joint ventures, mergers and acquisitions, and outsourcing arrangements. Mr. Cunard’s practice also encompassed copyright litigation. He was an internationally recognized practitioner in the field of the Internet and cyberlaw, a member of the firm’s Data Strategy & Security practice, and advised in U.S. and international media and telecommunications law, including privatizations and regulatory advice.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Dr. Thomas Schürrle is admitted to practice both in Germany and the United States and currently serves as the Managing Partner of Debevoise's Frankfurt office. He works on cross-border transactions and advises on corporate governance matters, including litigation and investigations and he is active in the firm’s Data Strategy & Security practice. He can be reached at tschuerrle@debevoise.com.

Author

Alexandre Bisch is an international counsel in Debevoise's Paris office and a member of the firm’s Litigation Department. He can be reached at abisch@debevoise.com.

Author

Anna R. Gressel is an associate and a member of the firm’s Data Strategy & Security Group and its FinTech and Technology practices. Her practice focuses on representing clients in regulatory investigations, supervisory examinations, and civil litigation related to artificial intelligence and other emerging technologies. Ms. Gressel has a deep knowledge of regulations, supervisory expectations, and industry best practices with respect to AI governance and compliance. She regularly advises boards and senior legal executives on governance, risk, and liability issues relating to AI, privacy, and data governance. She can be reached at argressel@debevoise.com.